Risk
11/2/2006
07:30 AM
50%
50%

Boarding-Pass Brouhaha

Fake boarding-pass exploit raises the curtain on 'security theater'

Christopher Soghoian is a computer security graduate student in the School of Informatics at Indiana University, where I am a member of the Dean’s Advisory Council. Soghoian is also the main suspect in an ongoing joint FBI/TSA cybercrime investigation. His alleged crime? Taking an old chestnut of a vulnerability from 2003 and building a working demonstration of the exploit to make its implications more real.

Is turning a well-known, published vulnerability into a flashy demonstration a crime? The answer according to many computer security gurus -- including Ed Felten, Avi Rubin, and myself -- may surprise you.

Soghoian's main crime seems to have been writing an extremely unsophisticated script to generate counterfeit HTML-based boarding passes. See his blog for a first-person description of the story (the script has long since been taken down).

Way back in 2003 (that's 21 in dog years and who knows how many more in Internet years), Bruce Schneier pointed out that boarding passes were very easy to forge, and that this was a serious security problem. Since then, others have trumpeted the story, including Slate magazine, a number of major newspapers, and even a U.S. Senate press release.

Princeton Professor Ed Felten is currently working on an academic paper that discusses the problem along with some solutions. Yet it took a grad student to blow the lid off the story.

The real vulnerability involved is pretty bad. By properly exploiting it, a person on the "no fly" list may well be able to get on an airplane. (Yes, that could be bad.) The attack would involve a handful of easy steps:

  • Get a real boarding pass from an airline under an assumed name not on the no fly list.
  • Print out a fake boarding pass with the attacker's real blacklisted name using Soghoian's script. (Or edit the HTML by hand... How hard is that?!)
  • Present the fake pass with a real ID that matches it (remember, this is the attacker's actual name) to get through security.
  • Use the legitimate (false name) pass to board the airplane.

Lets get this straight: This loophole has been well known and very publicly documented since 2003. If you are a frequent flier, you may recall after 9/11 that photo IDs and boarding passes were checked both at security and at the gate before boarding. This is no longer the case. Now, ID is required only at the security checkpoint.

This kind of backwards security move is classic TSA. As a result, systems like the one we have in place for airport security now have come to be known among the cognoscente as "security theater" -- a phrase coined by Schneier.

Before the Soghoian script, attackers on the no-fly list wishing to carry out the attack described above might have had to open an HTML editor to forge their boarding pass. After the script, they could run a simple program -- ever so much easier. Shall we now shoot the messenger?

Rep. Ed Markey (D-Mass) called for the immediate arrest of the budding young hacker last week after he learned of the script. This, no doubt, sparked the FBI/TSA investigation. But Markey changed his mind a few days later and called the work a public service. Politician.

In public statements, the TSA says the fake boarding passes are not a problem and other security mechanisms exist that would thwart a would-be attacker. And yet they support the arrest and prosecution of Soghoian?! Looks like they had better make up their mind, huh?

Put bluntly, discussing vulnerabilities in airport security is a valid subject for security research. Any sort of chilling effect for legitimate research on vulnerabilities (which might result from prosecution in this case) is the opposite of what is needed to make air travel more secure. A demonstration of a security problem is not a crime. The government has shown time and time again an inability to improve the situation until something bad happens. Security researchers have a duty to make vulnerabilities as obvious and clear as possible so they get fixed.

Recently, I discussed the situation with Ed Felten from Princeton, whose own work often involves public demonstration of security problems. Ed has a draft paper (not yet released) describing in detail many of the same issues surrounding airport insecurity. Ed agrees with me that this kind of work should be welcomed and not prosecuted. (Incidentally, we both think the way that Soghoian went about publishing his script was irresponsible.)

On the other hand, why didn't Soghoian do something obvious like make sure his script watermarked the fake boarding pass with the word "Counterfeit" just like Microsoft's Word program can print "DRAFT" in gray as the background of every page in a document?

Johns Hopkins Professor Avi Rubin thinks that Soghoian went way over the line with his exploit and needs a clue. He thinks the demo should have rendered something more obviously fake. He further believes that Soghoian should have properly notified the TSA what he was up to, sharing the demo with them in advance of any publicity. These views stem from years working with "hot" exploits -- something that Felten, Rubin, and myself have all learned about through a decade of experience.

Christopher Soghoian is young, arrogant, and full of hubris. His actions were not tempered by clear thinking about how to present a real exploit to the public. His demo could have been easily adjusted to make it clear that the end product was a forgery (yes, I know such a watermark could be removed by a simple edit, that's not the point).

But whatever mistakes he made, his actions are not criminal. He did not use his script to sneak onto a plane. On his blog, he says, "I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me." Oops.

Rep. Markey probably sums the whole story up best. He says, "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian's ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

I could not agree more.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.