Risk
11/2/2006
07:30 AM

Boarding-Pass Brouhaha

Fake boarding-pass exploit raises the curtain on 'security theater'

Christopher Soghoian is a computer security graduate student in the School of Informatics at Indiana University, where I am a member of the Dean’s Advisory Council. Soghoian is also the main suspect in an ongoing joint FBI/TSA cybercrime investigation. His alleged crime? Taking an old chestnut of a vulnerability from 2003 and building a working demonstration of the exploit to make its implications more real.

Is turning a well-known, published vulnerability into a flashy demonstration a crime? The answer according to many computer security gurus -- including Ed Felten, Avi Rubin, and myself -- may surprise you.

Soghoian's main crime seems to have been writing an extremely unsophisticated script to generate counterfeit HTML-based boarding passes. See his blog for a first-person description of the story (the script has long since been taken down).

Way back in 2003 (that's 21 in dog years and who knows how many more in Internet years), Bruce Schneier pointed out that boarding passes were very easy to forge, and that this was a serious security problem. Since then, others have trumpeted the story, including Slate magazine, a number of major newspapers, and even a U.S. Senate press release.

Princeton Professor Ed Felten is currently working on an academic paper that discusses the problem along with some solutions. Yet it took a grad student to blow the lid off the story.

The real vulnerability involved is pretty bad. By properly exploiting it, a person on the "no fly" list may well be able to get on an airplane. (Yes, that could be bad.) The attack would involve a handful of easy steps:

  • Get a real boarding pass from an airline under an assumed name not on the no fly list.
  • Print out a fake boarding pass with the attacker's real blacklisted name using Soghoian's script. (Or edit the HTML by hand... How hard is that?!)
  • Present the fake pass with a real ID that matches it (remember, this is the attacker's actual name) to get through security.
  • Use the legitimate (false name) pass to board the airplane.

Let's get this straight: This loophole has been well known and very publicly documented since 2003. If you are a frequent flier, you may recall that after 9/11 photo IDs and boarding passes were checked both at security and at the gate before boarding. This is no longer the case. Now, ID is required only at the security checkpoint.

This kind of backwards security move is classic TSA. As a result, systems like the one we now have in place for airport security have come to be known among the cognoscenti as "security theater" -- a phrase coined by Schneier.

Before the Soghoian script, attackers on the no-fly list wishing to carry out the attack described above might have had to open an HTML editor to forge their boarding pass. After the script, they could run a simple program -- ever so much easier. Shall we now shoot the messenger?

Rep. Ed Markey (D-Mass) called for the immediate arrest of the budding young hacker last week after he learned of the script. This, no doubt, sparked the FBI/TSA investigation. But Markey changed his mind a few days later and called the work a public service. Politician.

In public statements, the TSA says the fake boarding passes are not a problem and other security mechanisms exist that would thwart a would-be attacker. And yet they support the arrest and prosecution of Soghoian?! Looks like they had better make up their mind, huh?

Put bluntly, discussing vulnerabilities in airport security is a valid subject for security research. Any sort of chilling effect for legitimate research on vulnerabilities (which might result from prosecution in this case) is the opposite of what is needed to make air travel more secure. A demonstration of a security problem is not a crime. The government has shown time and time again an inability to improve the situation until something bad happens. Security researchers have a duty to make vulnerabilities as obvious and clear as possible so they get fixed.

Recently, I discussed the situation with Ed Felten from Princeton, whose own work often involves public demonstration of security problems. Ed has a draft paper (not yet released) describing in detail many of the same issues surrounding airport insecurity. Ed agrees with me that this kind of work should be welcomed and not prosecuted. (Incidentally, we both think the way that Soghoian went about publishing his script was irresponsible.)

On the other hand, why didn't Soghoian do something obvious like make sure his script watermarked the fake boarding pass with the word "Counterfeit" just like Microsoft's Word program can print "DRAFT" in gray as the background of every page in a document?

Johns Hopkins Professor Avi Rubin thinks that Soghoian went way over the line with his exploit and needs a clue. He thinks the demo should have rendered something more obviously fake. He further believes that Soghoian should have properly notified the TSA of what he was up to, sharing the demo with them in advance of any publicity. These views stem from years of working with "hot" exploits -- something that Felten, Rubin, and I have all learned about through a decade of experience.

Christopher Soghoian is young, arrogant, and full of hubris. His actions were not tempered by clear thinking about how to present a real exploit to the public. His demo could have been easily adjusted to make it clear that the end product was a forgery (yes, I know such a watermark could be removed by a simple edit, that's not the point).

But whatever mistakes he made, his actions are not criminal. He did not use his script to sneak onto a plane. On his blog, he says, "I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me." Oops.

Rep. Markey probably sums the whole story up best. He says, "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian's ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

I could not agree more.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
