07:30 AM

Boarding-Pass Brouhaha

Fake boarding-pass exploit raises the curtain on 'security theater'

Christopher Soghoian is a computer security graduate student in the School of Informatics at Indiana University, where I am a member of the Dean’s Advisory Council. Soghoian is also the main suspect in an ongoing joint FBI/TSA cybercrime investigation. His alleged crime? Taking an old chestnut of a vulnerability from 2003 and building a working demonstration of the exploit to make its implications more real.

Is turning a well-known, published vulnerability into a flashy demonstration a crime? The answer according to many computer security gurus -- including Ed Felten, Avi Rubin, and myself -- may surprise you.

Soghoian's main crime seems to have been writing an extremely unsophisticated script to generate counterfeit HTML-based boarding passes. See his blog for a first-person description of the story (the script has long since been taken down).

Way back in 2003 (that's 21 in dog years and who knows how many more in Internet years), Bruce Schneier pointed out that boarding passes were very easy to forge, and that this was a serious security problem. Since then, others have trumpeted the story, including Slate magazine, a number of major newspapers, and even a U.S. Senate press release.

Princeton Professor Ed Felten is currently working on an academic paper that discusses the problem along with some solutions. Yet it took a grad student to blow the lid off the story.

The real vulnerability involved is pretty bad. By properly exploiting it, a person on the "no fly" list may well be able to get on an airplane. (Yes, that could be bad.) The attack would involve a handful of easy steps:

  • Get a real boarding pass from an airline under an assumed name not on the no fly list.
  • Print out a fake boarding pass with the attacker's real blacklisted name using Soghoian's script. (Or edit the HTML by hand... How hard is that?!)
  • Present the fake pass with a real ID that matches it (remember, this is the attacker's actual name) to get through security.
  • Use the legitimate (false name) pass to board the airplane.

Lets get this straight: This loophole has been well known and very publicly documented since 2003. If you are a frequent flier, you may recall after 9/11 that photo IDs and boarding passes were checked both at security and at the gate before boarding. This is no longer the case. Now, ID is required only at the security checkpoint.

This kind of backwards security move is classic TSA. As a result, systems like the one we have in place for airport security now have come to be known among the cognoscente as "security theater" -- a phrase coined by Schneier.

Before the Soghoian script, attackers on the no-fly list wishing to carry out the attack described above might have had to open an HTML editor to forge their boarding pass. After the script, they could run a simple program -- ever so much easier. Shall we now shoot the messenger?

Rep. Ed Markey (D-Mass) called for the immediate arrest of the budding young hacker last week after he learned of the script. This, no doubt, sparked the FBI/TSA investigation. But Markey changed his mind a few days later and called the work a public service. Politician.

In public statements, the TSA says the fake boarding passes are not a problem and other security mechanisms exist that would thwart a would-be attacker. And yet they support the arrest and prosecution of Soghoian?! Looks like they had better make up their mind, huh?

Put bluntly, discussing vulnerabilities in airport security is a valid subject for security research. Any sort of chilling effect for legitimate research on vulnerabilities (which might result from prosecution in this case) is the opposite of what is needed to make air travel more secure. A demonstration of a security problem is not a crime. The government has shown time and time again an inability to improve the situation until something bad happens. Security researchers have a duty to make vulnerabilities as obvious and clear as possible so they get fixed.

Recently, I discussed the situation with Ed Felten from Princeton, whose own work often involves public demonstration of security problems. Ed has a draft paper (not yet released) describing in detail many of the same issues surrounding airport insecurity. Ed agrees with me that this kind of work should be welcomed and not prosecuted. (Incidentally, we both think the way that Soghoian went about publishing his script was irresponsible.)

On the other hand, why didn't Soghoian do something obvious like make sure his script watermarked the fake boarding pass with the word "Counterfeit" just like Microsoft's Word program can print "DRAFT" in gray as the background of every page in a document?

Johns Hopkins Professor Avi Rubin thinks that Soghoian went way over the line with his exploit and needs a clue. He thinks the demo should have rendered something more obviously fake. He further believes that Soghoian should have properly notified the TSA what he was up to, sharing the demo with them in advance of any publicity. These views stem from years working with "hot" exploits -- something that Felten, Rubin, and myself have all learned about through a decade of experience.

Christopher Soghoian is young, arrogant, and full of hubris. His actions were not tempered by clear thinking about how to present a real exploit to the public. His demo could have been easily adjusted to make it clear that the end product was a forgery (yes, I know such a watermark could be removed by a simple edit, that's not the point).

But whatever mistakes he made, his actions are not criminal. He did not use his script to sneak onto a plane. On his blog, he says, "I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me." Oops.

Rep. Markey probably sums the whole story up best. He says, "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian's ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

I could not agree more.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.