Boarding-Pass Brouhaha

Fake boarding-pass exploit raises the curtain on 'security theater'

Christopher Soghoian is a computer security graduate student in the School of Informatics at Indiana University, where I am a member of the Dean’s Advisory Council. Soghoian is also the main suspect in an ongoing joint FBI/TSA cybercrime investigation. His alleged crime? Taking an old chestnut of a vulnerability from 2003 and building a working demonstration of the exploit to make its implications more real.

Is turning a well-known, published vulnerability into a flashy demonstration a crime? The answer according to many computer security gurus -- including Ed Felten, Avi Rubin, and myself -- may surprise you.

Soghoian's main crime seems to have been writing an extremely unsophisticated script to generate counterfeit HTML-based boarding passes. See his blog for a first-person description of the story (the script has long since been taken down).

Way back in 2003 (that's 21 in dog years and who knows how many more in Internet years), Bruce Schneier pointed out that boarding passes were very easy to forge, and that this was a serious security problem. Since then, others have trumpeted the story, including Slate magazine, a number of major newspapers, and even a U.S. Senate press release.

Princeton Professor Ed Felten is currently working on an academic paper that discusses the problem along with some solutions. Yet it took a grad student to blow the lid off the story.

The real vulnerability involved is pretty bad. By properly exploiting it, a person on the "no fly" list may well be able to get on an airplane. (Yes, that could be bad.) The attack would involve a handful of easy steps:

  • Get a real boarding pass from an airline under an assumed name not on the no fly list.
  • Print out a fake boarding pass with the attacker's real blacklisted name using Soghoian's script. (Or edit the HTML by hand... How hard is that?!)
  • Present the fake pass with a real ID that matches it (remember, this is the attacker's actual name) to get through security.
  • Use the legitimate (false name) pass to board the airplane.

Let's get this straight: This loophole has been well known and very publicly documented since 2003. If you are a frequent flier, you may recall that after 9/11 photo IDs and boarding passes were checked both at security and at the gate before boarding. This is no longer the case. Now, ID is required only at the security checkpoint, and only the gate scans the pass against the airline's records. No single check verifies both that the pass is genuine and that it belongs to the person holding it, which is exactly the gap the steps above walk through.
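To make the gap concrete, here is an added example in Python that models the two checks described above and runs the four attack steps through them. It is not code from this column, from Soghoian's script, or from Felten's paper; the passenger names, record locator, flight number and airline key are constructed for the illustration. The first checkpoint model is the one the column describes (ID compared to the printed name, pass itself trusted). The second checkpoint is my own assumption of one possible fix, not a mechanism the column or the TSA describes: the airline puts a MAC over the pass fields and the checkpoint verifies it, so a hand-edited name no longer gets through.

```python
"""Model of the boarding-pass loophole: ID checked only at security,
pass authenticity checked only at the gate. Added example; all data
below is constructed and the signed-pass variant is an assumed fix."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed sample data: a blacklisted name and a demo-only key.
NO_FLY = {"Mallory Blacklisted"}
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption


@dataclass(frozen=True)
class BoardingPass:
    pnr: str       # record locator the gate scanner looks up
    name: str      # name printed on the pass
    flight: str
    mac: str = ""  # empty in the 2006 model; set by the signed variant


class Airline:
    """Issues passes and holds the reservation records the gate scans."""

    def __init__(self, signed: bool):
        self.signed = signed
        self.records = {}

    def book_and_issue(self, pnr: str, name: str, flight: str) -> BoardingPass:
        # Watch-list screening happens here, against the *booked* name.
        if name in NO_FLY:
            raise PermissionError(f"{name} is on the no-fly list")
        self.records[pnr] = (name, flight)
        bp = BoardingPass(pnr, name, flight)
        return replace(bp, mac=self._mac(bp)) if self.signed else bp

    def _mac(self, bp: BoardingPass) -> str:
        # Assumed fix: HMAC-SHA256 over the fields the checkpoint reads.
        msg = f"{bp.pnr}|{bp.name}|{bp.flight}".encode()
        return hmac.new(AIRLINE_KEY, msg, hashlib.sha256).hexdigest()

    def verify_mac(self, bp: BoardingPass) -> bool:
        return hmac.compare_digest(self._mac(bp), bp.mac)

    def gate_scan(self, bp: BoardingPass) -> bool:
        # The gate checks the pass against the reservation; nobody shows ID.
        return self.records.get(bp.pnr) == (bp.name, bp.flight)


def forge(real: BoardingPass, new_name: str) -> BoardingPass:
    """'Edit the HTML by hand': same pass, different printed name."""
    return replace(real, name=new_name)


def checkpoint_2006(airline: Airline, bp: BoardingPass, id_name: str) -> bool:
    """ID compared to the printed name; the pass itself is taken on trust."""
    return bp.name == id_name


def checkpoint_signed(airline: Airline, bp: BoardingPass, id_name: str) -> bool:
    """Assumed fix: same ID comparison plus verification of the airline MAC."""
    return bp.name == id_name and airline.verify_mac(bp)


def booking_refused(name: str) -> bool:
    """True if the airline will not issue a pass in this name."""
    try:
        Airline(signed=False).book_and_issue("Z9Z9Z9", name, "XX100")
        return False
    except PermissionError:
        return True


def run_attack(checkpoint, signed: bool) -> dict:
    """Walk the four steps; report what each check decided."""
    airline = Airline(signed=signed)
    attacker = "Mallory Blacklisted"            # on the list, has real ID
    real = airline.book_and_issue("ABC123", "John Traveler", "XX100")  # assumed name
    fake = forge(real, attacker)                 # step 2: printed name edited
    return {
        # step 3: fake pass plus matching real ID at security
        "fake_passes_checkpoint": checkpoint(airline, fake, attacker),
        # what happens if the real pass were shown with the real ID instead
        "real_passes_checkpoint": checkpoint(airline, real, attacker),
        # step 4: real pass scanned at the gate
        "boarded": checkpoint(airline, fake, attacker) and airline.gate_scan(real),
    }


if __name__ == "__main__":
    print("2006 checks :", run_attack(checkpoint_2006, signed=False))
    print("signed pass :", run_attack(checkpoint_signed, signed=True))
```

Running it shows the 2006 model letting the blacklisted name board (the fake clears security, the real pass clears the gate) while the signed variant rejects the forgery at the checkpoint because the carried-over MAC no longer matches the edited name. The caveat is the same one the column makes about a watermark: a MAC, bar code or any other field helps only if the checkpoint actually verifies it against something the attacker cannot produce, which here means the checkpoint holds the key or queries the airline. A field that is printed but never checked is decoration.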

This kind of backwards security move is classic TSA. As a result, systems like the one we now have in place for airport security have come to be known among the cognoscenti as "security theater" -- a phrase coined by Schneier.

Before the Soghoian script, attackers on the no-fly list wishing to carry out the attack described above might have had to open an HTML editor to forge their boarding pass. After the script, they could run a simple program -- ever so much easier. Shall we now shoot the messenger?

Rep. Ed Markey (D-Mass.) called for the immediate arrest of the budding young hacker last week after he learned of the script. This, no doubt, sparked the FBI/TSA investigation. But Markey changed his mind a few days later and called the work a public service. Politician.

In public statements, the TSA says the fake boarding passes are not a problem and other security mechanisms exist that would thwart a would-be attacker. And yet they support the arrest and prosecution of Soghoian?! Looks like they had better make up their mind, huh?

Put bluntly, discussing vulnerabilities in airport security is a valid subject for security research. Any sort of chilling effect for legitimate research on vulnerabilities (which might result from prosecution in this case) is the opposite of what is needed to make air travel more secure. A demonstration of a security problem is not a crime. The government has shown time and time again an inability to improve the situation until something bad happens. Security researchers have a duty to make vulnerabilities as obvious and clear as possible so they get fixed.

Recently, I discussed the situation with Ed Felten from Princeton, whose own work often involves public demonstration of security problems. Ed has a draft paper (not yet released) describing in detail many of the same issues surrounding airport insecurity. Ed agrees with me that this kind of work should be welcomed and not prosecuted. (Incidentally, we both think the way that Soghoian went about publishing his script was irresponsible.)

On the other hand, why didn't Soghoian do something obvious, like have his script watermark the fake boarding pass with the word "Counterfeit," just as Microsoft Word can print "DRAFT" in gray as the background of every page of a document?

Johns Hopkins Professor Avi Rubin thinks that Soghoian went way over the line with his exploit and needs a clue. He thinks the demo should have rendered something more obviously fake. He further believes that Soghoian should have properly notified the TSA of what he was up to, sharing the demo with them in advance of any publicity. These views stem from years of working with "hot" exploits -- something that Felten, Rubin, and I have all learned about through a decade of experience.

Christopher Soghoian is young, arrogant, and full of hubris. His actions were not tempered by clear thinking about how to present a real exploit to the public. His demo could have been easily adjusted to make it clear that the end product was a forgery (yes, I know such a watermark could be removed by a simple edit, that's not the point).

But whatever mistakes he made, his actions are not criminal. He did not use his script to sneak onto a plane. On his blog, he says, "I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me." Oops.

Rep. Markey probably sums the whole story up best. He says, "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian's ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

I could not agree more.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
