Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:30 AM

Boarding-Pass Brouhaha

Fake boarding-pass exploit raises the curtain on 'security theater'

Christopher Soghoian is a computer security graduate student in the School of Informatics at Indiana University, where I am a member of the Dean’s Advisory Council. Soghoian is also the main suspect in an ongoing joint FBI/TSA cybercrime investigation. His alleged crime? Taking an old chestnut of a vulnerability from 2003 and building a working demonstration of the exploit to make its implications more real.

Is turning a well-known, published vulnerability into a flashy demonstration a crime? The answer according to many computer security gurus -- including Ed Felten, Avi Rubin, and myself -- may surprise you.

Soghoian's main crime seems to have been writing an extremely unsophisticated script to generate counterfeit HTML-based boarding passes. See his blog for a first-person description of the story (the script has long since been taken down).

Way back in 2003 (that's 21 in dog years and who knows how many more in Internet years), Bruce Schneier pointed out that boarding passes were very easy to forge, and that this was a serious security problem. Since then, others have trumpeted the story, including Slate magazine, a number of major newspapers, and even a U.S. Senate press release.

Princeton Professor Ed Felten is currently working on an academic paper that discusses the problem along with some solutions. Yet it took a grad student to blow the lid off the story.

The real vulnerability involved is pretty bad. By properly exploiting it, a person on the "no fly" list may well be able to get on an airplane. (Yes, that could be bad.) The attack would involve a handful of easy steps:

  • Get a real boarding pass from an airline under an assumed name not on the no fly list.
  • Print out a fake boarding pass with the attacker's real blacklisted name using Soghoian's script. (Or edit the HTML by hand... How hard is that?!)
  • Present the fake pass with a real ID that matches it (remember, this is the attacker's actual name) to get through security.
  • Use the legitimate (false name) pass to board the airplane.

Lets get this straight: This loophole has been well known and very publicly documented since 2003. If you are a frequent flier, you may recall after 9/11 that photo IDs and boarding passes were checked both at security and at the gate before boarding. This is no longer the case. Now, ID is required only at the security checkpoint.

This kind of backwards security move is classic TSA. As a result, systems like the one we have in place for airport security now have come to be known among the cognoscente as "security theater" -- a phrase coined by Schneier.

Before the Soghoian script, attackers on the no-fly list wishing to carry out the attack described above might have had to open an HTML editor to forge their boarding pass. After the script, they could run a simple program -- ever so much easier. Shall we now shoot the messenger?

Rep. Ed Markey (D-Mass) called for the immediate arrest of the budding young hacker last week after he learned of the script. This, no doubt, sparked the FBI/TSA investigation. But Markey changed his mind a few days later and called the work a public service. Politician.

In public statements, the TSA says the fake boarding passes are not a problem and other security mechanisms exist that would thwart a would-be attacker. And yet they support the arrest and prosecution of Soghoian?! Looks like they had better make up their mind, huh?

Put bluntly, discussing vulnerabilities in airport security is a valid subject for security research. Any sort of chilling effect for legitimate research on vulnerabilities (which might result from prosecution in this case) is the opposite of what is needed to make air travel more secure. A demonstration of a security problem is not a crime. The government has shown time and time again an inability to improve the situation until something bad happens. Security researchers have a duty to make vulnerabilities as obvious and clear as possible so they get fixed.

Recently, I discussed the situation with Ed Felten from Princeton, whose own work often involves public demonstration of security problems. Ed has a draft paper (not yet released) describing in detail many of the same issues surrounding airport insecurity. Ed agrees with me that this kind of work should be welcomed and not prosecuted. (Incidentally, we both think the way that Soghoian went about publishing his script was irresponsible.)

On the other hand, why didn't Soghoian do something obvious like make sure his script watermarked the fake boarding pass with the word "Counterfeit" just like Microsoft's Word program can print "DRAFT" in gray as the background of every page in a document?

Johns Hopkins Professor Avi Rubin thinks that Soghoian went way over the line with his exploit and needs a clue. He thinks the demo should have rendered something more obviously fake. He further believes that Soghoian should have properly notified the TSA what he was up to, sharing the demo with them in advance of any publicity. These views stem from years working with "hot" exploits -- something that Felten, Rubin, and myself have all learned about through a decade of experience.

Christopher Soghoian is young, arrogant, and full of hubris. His actions were not tempered by clear thinking about how to present a real exploit to the public. His demo could have been easily adjusted to make it clear that the end product was a forgery (yes, I know such a watermark could be removed by a simple edit, that's not the point).

But whatever mistakes he made, his actions are not criminal. He did not use his script to sneak onto a plane. On his blog, he says, "I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me." Oops.

Rep. Markey probably sums the whole story up best. He says, "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome of Mr. Soghoian's ill-considered demonstration would be for the Department of Homeland Security to close these loopholes immediately."

I could not agree more.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...
PUBLISHED: 2020-02-24
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
PUBLISHED: 2020-02-24
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind...