Wednesday, October 18, 2006

Paging Osama, please meet your party at the Information Desk

[Ed: The technique outlined in this blog post was also documented by a journalist at Slate last year. See:

The only way for these kind of problems to get fixed, are through through public full disclosure. TSA/DHS cannot be expected to fix anything unless they are publicly shamed into doing so.]

Shortly after 9/11, the airlines introduced a very reasonable security check (amongst a bunch of other stupid ones): They started checking ID at the gate.

It's really important to note why this is good. You see, when they scan your boarding pass, the screen will either beep yes, to tell them it's valid, or beep no, and tell them that it's a bogus pass. They'll be able to look on their terminal, see the name attached to the booking reference, and check it against the ID in front of them (ok, they rarely did this, and instead checked the name on the boarding pass - but at least they had the potential to do it correctly).

However, checking the ID of 300 passengers when you're trying to fill up and airplane can lead to considerable delays, and thus, once the hysteria of a few terrorists armed with exacto blades had calmed down, the airlines did away with this requirement, and instead offloaded it to TSA.

Herein lies the problem: TSA doesn't have access to the Airline's computer systems. Thus, they have no real way of knowing if a boarding pass is real or not. All they can do is verify that the name on the piece of paper (which may or may not be a boarding pass) matches the ID they have been given.

This situtation is made even worse when you consider the fact that you can print your own boarding pass online at home. This is often a bunch of text/html, with one or two images (a barcode, and perhaps an airline logo). It is trivially easy - as in, 20 seconds with a text-editor, and not even requiring you to open photoshop - to open it up, and change the name.

And thus, I introduce a perfectly valid method for a terrorist - known to the government, and already on the domestic no fly list, to board a US commercial flight.

Step 1. Purchase an airplane ticket in the name of "George P. Watkins"
Step 2. Check-in online the night before, and print out your boarding pass online.
Step 3. Save as HTML, edit the boarding pass code, and change it to your real name "Ali Terrorist"
Step 4. Print both boarding passes - the one which lists your real name, and the one with the name that the ticket was actually purchased under.

Step 5. Go to the airport the next day with both boarding passes.

Step 6. Present your real drivers license and modified boarding pass to the TSA checkpoint officers. Note that as they do not have access to a computer, they cannot check you against the no fly list, nor can they even verify that the name on the piece of paper matches the booking in the airline's reservation system.

Step 7. Clear security (after being frisked 5 times for looking middle eastern)

Step 8. Wait patiently at the checkin-counter, and when the gate agent announces that is time to board:

Step 9. Hand her the original boarding pass (with the fake name), which should scan perfectly, and should she even look at the computer, she'll see that the name on her screen matches the name on the boarding pass. She won't ask you for ID (as TSA already performed that task), and thus will let you on the plane.

Step 10. Board the plane, and do whatever nasty stuff you intend to do.

This is insanely easy, and unfortunately, will work.

The reasons for this massive security hole:

1. TSA agents cannot verify the authenticity of boarding passes.
2. TSA agents cannot access the airline's reservation systems, nor do a on-the-spot lookup of the ID presented to them against the no-fly-list.
3. Boarding passes are not tamper evident. One can easily edit them at home.

And just for fun, I thought I'd show off the modified boarding pass for my flight tomorrow. Of course, I won't be using this, as it'd guarantee me a one-way ticket straight to Gitmo. (Habeas Corpus not included):


Anonymous said...

hmm, even in Cairo/Egypt the person checking your ticket and ID has a list of all web ticket fliers where you are ticked off - and if your name is not on that list you are not getting anywhere near a plane.

Anonymous said...

Certainly, the immediate knee-jerk reaction by the airlines would be to crank up their online boarding pass/validation system (another band-aid solution, but expect nothing less).

Good job on the exploit. Kudos!!

Anonymous said...

In the Europe, your boarding pass is always checked against the boarding lists AND full ID is shown - passport or ID card. On the other hand I've only travelled internationally so maybe it's different internally. Is the problem that is being highlighted on all flights or just internal US flights?

Anonymous said...

It seems like the implication here is that the TSA and the airlines should be sharing MORE information about me--or at least that they should have more real time access to information that each organization attempts to maintain. Clearly you've identified a logistical security hole--but I'm not sure I like the implication that we need MORE Orwellian security measures to solve the problem. How can such a hole be dealt with without further eroding my privacy?

Anonymous said...

I really do find it astonishing that someone is concerned about their privacy more than the safety of several hundred people.
To be honest, the sooner there is a global DNA database that all law enforcement can access, the better.

Imagine being able to feel secure in your home knowing that anyone breaking and entering can be identified in seconds - what a deterrent. Someone please tell me why privacy should prevail over my families safety?

Anonymous said...

I can understand that need for security, but security at the expense of personal freedom is too high a price. However, in this case, it isn't an issue, as between both groups, they have access to the data already. The relvant bit is putting the two together. Believe me, I am normally one to call the privacy concerns, but I don't think that the argument is valid.

Anonymous said...

What I find atonishing is that some people can come out with idiocy like this.

What I will find very amusing when we are all on a database, is that a criminal will get hold of your DNA, liberally sprinkle it over the house he burgles, and then watch you get sent down because you will be deemed to be the culprit. You should be sent down anyway for being a total moron.

Incidentally, you should also stop watching TV.

Anonymous said..., it's not done everywhere in Europe. I only need to show a boarding pass or ticket to go past security. Only if I'm traveling to the U.S. or U.K. there is a second check to enter the "isolation ward" where my passport and boarding pass have to match.

I know of another loophole in that regard that I won't be sharing.

The irony of this is that people expect TSA's mission to be about security. I thought the same back when it was formed. Dozens (hundreds?) of flights and thousands of miles later I've come to realize that TSA's job is the illusion that we're secure.

As for "Mr./Ms. Privacy versus the security of their family" why should I give up my privacy for your insecurities? Buy a gun and shoot the bastard entering your home if you're so concerned. It's an 19th century solution that has worked just fine for years.

Anonymous said...

If you happen to be flying to Kuwait or Abu Dahbi to serve your country in it's time of greed as a "civilian contractor", it is common practice for TSA to cut you out for special SSSA boarding pass code special security screening. They have no way of knowing nor do they even care that you have three levels of security clearance from the US government to even qualify for the job you are going to the PG to do. The extra attention you receive then occupies the TSA and erodes their ability to screen people that may actually pose a threat. As a frequent flier I take notice and it scares me that when going through the line for carry on baggage ex-ray, you are asked for your ID and boarding pass. In the MAJORITY of these cases these people never even look you in the face to establish if the person on the ID is actually the person they are checking through. Hey they are punching a clock and not getting on the plane what do they care!