Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
Patch Tuesday at the TSA
Boarding pass scanners now at some airport security checkpoints.

In 2003, Bruce Schneier published a simple and effective attack against the TSA's protocol for verifying a flyer's identity on domestic flights in the US. Nothing was done until 2006, when Chris Soghoian, then a grad student at Indiana University, created an online fake boarding pass generator that made it a bit easier to carry out the attack. That got the TSA's attention: Soghoian's home was raided by the FBI and he was ordered to shut down or face the music. But the TSA still didn't change its flawed protocol, and so for more than five years, despite the inconvenience of long security lines and rigorous checks of our government-issue photo IDs at the airport, it has remained possible for bad guys to exploit the loophole and fly under a fake name. I blogged about the protocol failure, and the TSA's predictably defensive, shoot-the-messenger reaction to it, in this space a couple of years ago.

Well, imagine my surprise yesterday when I noticed something new at Philadelphia International Airport: the TSA ID checker was equipped not just with the usual magnifying glass and UV light, but with a brand new boarding pass reader. The device, which did not yet seem to be in use, apparently reads and validates the information encoded on a boarding pass and displays the passenger name as recorded in the airline's reservation record. According to the TSA blog, boarding pass readers are being rolled out at selected security checkpoints, partly to to enable "paperless" boarding passes on mobile phones, but also to close the fake boarding pass loophole.

Unfortunately, the new system doesn't actually fix the problem. The new protocol is still broken. Even when the security checkpoint boarding pass readers are fully operational, it will still be straightforward to get on a flight under a false name.

 


Anonymous flying requires a slight adjustment to the exploit now, but it's still easy to carry out, and it's not terribly difficult to figure out what to do just from observing the basic TSA procedures that every air traveler can see.

Here's how the attack worked (as I described here) before the new TSA checkpoint scanners appeared:

The [vulnerability] has to do with a feature interaction that exploits "print at home" boarding passes and the particular way in which IDs are checked at most US airports. The attack is very simple, and was publicly pointed out (first by Bruce Schneier, I believe) in 2003. The anonymity-seeking attacker simply buys a ticket under an innocuous false name (one that does not appear on any "do not fly" or "watch" lists), and checks in for the flight via the airline's web interface (which allows the boarding pass to be printed at home). At the same time, the attacker creates a second -- fake -- boarding pass essentially similar to the first one but with his or her own real name (for which he or she has a valid, government-issued photo ID) instead of the false name. The fake boarding pass (with the real name) is used to clear the security checkpoint, where a photo ID must be shown (and will be compared against the name on the boarding pass, if the screener is doing a good job). The real boarding pass (with the false name, but corresponding to a valid ticket) is presented at the gate to board the aircraft. The false name is the only one that will appear in the airline's records, and is the one that will be checked against the various databases of suspected criminals and terrorists.

Flying under a fake name now requires that anonymous travelers get two valid boarding passes instead of just one: one, for the desired flight, under the innocuous fake name and another, for a different flight, under his or her real name. He or she goes through the security checkpoint with the (valid) boarding pass that matches the true name, but uses the one with the fake name to board the actual flight. Frugal attackers will want to get a refundable ticket for the one bought under their real name, which is used only for the purposes of traversing the TSA checkpoint.

Now, in the new system's defense, it does close one part of the loophole: people on the "selectee" lists will no longer be able to evade the extra screening for which their name flags them. So anonymous travelers whose true name is in the selectee database will now have to endure a bit of extra scrutiny when they are screened. But their names will be registered for different flights from the ones that they actually board. The fundamental goal of the new system -- ensuring that the government knows which flights have suspected bad guys on them -- can be thwarted just as easily as before. The main difference is that now the TSA has bunch of fancy new scanners at the security checkpoints (paid for, presumably, by either tax dollars or ticket surcharges).

I don't mean to pick too much on the TSA here. It feels almost unsporting to criticize weaknesses in an agency whose popularity these days seems to lie somewhere between that of the IRS and Al Queda. They've got an impossible job, and they're trying, albeit slowly and clumsily, to show progress toward something that can't be measured except by perception. And they do have a spiffy new blog, written by hip, tech-savvy people, and that's got to count for something. But the whole idea of strong passenger ID checks as a basis for an anti-terrorism program is itself ill-conceived, addressing a threat that has never been clearly articulated and for which no credible risk assessment has ever been been published.

Patching the protocols won't fix that.

Postscript (9/19/09): Stewart Baker (who has worked as the DHS policy director and as the NSA legal counsel, now in private practice) takes me to task in his blog for failing to adequately recognize the TSA's effort to fix a security problem. I think he misses the point, which was that the (expensive) patch they devised does a poor job of fixing the problem. But judge for yourself. His take, and my response to it (in the comments), can be found here [link].

Post-Postscript (9/20/09): I just posted a follow-up here.