Matt Blaze's
Science, Security, Curiosity
Human-scale security and the TSA
Back off, he's a scientist

There was a nice column by Randall Stross in the New York Times a few weeks back entitled "Theater of the Absurd at the T.S.A." []. (Unfortunately, the Times' perversely inverted pricing structure -- in which fresh news is free and old news is charged for -- means that the article may no longer be available on their free site by the time you look for it, but that's another subject for another day.) Anyway, the piece focuses on the ongoing plight of Christopher Soghoian, a computer science graduate student at Indiana University who has found himself in hot water for making available a web-based tool that creates visually convincing -- but entirely fake -- airline boarding passes. Soon after the site went online the FBI raided his home and shut down his site, but ultimately decided against filing any criminal charges. But the Transportation Security Administration isn't so sure. In spite of the FBI's declining to prosecute, the TSA is, as of this writing, apparently considering pursuing tens of thousands of dollars in administrative penalties against Mr. Soghoian. Bruce Schneier and I were both quoted in the Times piece, with the two of us suggesting that openness, rather than threats of fines and prosecution, would be a far better strategy for improving security here.

Does this mean I think putting the boarding pass generator online was a great idea? No, and in fact I have some serious reservations about it. But if Mr. Soghoian may have been guilty of a bit of poor judgement here, the TSA's behavior in response has been far, far worse -- and suggests problems much more damaging to our security than forged boarding passes.  

Here's the backround: There is apparently a significant (but largely secret) component of our aviation security infrastructure that depends on being able to identify travelers by name. But the system as it has been implemented for the last several years makes it trivially easy for a malicious individual to avoid being identified. The reason for this has to do with a feature interaction that exploits "print at home" boarding passes and the particular way in which IDs are checked at most US airports. The attack is very simple, and was publicly pointed out (first by Bruce Schneier, I believe) in 2003. The anonymity-seeking attacker simply buys a ticket under an innocuous false name (one that does not appear on any "do not fly" or "watch" lists), and checks in for the flight via the airline's web interface (which allows the boarding pass to be printed at home). At the same time, the attacker creates a second, fake boarding pass essentially similar to the first one but with his or her own real name (for which he or she has a valid, government-issue photo ID) instead of the false name. The fake boarding pass (with the real name) is used to clear the security checkpoint, where a photo ID must be shown (and will be compared against the name on the boarding pass, if the screener is doing a good job). The real boarding pass (with the false name, but corresponding to a valid ticket) is presented at the gate to board the aircraft. The false name is the only one that will appear in the airline's records, and is the one that will be checked against the various databases of suspected criminals and terrorists.

This is a very easy attack to carry out. It is a simple matter to create a realistic-looking fake print-at-home boarding pass with modern desktop publishing or image manipulation software, and the details of what to do at the airport should be readily apparent to even the most casual flyer. In other words, our system for identifying malicious travelers by name has for several years been completely broken. One might reasonably conclude that either this ineffective system should be fixed at once, or, perhaps, identifying travelers might not be so helpful after all, in which case the identification-based infrastructure should be scraped and its (substantial) resources directed elsewhere.

So, what did Christopher Soghoian have to do with all of this? According to various news reports, last Fall he took the technique to its logical next step and created a simple web-based interface that allows anyone to format a valid-looking Northwest Airlines print-at-home boarding pass. Presumably he hoped to demonstrate dramatically that the current identity-based security system is terribly flawed. In any case, his system was quickly shut down by the FBI after being condemned by various public officials as a threat to aviation security, and the TSA may yet file administrative charges.

For the record, I think Mr. Soghoian's online boarding pass generator was ultimately rather ill-advised whether viewed as science or as civic protest, and I'd certainly hope my students would think very carefully about the potential consequences before doing something similar. From a scientific standpoint the boarding pass generator didn't demonstrate any particularly interesting or novel technical concept; it is obvious to anyone who understands the technology that it is trivial to generate a visually convincing -- and entirely fake -- boarding pass printout (and this observation had, in fact, already been published). And it seems especially unfortunate that the provocative nature of Mr. Soghoian's online demonstration may in the end have had the effect of distracting attention from the very real problems that he hoped to expose. So as a researcher who often faces the dilemma of disclosing exploitable weaknesses in fielded systems, I'm not entirely comfortable defending all of Mr. Soghoian's choices in creating his demo and putting it online.

But for the TSA to suggest that it is Mr. Soghoian's system that is the "threat to aviation security" here is either terribly confused or just plain cynical and disingenuous. The fact is that any system based on a visual check of an easily forged document is so fundamentally broken that any "evildoer" with access to even the most rudimentary computing expertise would have no difficulty producing these documents if they felt that doing so would serve their purposes. (In fact, the open, online nature of Mr. Soghoian's ill-fated demo greatly reduces its usefulness to genuine criminals or terrorists, since anyone using his system would never know whether their network traffic was being monitored by the authorities as they created their fake boarding passes). The TSA's relying on a flawed, trivially circumvented system is the threat to aviation security here.

Unfortunately, it is all too natural for those embarrassed or inconvenienced by the disclosure of a security problem to try to shift the blame to the messenger, and the hysteria around "homeland security" makes it especially easy to succeed in doing so these days.

As predictable as it might have been, though, I'm still surprised by the force and apparent vindictiveness of the TSA's response to Mr. Soghoian. My own experience with disclosing even embarrassing security vulnerabilities has been that federal security agencies often understand the issues and pitfalls here better (or are at least better behaved in this regard) than do many purveyors of commercial systems, who are often very quick to threaten legal action (or even physical violence) against those who point out flaws in their products. For example, the FBI was quite receptive to our recent research on the (un)reliability of telephone wiretaps, and even the secrecy-oriented NSA reacted admirably well a decade ago when I published my paper on flaws in their Clipper Chip. In contrast, I still get angry email from locksmiths and lock makers after publishing papers on weaknesses in master keyed locks and on the security of safes and vaults, the lessons of Alfred Hobbs notwithstanding.

Whether Mr. Soghoian exhibited the best possible judgment in putting his system online may be debatable, but that's very much beside the point compared with the issues it raises. Real security against a serious threat of terrorism demands a lively, open discussion of a complex system that, in this case, is flawed, wasteful, and ineffective in many fundamental ways. For the TSA to threaten ruinous fines against those who point out these flaws (even as provocatively as Mr. Soghoian did) can only serve to stifle an urgently needed public debate. The message is unmistakably clear: if you discover we're doing something wrong, just shut up about it.

Designing effective security systems is hard, especially when they are this complex. It isn't especially unusual or alarming in and of itself if occasional weaknesses are discovered from time to time. A far more important signal of a system's security health is how flaws are (or aren't) addressed when they are found.

In this case, perhaps the most disturbing issue is that such an obvious flaw has persisted despite having been pointed out several years ago. That by itself suggests a broken, ad hoc design that must be systematically examined and overhauled before we should have confidence in its security for the long run.

Like many security protocol failures in human-scale systems, the ID-checking mechanism actually started out as a reasonably effective one, but was later broken by a series of seemingly innocuous incremental changes. Immediately after 9/11/01, a passenger ID check was performed at the gate during boarding, but a few years ago most airports eliminated that procedure and rely instead on the (centralized) ID/boarding pass check done as passengers enter the concourse security screening checkpoints.

The gate-based ID check is a more reliable way to verify that the name on the flyer's ID documents matches the name in the reservation because the authenticity of the boarding pass (against which the name is matched) can be confirmed online when the check is performed. But no such online check is performed at the screening checkpoint.

Eliminating the gate ID check, coupled with the ability to print one's own boarding passes, had the side effect of allowing someone whose name is on the "no fly list," the "selectee list," or one of the various terrorism watch lists to fly without being detected.

Of course, the no-fly and selectee databases are themselves notoriously noisy, and obtaining an adequately convincing "government issue" ID under a false name may not be especially difficult for a determined malfeasant. But presenting a fake ID at least entails some risk of detection. The fake boarding pass attack is serious because it eliminates virtually all risk to the attacker, rendering the entire ID-based infrastructure an expensive charade.

The fact that these loopholes exist doesn't touch on the broader -- and ultimately more serious -- issue: whether an ID-based system that worked properly would even be desirable for society in the first place. There are many tricky problems here. There are obvious privacy implications of having centralized databases of people's travel patterns (and some of the most serious are hard to quantify economically), there are difficult questions surrounding how to correct bad information and name collisions, securing the large databases that underly these systems involves solving very difficult technical problems, the underlying photo ID mechanisms are themselves known to be unreliable, and of course there are the more abstract but equally vital issues of balancing security against the individual's right to travel. (Required reading for those interested in the technical and socio-legal nuances of this issue are the National Research Council's recent reports on the subject: ID's -- Not That Easy and Who Goes There?.)

The TSA's air-traveler ID system is based on the assumption that identifying travelers helps prevent terrorist attacks. If they're right about this then the current system urgently needs to be fixed, since it's demonstrably broken. But if an expensive and cumbersome system for identifying travelers isn't actually making us any safer, we should get rid of it altogether.

Many security specialists (including me, if that's not yet clear) are skeptical of the value of ID-based security generally, and believe that the TSA has not demonstrated (in the public literature at least) that an ID-based system is an effective or efficient form of protection against aviation terrorists. But because it is so easy to circumvent the TSA's mechanism, one does not need to agree with that broad point to see that the current system needs to be replaced. Since the ID system can be reliably bypassed by criminals and terrorists, we pay all of the costs associated with ID-based security and yet get none of the potential benefits, whatever they might be. That should be unacceptable no matter where one stands on the other issues

It's unfortunate that the rather flippant and aggressively provocative manner in which the boarding pass generator was released and presented allowed the TSA to portray Mr. Soghoian, rather than the TSA's own flawed system, as the problem. It is natural and very common for those embarrassed by the disclosure of a security-related weakness to try to do this, and I'm afraid that some of Mr. Soghoain's choices played right into the TSA's hands in this regard.

The scientific importance of some of the flaw exploitation tools used in computer security research is sometimes not immediately obvious, and appreciating their real value can require a nuanced understanding of how research in the field progresses. Seemingly dubious tools that appear at first to be of potential use only to criminals may in fact serve as essential stepping stones to making current and future systems more secure. It's enormously valuable to have these apparently "dangerous" tools widely available to the research community, even at the risk that they might be exploited by bad guys. I have long been among the first to argue against legal restrictions (such as the anti-research provisions of the Digital Millennium Copyright Act) that discourage this kind of openness.

Unfortunately, much about the way the boarding pass demo was released and presented seemed to go out of its way to obscure any scientific value the tool might have, even though it was surely created to advance laudable goals. The presentation almost seemed to yell out, "go ahead, try to stop me." That makes defending it as research that much more difficult, and may ultimately make it that much harder for future researchers who produce valuable but potentially "harmful" tools to justify making their work available (especially when they lack conventional scientific credentials or are not supported by established research institutions).

So far, the TSA has been largely successful in controlling the terms of the debate by going on the offensive against an easy target, vilifying a graduate student instead of acknowledging the underlying problems that his demo exploited. That's a terrible, if predictable, shame.

Messenger-blaming aside, it would be simple enough for the TSA to implement any number of countermeasures against Mr. Soghoian's attack (actually, Schneier's attack). They could eliminate print-at-home boarding passes. They could put online boarding pass readers at the checkpoints. Or they could move the ID checks to the boarding gates (where there are online readers). Such countermeasures would thwart this particular attack, but would not address any of the deeper problems inherent in ID-based security systems (such as the ease of obtaining forged documents, the lack of reliable mapping between "name" and "identity", the fact that suicide attackers may have relatively "clean" records, the privacy and civil liberties issues that databases of travel patterns create, the unreliability of the no-fly, selectee, and watch lists, and so on).

The Schneier/Sogohian attack didn't directly address the broader questions about ID-based security, except in one way that I've not seen discussed much: because of this obvious weakness, we've effectively lived without a working ID-based system at airports for several years now, enabling anyone who wishes to do so to easily and without risk fly under a false name. And yet in spite of this there have been no major aviation security incidents in the US (and certainly none involving terrorists flying under false names). We might ask what a traveler ID requirement actually accomplishes, given that we seem to be managing pretty well without one.

1/13/07 update: Thanks to Jon Lasser and Jameson Simmons for showing me how to generate more permanent links to NY Times articles via [].