Schneier on Security
A blog covering security and security technology.
« Fertilizer as a Weapon |
| Bank Sued for Unauthorized Transaction »
February 8, 2005
Flying on Someone Else's Airline Ticket
Slate has published a method for anyone to fly on anyone else's ticket.
I wrote about this exact vulnerability a year and a half ago.
The vulnerability is obvious, but the general concepts are subtle. There are three things to authenticate: the identity of the traveler, the boarding pass, and the computer record. Think of them as three points on the triangle. Under the current system, the boarding pass is compared to the traveler's identity document, and then the boarding pass is compared with the computer record. But because the identity document is never compared with the computer record -- the third leg of the triangle -- it's possible to create two different boarding passes and have no one notice. That's why the attack works.
Posted on February 8, 2005 at 9:11 AM
• 14 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hell, once someone is inside the terminal nothing is stopping an attacker from waiting until the last passenger is boarded, then do a running sprint before the cabin door is closed and pretty much single-handedly coldcock the females standing in the way and gaining entrance to the cockpit if there is a door available. Then with all the flying experience fly the passenger jet up and out... it just takes one bad apple to poison thousands.
Sure post 9/11 it is likely that if there are passengers witnessing this encounter they may intercede in their favor, but with the counter being sleeper agents that can choke access points for enough time for the rogue pilot to hijack the airliner there is no guarantee that the common man can stop the attackers intentions from occurring.
No need for a duped ticket, duped identity, concealed weapons… just lots of patience, a few buddies and a simple strategy to implement their will.
Even more ridiculous is the requirement to present a photo ID when purchasing a ticket for Amtrak. Per their website, "Amtrak customers 18 years of age and older must produce valid photo identification when purchasing tickets (whether in stations or on board trains)". Of course, no checks are ever made to determine if the person who uses the ticket is the one who purchased it. And, if you purchase over the Internet, you can pick up your ticket at the automated kiosk without ever showing any ID to anyone. Utterly pointless, and yet another example of security procedures being used to fulfill emotional needs.
"Amtrak customers 18 years of age and older must produce valid photo ... "
Hmmm, possible loophole - fake it, tell 'em you are only 17 ..." ? You could probably pull this off, with less hassle, and need only an accomplice 'parent' with good credentials get you aboard, as well. This could add a new depth to the triangle, as now you have a proxy to deal with (the adult) and the "teenager" who could be the Menacing Agent.
Simple -vs- complex, as under-18 adds an additional problem ... so soon we'll need better ID for infants, as well as 6 year olds, etc.
Of course, a Nat'l ID card would be useful here, right? Tag everyone from birth ...(wink)
The most dissapointing aspect of the Slate article is that the conclusion was "here's how to fix it" rather than "this shows how pointless this is."
I'm bothered by the throwaway comment about biometric systems being developed. Biometrics tend to fail on the problem of identification, where the biometric of an unknown subject is matched against a database of all known subjects. Biometrics--most especially facial biometrics--currently are only really useful for verification, where an unknown subject's biometric is checked against a single claimed identity.
Biometric verification is useful for limited access control, like logging into a computer or accessing a private area in the workplace, but for a general public system like air travel, it means that in order to work as conceived every person on the planet would have to have their biometrics collected and maintained in one massive database *before* they travel.
Yeah. Right. Like that's ever going to happen.
Mr. Torres' scenario doesn't seem as fool-proof to me as he apparently thinks. I'm not quite clear whether his attacker is running down the ramp into the plane or running up the aisle into the cockpit. But the gate agents are going to know when someone runs down the ramp and call security immediately. Passengers with cell phones are going to be making calls. With an unpressurized plane, emergency exits are going to open up, perhaps deploying the slides.
With the airport notified there are many ways of stopping the plane. First, the plane is going to have to back up, possibly without the help of the towing vehicle, perhaps with the towing vehicle pushing to keep the place in place. And the towing vehicle doesn't even have to counter the force of the plane's engines, it just has to turn the wheel in the worst direction, such as towards the dirt, where the plane will sink in.
Perhaps some well-placed fuel trucks could hem it in even earlier, or if nothing else, other planes.
Perhaps there are ways to cause the engines to flame out, maybe by putting a chemical into the front of the engines. For all I know a couple bags of flour or sugar would do it.
Military aircraft would be scrambled....
Not quite a sure thing....
It's much harder to pull it off here. With Qantas (Australia's main airline), you can buy a ticket online, but it has a booking number which is linked to their own database which has the name of the person who originally booked the ticket. When you go to check in, they don't care what piece of paper you have, they care about your photo ID and (to a slightly lesser degree) where and when you're flying. You can't book a flight, and then I changing "Bruce Schneier" for "Steven Plunkett" on the booking receipt and then printing it off and showing it to the check in counter. I'd have to have a fake ID as well.
Mind you, if I did have a fake ID, the problem is ostenibly solved...
I think the answer is to be like the old west and allow everyone who is legally able to carry a concealed weapon on board the airplane. Why would anyone try anything if possibly dozens of people are packing heat?
Of course, you don�t want to be on the flight where half the people are terrorists. Nevermind.
Maybe this has been discussed already, but the more discussion I see about airline/airport security (which seems to mostly be misdirected use of money/time), the more I have to wonder just how much "terrorist threat" is linked to this system. Yes, the terrorists used this system in the past, but now that the "cats out of the bag", it seems that they (the smart terrorists) would move on to a different method of attack.
I sometimes wonder how much all the airline/airport security parallels the "Maginot Line" of past history. Are we too busy defending against the methods of attack from the last "war" and not focusing enough effort to defend ourselves from the methods of the next "war"?
The "scenario" I explained above doesn't have to "seem" foolproof at all. It simply has to be attempted to gain any type of success. In a war of terror there is no warrant for streamlined success. The message is to terrorize. As I have stated mantra-like: "The security measures we all have seen are reactive and not proactive." - this means there is no mechanism to currently stop the scenario mentioned from occurring, thus it becomes a viable option. As long as it is viable, it is a vulnerability.
For example it would not matter that people were calling security or that a slow chain of events were trickling in hopes of stopping the attacker. The point is that the attacker can get into his position of action without much resistance to achieve a goal of terrorizing. The airliner full of passengers does not need to take off into the air and crash into something to cause this effect. Why wait for it to happen when you know it _can_ happen?
I flew JetBlue a few months ago with a boarding pass I had printed online, and I was in fact asked for ID at the gate. I noticed they were doing this only for passengers with printed-at-home boarding passes. I don't remember clearly if they scanned the boarding pass barcode or not but my guess is that they did. If that's the case it would seem at least some airlines are taking precautions against print-at-home boarding pass faking.
I see I am late and the spammers already got here. Everyone wants to complain about how much money we are spending on airport security. They say that we are defending against a threat that won't be used again because it has lost an element of surprise. I agree that it is unlikely to be used again but that is partly due to the fact that we are defending it. You can't just assume a security hole won't be exploited because everyone knows how to use the exploit. You have to patch the hole and then move one to other vulnerabilites. We have to patch all the holes before we are safe.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.