Schneier on Security

On some airlines an observant counter clerk would detect this at the boarding gate. Just prior to the passenger walking down the jetway, the ticket is scanned and the machine displays the last name/first name of the passenger. Sometimes I've seen Delta employees compare the boarding pass to the display, but this does depend on human factors to reliably work.

The machine also beeps if the passenger is seated in an exit row, is an unaccompanied minor or some other combination of events. It may also flag a "Do Not Fly List" name, although I do not know if this is implemented.

Hello Bruce,

You stated that checking ID's is for the business interests of the airlines, rather than for security.

Similarly, checking boarding passes at the security checkpoint is for business, not security purposes. Checking boarding passes prevents the casual non-traveller from going through security to meet their loved ones at the gate. This reduces the number of people going through the checkpoint, which keeps the lines shorter and reduces security costs. Hence, checking boarding passes is all about convenience, efficiency and cost, not security.

Are we surprised?

Alan

European airports I've been through do this a lot better: security is checked at the gate or at the terminal wing, not in the terminal main lobby. This not only eliminates the terminal-entry bottleneck, but it also solves the problem of counterfeit boarding passes (since the security screener at the gate has access to the flight manifest).

Of course, metal detectors and X-ray machines at each gate puts the cost and responsibility of the airplanes' security into the airlines' hands, so it's a tough sell in the U.S. It's far cheaper to externalize security.

Further, this exploit only works if the airline (either at check-in or at gate) don't type the etkt number into their seat allocation software, as they always do. If they do (presuming you don't have insider access to their systems, in which case you'd clearly issue your own ticket in whatever name you liked) they will get the original passenger name record....can you step this way sir whilst I call Homeland Security?

Similar to hoping that the bank gives you the cash without asking for the card. Not a real issue.

What Alex says is re-assuring, but the point of the article wasn't as much about bording the plane but about getting past the security checkpoint:

"Can you actually get on an airplane using this approach? Probably not, but you can certainly make it past the security screening checkpoints."

Yet another great article Bruce. I doubt anyone in the TSA is reading unfortunately.

T. Hudson, you misinterpreted Bruce's scenario. The terrorist uses the undoctored "Joe Smith" boarding pass to actually get onto the plane at the boarding gate. Hence the Delta system would show that the valid boarding pass matched their records. The doctored "Joe Terrorist" pass and matching real ID is only used to get thru the TSA security checkpoint, where they do not check any databases or the like.

Actually for domestic flights in french airports the ID/ticket is checked between 2 and 4 times : first at check in, then at the terminal entrance where there are the metal detectors, very often at the gate by the airline personnel, and sometimes before boarding the plane by security personnel.

@Alex: Read the article - it's about using a fake boarding pass to get past security, not to get onto the plane.

The author of this latest article points out it can be used to get past screening - by not having 'ssss' on your pass - but if that's your goal, it's even easier: just print two copies of your boarding pass. Throw away the marked one once you're through.

I talk about this in my software security classes all the time when we discuss authentication & authorization. Of course you can get on a plane doing this. Print out the boarding pass at home with the real name (e.g. John Doe). Make a photocopy and cut & paste (the physical kind or photoshop) your name in place of John Doe. Print both boarding passes.

Use the one with your name that matches your ID to pass security. Throw it away. Use the real ticket with John Doe's name to board the plane. This is trivial to accomplish.

Alex: Reread the article. The author gives a clear summary of a 5 step plan that allows someone on the No-Fly list to board a plane. All it requires is a stolen credit card (or someone gullible enough to buy a ticket , then give it to you). If someone on the No-Fly list really is a such a dangerous person, surely they'll be willing to steal a credit card number. Add in a good fake ID and someone on the FBI's Ten Most Wanted list can get on an airplane.

Airline security is a crock, an elaborate piece of security theatre that happens to make reselling tickets hard so airlines love it.

Perhaps the problem can briefly put as: At security, the ID is authenticated (in theory) but the boarding pass is not; at the gate the boarding pass is authenticated but the ID is not. By switching boarding passes, you make the ID check meaningless. If, however, the pass you present at the gate was guaranteed to be the same as the one you presented at security, then this particular problem goes away. Others remain.

An even easier way to get past the security is to get a job with the airline, one of its regional subsidiaries, or the service subcontractors. Their background checks are cursory; legal authority to reside in the US is evidently not even a requirement, and then you have a separate door through security that no one watches, and you can take as many other people with you as will fit in the catering truck.

While you are replacing the magazines and peanuts, you can stash an H&K MP-5 with 3 spare clips under every seat in first class; the toilet-servicing truck can transport about 40 of them to the plane with no effort.

You could put enough C4 in the potty to not only vaporize the plane, but also trigger the nuclear-launch-warning satellite alarms.

You won't be on the airplane when it leaves with this method, but with all the stuff you've had time & access to do to it you probably wouldnt want to be on it anyway.

I was about to comment, but Gary got it. (Though there are certainly other issues), when they dropped the photo ID at boarding time it was immediately obvious that this could be exploited by changing documents between the two checkpoints.

I also love how all airports use consistent security even when they have different layouts. The Kansas City airport was built right before the security craze, to step from your car practially onto to the plane. Since then, they have cordoned off every few gates into these secure zones, each of which has its own security entrance. These security points are no more than a few feet from airline counters, yet the TSA and airline people continue to have nothing to do with each other, for convenience OR security reasons. Even here, it would be a snap to carry out this paperwork exploit.

What's the big deal if Joe Terrorist flies on an airplane? If Joe can't get through the cockpit door, and can't bring on weapons, then what's the worst he can do?

None of this matters at all, except in that it's a waste of resources that would be better spent elsewhere.

-- damon

I don't think I've seen an airport where boarding passes are not checked against PNRs at the gate. Certainly not where aircraft of more than one engine were in evidence. The boarding pass is indeed guaranteed to be the same - unless you can arrange two with identical unique identifiers but different details, in which case we do indeed have a problem!

Further, there is little point in being able to get through a security checkpoint if you can't get through the document check or the gate check. If the two are not mutually independent, they are seriously flawed.

Perhaps this is just because I'm a eurosexual, but the minimum security environment I expect to find at an airport involves both check-in/gate crosschecking, a separate ID/boarding pass verification by either security or immigration control, and a security screening (for suspicious items) independent of the boarding passes.

Don't they do that in the States?

I think Damon has a good point.

@shoobe01

Ah yes, Kansas City. It's a nightmare hub, for that very reason. If at all possible, I won't fly through it. Changing planes shouldn't involve another long wait in the security lines.

Damon points would be well taken if weapons screening were effective.

Excerpted from a USAToday article:

Checkpoint screeners at 32 of the nation's largest airports failed to detect fake weapons — guns, dynamite or bombs — in almost a quarter of undercover tests by the Transportation Security Administration last month, documents obtained by USA TODAY show.

The tests, the first since the security agency began overseeing checkpoint screening in February, were done by agents who were instructed to do little to try to conceal the items as they passed through screening checkpoints, memos about the tests show.

Overall, screeners missed simulated weapons in 24% of the tests. At three major airports — in Cincinnati, Jacksonville and Las Vegas — screeners failed to detect potentially dangerous items in at least half the tests. At a fourth, Los Angeles International Airport, the results weren't much better. The failure rate there was 41%. Screeners repeatedly failed to find stainless-steel test pieces that set off metal detectors as guns might. Screeners also had trouble spotting simulated bombs.

I don't worry too much about this, but there are a couple of points:

1. There's a -- what's the phrase? -- walking-the-cat-back issue. What the availability of this exploit means is you don't actually know who was on the plane, if something happens. I imagine you can find out with some extra work, but the manifest isn't going to tell you.

2. As Alan noted, the exploit allows anyone airside. Just fake a boarding pass. Keep a copy of a genuine one from some trip or other and create a modified version for any particular date you want to go airside. There is some security in restricting airside access to passengers: they can't hang about for an indefinite amount of time looking to observe exploitable patterns, since they have to get on their plane. Someone airside on a fake pass can.

I don't know that either of these are particularly worrisome, but they do violate what we always preach as security principles: (1) if you can't protect, detect and (2) least privilege.

If it's so easy to get weapons on planes, and it's so easy to get on board a plane with fake ID, and we have a large group of fanatics who are at war with us, why aren't there more such attacks?

One has to wonder if there is no enemy out there, or if such basic security actually works.

@Posted by: damon at March 14, 2006 01:16 PM
"can't bring on weapons, then what's the worst he can do?"
Are you sure about this ?
Yes, they confiscate nail-clippers, then you are free to go to the duty-free shops and buy az many _glass_ bottles with highly flamable liquid in them as you wish.

@Posted by: damon at March 14, 2006 01:16 PM
"can't bring on weapons, then what's the worst he can do?"
Are you sure about this ?
Yes, they confiscate nail-clippers, then you are free to go to the duty-free shops and buy az many _glass_ bottles with highly flamable liquid in them as you wish.

Harrold is right: there are very few attackers in the west. There are quite a lot in Iraq, but they recognise that it's both easier and more effective to attack there than in the US.

Harrold: because we have a huge terrorist magnet in Iraq right now.

Why spend years as a sleeper in the US so you can fly a plane into a building when you can just walk to Iraq and take potshots at representatives of the great satan RIGHT NOW? After all, your goal is to meet Allah and live in paradise with infidels as your servants. It doesnt matter how things work out here on the earth you leave behind.

And this scenario is better for us anyway because the americans they attack in Iraq are: a)aware of whats up, b)prepared (at least somewhat), c)equipped (same comment) and d) volunteers.

The focus in the country has gone astray. We have forgot the basics, and sold out our civil liberties for a perception of being more secure. I recently flew, and a number of questions still can not be answered: If a TSA official were able to know what they were looking for, would they know how to respond when the occasion arose? And if they responded as trained (or even not as trained but as a prudent security checkpoint officer would), would the rest of the “system� function, or would it be a catastrophic disaster?
Passengers still have to submit to arcane “security measures� as taking off their shoes to be x-rayed, removing jackets before entering metal detectors, and removing laptops from bags. If there were a threat matrix level assigned to each passenger for each ticket, the majority of passengers would not be harassed and the system would work more efficiently, better, and cost less than the current system (especially if ridiculous and logic backward groups, such as unions, are kept out of the system). Maybe the solution would be to outsource the security at airports to entities that have a track record to being secure and working efficiently, such as the Israelis or Swiss. I recall, flying into Zurich and Tel Aviv, of a no nonsense security system: armed MPs with Uzis/M-16 set on ready (instead of the pea-shooters in JFK); layered security; profiling and associated threat levels associated to the passengers; and personnel whom know what they are looking for and know how to react to those threats.
Air marshals in the sky only prevent a psychotic passenger, not a determined terrorist; requiring x-rays of shoes only waste time and money, not prevent another idiot shoe bomber because the trace detection systems were not used; TSA of today will not prevent future determined hijackers, only irk passengers and supply a false sense of security.

The photo ID requirement was enacted immediately after TWA flight 800 was blown up by Islamic radicals, ostensibly to prevent future attacks.

Bruce glosses over a point when he remarks that the airlines didn't resist -- they had been begging for such a requirement for years, and accusing people who bought and sold restricted tickets or frequent flier awards of being "criminals".

Of course, when we learned that TWA 800 was not blown up by Islamist radicals, the photo ID requirement was not rescinded.

Nor did it actually prevent subsequent terrorist attacks, as we learned in 2001.

I wonder how many people remember that only 10 years ago, you didn't have to present photo id?