Authentication is a looming problem for security in the near future. It used to be you were known, physically, to your local merchants, your banker, and so on. Now, with the Internet, anyone can be anyone--authentication is lacking in many crucial areas. What if you could print your own airline ticket? You can already. But what if you could print your own boarding pass? Briefly last week, you could, and hopefully the existence of this site (now shut down) will force the issue of airport authentication--and therefore security--out of the realm of security researchers and into the mainstream. Otherwise, we've learned nothing from September 11. 2001.
IU student wreaks havoc
Last week an Indiana University Bloomington computer security student, Christopher Soghoian, posted (briefly) his own custom Northwest Airlines boarding-pass creator on the Internet. The response was swift: Federal agents swooped in and shut him down, taking his computer; a congressional representative even called for Soghoian's arrest--then backed down.
"I haven't even printed one out," Soghoian wrote. "All I have done is create PHP script, which highlights a security hole made public by others before me."
What Soghoian did was exploit a well-known flaw in the current method of screening airport passengers in the wake of September 11, 2001. "I haven't even printed one out," Soghoian wrote on his personal blog site last Friday. "All I have done is create PHP script, which highlights a security hole made public by others before me."
A security triangle that's broken
Security guru Bruce Schneier has mentioned time and time again that the current method of checking passengers against their tickets is flawed. In various security blogs and columns, Schneier suggests that airport security is basically a triangle with computer records, paper tickets, and identification together providing authentication. When travelers show only a paper ticket and an ID, the airport screeners have no way of knowing whether the ticket is valid. As long as the paper document that's presented looks and feels legitimate, the airport screeners only check to see that the name on the ticket matches that on the photo ID presented. They have no way to access the airline's database to see whether you really are booked on a specific flight.
In his 2003 book Beyond Fear, Schneier says that "the real point of photo ID requirements is to prevent people from reselling nonrefundable tickets … Under the guise of a step to help prevent terrorism, the airlines solved a business problem of their own and passed the blame for the solution on to FAA security requirements."
Indeed, despite what it says on the current FAA Web site, regulations don't really require you to provide ID at the airport--really.
Please don't shoot the messenger
Congressional Representative Edward Markey (D-MA) initially called for Soghoian to be arrested. Then Markey backed down, issuing a press release. "It remains a fact that fake boarding passes can be easily created and the integration of terrorist watch lists with boarding security is still woefully inadequate. The best outcome would be for the Department of Homeland Security to close these loopholes immediately.
Indeed, despite what it says on the current FAA Web site, regulations don't really require you to provide ID at airport--really. The alternative to showing an ID is to submit to a secondary screening. This came out of a 9th Circuit Court decision in favor of John Gilmore. The Identity Project, a privacy rights organization, suggests you bring along a copy of his court decision and point out the number of times it mentions you can fly as a "selectee" rather than show ID.
So, how secure are airports?
Accepting Gilmore's challenge, Jim Harper, a committee member of the Department of Homeland Security's privacy advisory committee flew home from San Francisco sans ID, a trip ocumented in an article on Wired. After announcing that he'd mailed his driver's license home, Harper was directed to a secondary screening area. The irony is that the secondary screening area is a much shorter line, which may have allowed Harper to exit the security area faster than if he'd brought his ID.
In response to the Soghoian boarding-pass controversy, Schneier revisited the topic of airport security and concluded that TSA airport screeners still aren't very good. Schneier cites one example in his blog; at Newark Liberty International Airport, where screeners at airports used in the September 11, 2001 attacks failed 20 of 22 security tests conducted by undercover U.S. agents. I think until we address the real problem--authentication--we shouldn't be arresting students like Soghoian. Should Soghoian face charges for creating his Northwest Airlines boarding-pass creator? Talk back to me.