Today, I took a domestic flight within the US. I noticed a minor flaw in the security procedure used to verify and account for passengers. The bug wouldn’t allow someone to sneak a weapon onto a plane. However, it might allow someone on a no-fly list, a fugitive, or someone else who doesn’t want their real name to be seen (like Wired writer Evan Ratliff) to get on a plane.
Here’s the security procedure that was followed. See if you can spot the slip-up:
- A passenger purchases a ticket online using a credit card
- A few hours before the flight, the passenger checks in online, and prints out a boarding pass
- The passenger has no checked baggage, so doesn’t need to see a representative at the airport
- At the security checkpoint, a TSA screener verifies the passenger’s photo ID, ensuring:
  - That the ID is valid,
  - That the person matches the photo on the ID, and
  - That the name on the ID matches the name on the boarding pass
- The passenger and their bag(s) are screened for dangerous articles
- The passenger makes their way to the gate
- At the gate, a computer checks a barcode on the boarding pass before allowing the passenger to board the plane
Let’s assume that the barcode and ID verifications are both foolproof; we’ll come back to the barcode later. Even so, nothing verifies that the person in the computer system is the same as the person boarding the plane. Here’s how an attack would work:
- Trudy purchases a ticket online using her friend Alice’s credit card (or a stolen credit card in another name)
- A few hours before boarding, Trudy checks in online, and prints out a boarding pass in the name of Alice
- Trudy copies the boarding pass, changing the printed name to her own
- Trudy has no checked baggage, so she doesn’t need to see a representative at the airport
- At the security checkpoint, Trudy supplies the doctored “Trudy” boarding pass, and her own photo ID
- A TSA screener verifies Trudy’s photo ID, ensuring:
  - That the ID is valid,
  - That Trudy matches the photo on her ID, and
  - That the name on Trudy’s ID matches the name on her boarding pass
- Trudy and her bag(s) are screened for dangerous articles
- Trudy makes her way to the gate
- At the gate, Trudy supplies the original “Alice” boarding pass
- The computer checks a barcode on the boarding pass before allowing Trudy to board the plane
In this way, Trudy is able to secure a seat on the plane, without her name showing up in the manifest, or being vetted against any no-fly lists. She only has to forge the easily-modified boarding pass.
So far, I’ve assumed that the barcode verification was watertight. For instance, imagine that the barcode encodes the passenger’s name, seat, and flight number, plus a hash of this, signed with the airline’s private key. This is very difficult to forge, but can easily be verified at the gate. Now consider the case in which the barcode does not include a cryptographically secure signature. In that case, it might be possible to board a flight to an arbitrary destination without making any booking at all.
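As an added example (not from the original post, and not any airline’s or the TSA’s actual barcode format), the code below implements the signed-barcode idea, plus a checkpoint check that compares the photo ID with the signed name rather than the printed one. HMAC-SHA256 with a constructed key stands in for the airline’s private-key signature, and the field layout and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the airline's private-key
# signature so that the example needs only the standard library.
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_barcode(name: str, seat: str, flight: str) -> str:
    """Encode name, seat and flight, then append a MAC over those bytes."""
    payload = json.dumps({"name": name, "seat": seat, "flight": flight},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(AIRLINE_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_barcode(barcode: str):
    """Return the signed fields, or None if the barcode is malformed or altered."""
    try:
        payload_b64, tag_b64 = barcode.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(AIRLINE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def checkpoint_ok(barcode: str, id_name: str) -> bool:
    """Match the photo ID against the signed name, never the printed one."""
    fields = verify_barcode(barcode)
    return fields is not None and fields["name"].casefold() == id_name.casefold()


if __name__ == "__main__":
    alice = issue_barcode("Alice", "14C", "XX123")  # constructed sample booking
    print(checkpoint_ok(alice, "Alice"), checkpoint_ok(alice, "Trudy"))
```

Because the checkpoint reads the name out of the verified barcode, editing the printed name on the paper changes nothing, and the same barcode is what the gate scans.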
Think that there’s an error in my reasoning? Got a good way that the TSA could easily patch this hole? Let me know in the comments.