It’s hip2b2

A poor Indiana University graduate student got raided, put into custody and sued by the US Federal Government. This is in line with his recent posting of a boarding pass generator for NWA (Site was taken down already). Details of the NWA vulnerability can also be found posted by a US Senator here. So should the both of them go to jail?

The process is documentated below (found in the good senator’s website):

1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.
2. Joe Terror then prints his “Joe Thompson” boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.
3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.
4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.
5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn’t actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.

It does not take a graduate student to do all of this. Simple HTML and/or photoshop magic should do the trick. As long as the system allows end users print their own boarding passes in their own computers, this can be done. Heck, it is much much much harder to fake passports.

This is definitely a process flaw. Notice that the system breaks down because there are two (2) different checks that are not linked to each other. The airport security personnel’s check on a valid ID is not the same as the TSA agent’s check on the boarding pass. This failure to link the tests makes the entire process fail. As the article also mentions, this could have been fixed if only the TSA agent also checked the ID. Definitely, a different name in the boarding pass and the ID would definitely be suspicious. But wait … in the Philippines, we have been doing that all along. Heck, we don’t even have pictures on the boarding passes. The IDs are simply checked. Plain. Simple and Effective.

This entry was posted on Sunday, October 29th, 2006 at 9:52 am and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.