Tuesday, November 18, 2008

DHS to Close Boarding-Pass Loophole

Via Wired.com -

There’s a hole in airline security big enough to get Osama bin Laden himself onto a domestic flight, Homeland Security chief Michael Chertoff acknowledges, but that’s no reason to ditch watch lists or ID checks at the airport, he says.

Chertoff told Threat Level in an interview last week that the government was aware of, and patching, the so-called boarding-pass loophole, which just came back into the public eye after a recent Atlantic magazine story where a reporter got though security using a fake boarding pass.

That loophole lets a known terrorist who is on a government watch list board a plane without needing a fake ID. All that’s needed is a home computer, a printer and a little skill at HTML.

“On the issue of switching boarding passes, that is a loophole we are aware of,” Chertoff said.

Security guru and Wired.com columnist Bruce Schneier argues this and other loopholes show that the current airline security methods are just theater, that hardened cockpit doors were the best response to 9/11 and that we’d be just as safe without hassles over shoes and liquids and watch lists.

But the government and airlines are working on a transformation in virtual boarding passes, according to Chertoff — one that would still allow hurried travelers to check in from home, but prevent them from modifying the name on the new virtual boarding passes.

“We are testing using electronic boarding passes with something on your phone to make it well-nigh impossible to make a phony one,” Chertoff said. “That would plug that loophole.”

And even though that’s only a pilot project, that doesn’t mean that the terrorist watch list and the mandatory identification requirement should be tossed aside, Chertoff said.

“For me, it’s a no-brainer to ask for ID to get on a plane,” Chertoff said.

DHS's Transportation Security Administration is currently testing an encrypted 2-D bar code that includes all the information from a boarding pass and is digitally signed to ensure the data hasn’t been altered.

In the pilot, passengers show the bar code to TSA identity checkers, who use a scanner to read the image off the passenger’s smartphone, and then check the person’s identification against the decrypted information.

[...]

The system also works using public-key cryptography, which lets the TSA use scanners that don’t need to connect to airline databases, and they don’t store records of who is traveling.

That gets the program a thumbs-up from security researcher Christopher Soghoian, who earned fame and an FBI raid of his home for creating a fake boarding-pass generator online.

“The security is pretty good,” Soghoian said. “It’ll be difficult to make fake passes.”

The 2-D program is more than just a pilot. All the major airlines are required to adopt the bar codes for printed boarding passes by 2010, as well.

Once that’s in place, and every TSA ID checker verifies the boarding pass’s information, the hole will be officially closed, almost five years after a Slate magazine writer first announced it to the larger world (Schneier, of course, noticed it first in 2003).

Soghoian hedges his praise for the belated fix.

“This, of course, doesn't actually guarantee that terrorists will be kept off planes,” Soghoian said. “It does, however, mean that the government will have a fairly good idea of who [is] getting into the secure areas of the airport.”

Chertoff says the new system is better than nothing. Just because someone can come up with a real scenario that would let an adversary avoid a layer of security doesn’t mean that layer should be peeled off and discarded, Chertoff argues. That thinking ignores the number of times the imperfect procedure has helped.

“That argument means you don't believe in seat belts and airbags,” Chertoff said. “If you hit an 18-wheeler head-on, you will be as flat as a pancake. But there will be some accidents where they will help you.”

---------------------------------

No single security layer can stop all attacks, that is why it is so important to use multiple security layers together to manage the residual risk exposed by each separate layer - sound familiar?

No comments:

Post a Comment