Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists

In this paper, we discuss a number of existing problems with the airport transportation security system in the United States. We discuss two separate, yet equally important issues: the ease with which a passenger can fly without any identification documents at all, and the ease with which print-at-home boarding passes can be modified, tampered with, and faked. The significance of these vulnerabilities becomes clear when viewed in light of the US government's insistence on maintaining passenger watch lists, whose contents are secret and whose effectiveness depends upon the government being able to verify the identity of each flying passenger. We then introduce a method of determining if any particular name is on the no-fly list, without ever having to set foot in an airport. We introduce a physical denial of service attack against the Transportation Security Administration (TSA) checkpoints at airports, distributed via an Internet virus. Finally, we propose technical solutions to the user-modifiable boarding pass problem, which also neutralize the physical denial of service attack. The solutions have the added benefit of meshing with TSA's publicly stated wish to assume responsibility for verifying passengers' names against the watch lists, as well as enabling them to collect and store real-time data on passengers as they pass through checkpoints, something they are not able to do under the existing system.
