How to hack airport security with a fleece jacket

Apr 19, 2007 · 6 mins
Data and Information Security, Physical Security

According to its own website, the Transportation Security Administration “will continuously set the standard for excellence in transportation security through its people, processes, and technology.” On my recent trip to Denver I was frankly alarmed at the number of vulnerabilities in airport security that I witnessed.

The following narrative is an exploration of these vulnerabilities and some simple suggestions for how to improve the security posture at Denver International Airport. Please be advised that your attempt at exploiting these vulnerabilities may result in your meeting many interesting people who wear dark suits, sunglasses, and carry firearms.

I feel that the TSA is there for our protection, but that drastic changes must be made to transform the appearance of security into something that will actually prevent exposure to threats.

10:24 AM MST I arrived at Denver International Airport anticipating that my 1:30 flight to Atlanta would be delayed due to the weather. I checked my luggage at the Delta check-in counter with no issues. As usual I was directed to the security screening area with my boarding pass in hand.

10:40 AM MST While in line I began chatting with a young lady who happened to be part of the TSA security crew. She directed me to a “special” line. I don’t really know what was special about it other than all of the people in line appeared to be traveling for business.

11:01 AM MST This “special” security line moved faster than the other lines until a cadre of disabled persons were directed into it from a wheelchair-accessible entrance (no ropes to navigate). The security screener appeared to be distracted because he was responsible for screening the disabled persons as well as the special line. That being said, it was with minor scrutiny, if any, that he examined my boarding pass and photo ID. (… This is where it gets really good…)

11:08 AM MST I am finally at the x-ray conveyer belt when suddenly out of nowhere members of a flight crew hop in line between parents and their kids. Understandably the mother was upset.

The raised voices that followed again distracted the TSA crew. The 189-year-old gentleman before me was a mere 4 and a half feet tall and looked completely out of place in his security garb. I mean the guy has no gun, no club, and not even a flashlight. An able-bodied four-year-old could have bum-rushed this guy. In any case he’s busy watching the flight attendant and angry mother exchange words, so he isn’t watching what’s going on.

Meanwhile I have, as per memorized TSA script commands, placed my beloved MacBook Pro in its very own tray, followed by shoes and briefcase in another tray. Well, I made the mistake of placing my fleece windbreaker on top of my laptop. Let me stop here and say that you should NEVER place so much as an unused facial tissue on top of your laptop. This apparently prevents the super secret x-rays that the TSA uses from being able to accurately detect anything dangerous that may be concealed within. I know this because of the tantrum thrown by the x-ray screener who proceeded to stop the entire scanning process, made people back up through the line, and a myriad of other shenanigans before rescanning my obviously threatening laptop and fleece jacket. Well, I have certainly learned my lesson.

During this fiasco the gentleman behind me had also been busted for attempting to carry a cigarette lighter onto the plane. He was appropriately scolded and his lighter was confiscated. Kudos to the TSA for finding this weapon of minimal destruction. After confiscating the lighter, the TSA screener gave the man a good scolding and placed the lighter on the monitor for the x-ray machine. Since I mentioned that fleece is impenetrable by x-rays and that I personally caused a massive hiccup in the entire US air transportation system, you may not be surprised to hear that the lighter-less man calmly grabbed his lighter off of the monitor while I was being de-fleeced.

You read correctly, he was able to simply pick up his lighter and continue on his merry way to Akron, Phoenix, or some other home to miscreants and malcontents. I feel safer already knowing that the entire air transportation security program can be “hacked” with fleece and an argument.

(WHO CARES WHAT TIME ANYMORE SINCE FLEECE IS EVIL) PM MST The fiasco is over. Bob the smoker has his lighter back. I have stowed the fleece and my Mac is safely tucked away in my briefcase. I’m still not to my concourse yet and I find another gaping flaw in security.

Those of you who have been through Denver International Airport will know exactly what I am referring to when I talk about the cattle stalls. The area behind the x-ray machines at DIA is corralled off by partitions similar to what you would find in a Dilbert cartoon. If I really wanted to bypass the screeners, I wouldn’t use any high tech gadgetry like a false bottom in a Thermos or hollow heels in my shoes. I would simply hand the object over the partitions. Voila, security has been bypassed. Furthermore, the corral is below another level in the airport that happens to directly overlook the screening area. How about dropping something over the rail to an accomplice in the corral? Obviously the security guards won’t notice.

I finally made it home, fleece and all. This frankly surprises me given the holes in the security program at the airport. Though this is a hopefully humorous recollection, it is nonetheless true and highlights what I find to be common in many security programs whether in the public or private sector. Most organizations want the appearance of security rather than a security program that actually works. It’s like having a heavy-duty lock on a cardboard door. What’s the point?

In my mind, and you are certainly welcome to disagree, TSA needs a massive overhaul of its security posture. What is the true intent of the security program? If what the government wants is window dressing then they have it in place now. If instead the government wants to prevent repeats of the September 11th tragedy, then they should scrutinize each point of potential attack.

In the case of DIA, money is not the problem. TSA screeners should be trained to prevent them from failing at their duties when distracted. In network terms, they should fail closed. If there is a problem, perceived problem, or major distraction, halt the screening process. As for the corral, create a wide barrier between the public and those being scanned. Passing over objects would be much more difficult. On the upper level, add floor-to-ceiling glass to prevent people from dropping objects inside the screening area. These recommendations are minimally expensive and would significantly improve the security at DIA. I’m sure other airports have similar problems, but at what point does the façade need to fall? How many more innocents will be lost before we move to enacting real security at our airports?

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.