Hacking Airport Security by “Talking”

I fly around quite a bit so I have had my fair share of experience with airport security.  I am of the opinion, along with our security folks such as Bruce Schneier that a lot of the airport security changes since 9/11 are mostly security theater.  I haven’t posted about any of my experiences up to this point but I observed something yesterday that was amusing.

I was walking up to the table where they have you put any liquids you are carrying on into a clear plastic zip lock bag.  The gentleman in front of me apparently had a “fruit cup” that he wanted to take on board and his conversation with the TSA guards went like this:

Gentleman: I have a fruit cup in my bag.  Can I take that on board?

Guard: No I’m sorry you can’t.  You could, however, eat it here before you go through the screening process.

Gentleman: But I’m a diabetic.

Guard: Oh you weren’t giving me all the information.  Yes you can take the fruit cup on the plane.

And that was that.  The gentleman (behind me in line by this point) shuffled through the rest of the security line, walked up to the detectors, put his stuff through the x-ray machine without a word to the machine operators about his fruit cup, and then I assume he went on to get on his flight (and enjoy his fruit cup at his leisure).

This got me thinking: The rules limiting liquids in carry-on luggage seem pretty arbitrary and I’m not convinced they’re actually solving a real problem.  However if you are going to have these rules why is it possible to bypass them by verbally asserting that you are a diabetic?  Obviously diabetics have medical needs and it would be stupid to have travel security policies that made it impossible for diabetics to travel with necessary medical supplies – that isn’t my point.  Rather why have security rules that can be bypassed with a simple verbal assertion?  Perhaps next time the TSA folks get on my case about my tube of toothpaste being too big to carry on I will tell them I have gingivitis…

That reminded me of a situation a while back when a TSA agent was manually inspecting all carry-on bags as I was actually boarding a plane.  There were two women working their way down the line.  When the time came to have my bag inspected I said “the other woman already checked my bag” and the woman I was talking to responded by saying “OK” and moving on down the line.  Perhaps I just look trustworthy.

“Month of…” promotions seem to be gaining a lot of popularity these days (Month of Apple Bugs, Month of Kernel Bugs).  Perhaps we need a “Month of Airport Security Bugs?”

dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Categories: Information Security

2 Responses to “Hacking Airport Security by “Talking””

  1. Lans Hobart

    Social Engineering – because there is no patch for stupid.


  2. ian

    This reminds me of the time when, at Houston Hobby airport I walked through the metal detector and set it off. I knew I would set it off because of my shoes. Just to see what would happen, I pointed to the guy behind me in line and said “It was him”.

    Shockingly they took my word for it and let me just keep on walking while they searched the guy behind me.

    This made absolutely no sense.

Leave a Reply

Your email address will not be published. Required fields are marked *