Network News

X My Profile
View More Activity

Boarding Pass Hacker Gets Visit From FBI

A computer security researcher who created a Web page designed to allow anyone to generate and print out a fake boarding pass for Northwest Airlines got a visit from the FBI yesterday, following public calls for his arrest by a prominent Democratic congressman.

Christopher Soghoian, a 24-year-old Ph.D. student at Indiana University's School of Informatics, published an interactive page on his Web site that produced a bogus boarding pass that could be used to gain access to an airport's boarding gate. The pass would not actually permit someone to board a plane. Soghoian said the fake pass would "allow you to sneak under the radar of the [Transportation Security Administration's] no-fly list, and while it is more complex, it will allow you to go through the TSA checkpoint without raising any red flags."

A screenshot taken from Soghoian's Web site before his boarding pass feature was taken down late Friday.

Soghoian said he was publishing the tool to call attention to anti-terrorist procedures at airports that he said were designed to make passengers feel safer but did little to stop determined bad guys from circumventing the checks. He explained how a fake boarding pass might help a known terrorist evade the TSA's no-fly list:

"1. Buy a ticket online, using a prepaid credit card purchased at 7/11 with cash, for a fake passenger name. Make sure you do not use "John Smith" or "Robert Johnson", as these are already on the no-fly list.

"2. Show up at the airport, and tell the airline check-in staff you have no ID. They will give you a special boarding pass, marked "NO ID" and "SSSS" which will let you go through security without authenticating your stated name.

"3. Board airplane."

He acknowledged that the method he presented wasn't exactly trailblazing: Others in the past have highlighted this same weakness, including back in 2005, as well as Sen. Charles Schumer (D-N.Y.).

Heck, security expert Bruce Schneier warned about this vulnerability back in 2003, when he wrote:

"The vulnerability is obvious, but the general concepts are subtle. There are three things to authenticate: the identity of the traveler, the boarding pass, and the computer record. Think of them as three points on the triangle. Under the current system, the boarding pass is compared to the traveler's identity document, and then the boarding pass is compared with the computer record. But because the identity document is never compared with the computer record -- the third leg of the triangle -- it's possible to create two different boarding passes and have no one notice. That's why the attack works."

When I phoned Soghoian Friday evening, he abruptly ended our conversation shortly after it began by saying that two FBI agents were banging on his door asking to speak with him. A short time later, the tool he had posted on his site vanished.

I later caught up with Soghoian in an online chat channel, but he was reluctant to say much before consulting an attorney.

"I had a conversion with the FBI tonight," Soghoian told me. "We agreed that the issue of boarding passes is important, but that my particular approach could be improved upon."

Wendy Osborne, a special agent with the FBI's Indianapolis field office, declined to discuss the matter, but said Soghoian was not arrested. "We do take precautions when there are potential security problems in light of everything that's going on these days."

In the image linked to above, Soghoian suggests a couple of improvements to the current system. Here's hoping this issue finally receives the attention it deserves.

By Brian Krebs  |  October 28, 2006; 12:40 PM ET
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Scams Target Latest Upgrades in E-Banking Security
Next: Congressman Comes to Defense of Boarding Pass Hacker


They're prepping a a new cell in Gitmo tonight for one "Christopher Soghoian". His thoughtcrime was pointing out that the Emperor has no clothes.

Posted by: Anonymous Coward | October 28, 2006 2:38 PM | Report abuse

This poor kid has since had his home broken into (with a warrant, yippee) and his computers seized. I have emailed Rep. Markey and my own Representative to encourage them to leave this young man alone (maybe apologize???) and focus on matters of actual importance. I hope others will do the same.

Posted by: Concerned Citizen | October 28, 2006 8:58 PM | Report abuse

This is a great article, too bad it was written by Xeni Jardin over on BoingBoing first. Way to plagerize there bub.

Posted by: sean bonner | October 28, 2006 10:04 PM | Report abuse


I'll admit I parachuted in on this story when a mutual friend of Mr. Soghoian's pinged me at 6:50 p.m. last night to tell me what was going down, but "plagiarize?" I don't think so.

I spent several hours tracking down FBI field agents, Mr. Soghoian himself, and gathering data from his blog and from other news outlets, no fewer than three of which I cite in the blog. That said, anything taken from those articles was put in double quotes and called out. The main reason I posted my story when I did was that no one who'd covered it had managed to speak with him around the time of the FBI visit and confirm that.

I saw the BoingBoing piece like everyone else, but I never read past the first paragraph. Frankly, I was more interested in the graphic they ran on the top of that post, as even though I'd mirrored Soghoian's site before he took the form down, the PHP back-end code was not mirrored and I was unable to reproduce the boarding pass I'd generated from Chris's site just prior to my calling him for the first time.
I had no idea that BB broke the story: had I been aware of it at the time, I'd have sourced them as the origin.

I am very careful to cite other blogs and writers when I am using or referring to their work. You, too, should be more careful before accusing reporters of such serious charges. Is there a particular paragraph or phrase or quote you'd like to call attention to?

Thanks for reading.

Posted by: Bk | October 29, 2006 12:24 AM | Report abuse

The link to the "prominent Democratic congressman" ought to be to Edward Markey or the Massachusett's 7th, which he represents,
not to Oakland County, Michigan, which has no connection.

Posted by: Anonymous | October 29, 2006 9:34 AM | Report abuse

Do you really expect anyone to believe that? You were actively following this story and when you saw the BB piece you "never read past the first paragraph."? Why wouldn't you read past the first paragraph, especially when you say you were looking for info? And if you didn't read past the first paragraph how do you explain this one close to the end of yours:

"Wendy Osborne, a special agent with the FBI's Indianapolis field office, declined to discuss the matter, but said Soghoian was not arrested."

Because frankly that sounds way too paraphrased from this one that Xeni wrote a day earlier:

"FBI special agent Wendy Osborne declined to confirm whether Soghoian had been visited or if an investigation was taking place, citing FBI policy, but said "We will confirm that he has not been arrested.""

And that's an example that isn't in the first paragraph.

Posted by: sean bonner | October 29, 2006 11:08 AM | Report abuse

Something doesn't jibe here, Brian. You called Soghoian some time after 6:50p on Friday: "When I phoned Soghoian Friday evening, he abruptly ended our conversation shortly after it began by saying that two FBI agents were banging on his door asking to speak with him." but the FBI appears to have only visited him twice: once at 3:54 (according to Chris' own blog), and once in the middle of the night when he wasn't there. There's a really, really big gap here, Brian.

Posted by: Tom Bridge | October 29, 2006 11:54 AM | Report abuse

Sean, it's not at all uncommon to have virtually the same quote from the same person in two or more stories, especially when dealing with federal government officials, who tend to stay on-message. I was directed to Ms. Osborne after receiving a return call I'd put in to the FBI's HQ in D.C., and you can check that if you like.

Anyway, I'm still not sure what your point is, other than perhaps that I didn't credit BB for breaking the story (which as I said before I didn't know at the time). Thanks for stopping by, and have a nice day.

Posted by: Bk | October 29, 2006 11:55 AM | Report abuse

Tom -- Why don't you call Chris himself and ask him when I called him, and about this "gap" you speak of. His number and email address are listed on his blog.

Posted by: Bk | October 29, 2006 12:00 PM | Report abuse

Testy, aren't we, Brian!

There's a three hour hole in your story, and the only thing you can say is "call him yourself."

I'm not the one getting paid for this kinda stuff, Brian :)

Posted by: Tom Bridge | October 29, 2006 12:07 PM | Report abuse

And, as of this afternoon, Chris has said "The legal advice I've gotten thus far has been to not talk to the press for now." I'll respect that, because the last thing he needs is one more person calling him or clogging up his email.

So, that said, you've probably got notes from when you called Chris, when did you call him, exactly?

Posted by: Tom Bridge | October 29, 2006 12:49 PM | Report abuse

I'm still not exactly clear what you are getting at with this, Tom, but at any rate I called and reached Chris from my cell phone at 6:51 p.m. ET Friday. Our subsequent conversation after midnight took place via instant message.

Posted by: Bk | October 29, 2006 1:55 PM | Report abuse

Brian, Thanks for getting in touch with me about my comments and criticism. I do believe that you talked with Chris Friday, and that you saw the site you did at 5:55. There's still a general concern over the number of visits that Chris has had from the FBI (two or three?) but there's plenty of wiggle room available for the time being. I'd be interested to hear more from Chris if you hear from him in the future.


Posted by: Tom Bridge | October 29, 2006 4:16 PM | Report abuse

In defense of BK (and it kills me to defend him as critical as I have been of his reporting) BoingBoing reports that "An iChat transcript provided to BoingBoing shows Soghoian claimed the FBI was at his door between 345 and 350pm PST. He stopped responding to incoming IM messages at that time, and has not responded to other incoming messages since." The transcript is timed stamped PST and Brian would have been calling from EST meaning he is only off by a couple of minutes. It is certainly easy to believe a 4-9 minute difference.

I have always doubted Brian's technical knowledge but I would never doubt his honesty.

Posted by: Troy | October 30, 2006 9:37 AM | Report abuse

Why all the furor over this Krebs re-wrte?

"Parachuted In" is just Big Media slang for what used to be called "matching" a story. As a news assistant for major wire service (let's call it "Reuters") it was actually a thrill to see a story I had researched and broken re-sourced and slightly altered in the New York Times or the Washington Post.

It's fun to get all riled up about it in a "new media" kind of way, but it's as old as the hills and just as accepted. As long as the Big Media reporter contacts the original or new sources, it's fair game. That's the way it is, play it as it lays.

Posted by: beentheredonethat | October 31, 2006 8:36 PM | Report abuse

I worked as a trainer in airline cargo operations for a few years beginning in 2003. I saw security lapses big enough to drive an uninspected tractor trailer through. I tried many times to let DHS, TSA, Congress, etc. know about all I learned. They were not interested in the least. All those loopholes still exist to this day.

Posted by: thw2001 | November 1, 2006 6:23 PM | Report abuse

I don't understand that part about getting a boarding pass with no i.d. I showed up for a flight once with an expired driver's license and was refused - I had to go home and get my passport.

Posted by: Clifford the BRD | November 3, 2006 8:50 AM | Report abuse

Collection of quantitative survey data on churches and church membership, religious professionals, and religious groups..
sorri... off topic.

Posted by: ladewwcar | November 3, 2006 12:15 PM | Report abuse

This story is not without controversy among computer security experts (among whom I count myself). I wrote an article about this in my monthly technical column that you may find interesting.

Here's a pointer



Posted by: Gary McGraw | November 3, 2006 1:55 PM | Report abuse

Nick Lowe bares all at the Hawke's Bay Outdoor Leisure Club, Glengarry Road, near Napier. PICTURE: DUNCAN BROWN Grin and bare it say Hawke's Bay naturists - and they certainly do.
While most people cringe at the thought of getting their kit off in public, these naturists are more than comfortable in just their skin.
Hawke's Bay Outdoor Leisure Club president Nick Lowe believes nudity is a lifestyle choice - and a good one at that. He's inviting locals to come up and visit the club at today's open day - part of national "Gonatural Week".
Mr Lowe hates wearing clothes and enjoys the freedom of being nude.
"They are restrictive and when you go swimming, who wants clammy togs clinging to you?"
The cheeky club boasts about 80 members from all walks of life, including lawyers, accountants, housewives, firefighters, plumbers and many retirees.
A peaceful recluse, the club has a swimming pool - no togs allowed - a volleyball court and a playground for kids.
Most members converge on the grounds for day trips or stay in their privately owned holiday homes.
Here they soak up the sun and meet like-minded people.
But it is slip, slop, slap inside the club gates.
Mr Lowe reckons nudists are more aware of the dangers of melanoma than most.
"Naturists are generally sun-conscious, there are certain things you don't want burnt."
He encourages people to engage in "social nudity" and join the club - even his mother became a member two years ago.
But perverts be warned - there is a strong veto structure in place, including a national database, to weed out any unfavourable applicants.
"Freaks don't slip through the system," Mr Lowe says.
PJ, 77, a club member for 41 years, enjoys the safety and security of the club.
He says people shouldn't knock it until they give it a go.
"You really don't know what you are missing until you try it."
The public can visit the club from 10am to 4pm for a fun sports and recreation day. It will be clothes on for the first three hours, then anything goes.
[url=]Photos [/url]

Posted by: Bryan9000 | November 11, 2006 10:26 PM | Report abuse

What about him?
audi washington dc
audi a8

Posted by: 7HKqNCttIY | November 13, 2006 10:02 PM | Report abuse

Hello friends and teachers, I'd like to pose you a question about pronunciation. I'm trying to increase my skills with a tongue twister, but my doubt is not about the main words of the sentence, which I think I have already cleared up. The problem arises when it comes to decide wether I have to prononunce the d in the word and or not. It might sound a minor problem, but it definitely affects my fluency Here you are the case:

I slit the sheet, the sheet I slit, and on the slitted sheet I sit.

Posted by: hipituren | November 17, 2006 1:07 AM | Report abuse

You can hardly find anything better; you can’t even imagine how hot are those xxx-movies that are waiting to be downloaded from icoonet You should visit it right now and watch them all.

Posted by: nidltered | November 17, 2006 2:36 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company