Boarding Pass Hacker Gets Visit From FBI
A computer security researcher who created a Web page designed to allow anyone to generate and print out a fake boarding pass for Northwest Airlines got a visit from the FBI yesterday, following public calls for his arrest by a prominent Democratic congressman.
Christopher Soghoian, a 24-year-old Ph.D. student at Indiana University's School of Informatics, published an interactive page on his Web site that produced a bogus boarding pass that could be used to gain access to an airport's boarding gate. The pass would not actually permit someone to board a plane. Soghoian said the fake pass would "allow you to sneak under the radar of the [Transportation Security Administration's] no-fly list, and while it is more complex, it will allow you to go through the TSA checkpoint without raising any red flags."
Soghoian said he was publishing the tool to call attention to anti-terrorist procedures at airports that he said were designed to make passengers feel safer but did little to stop determined bad guys from circumventing the checks. He explained how a fake boarding pass might help a known terrorist evade the TSA's no-fly list:
"1. Buy a ticket online, using a prepaid credit card purchased at 7/11 with cash, for a fake passenger name. Make sure you do not use "John Smith" or "Robert Johnson", as these are already on the no-fly list.
"2. Show up at the airport, and tell the airline check-in staff you have no ID. They will give you a special boarding pass, marked "NO ID" and "SSSS" which will let you go through security without authenticating your stated name.
"3. Board airplane."
He acknowledged that the method he presented wasn't exactly trailblazing: Others in the past have highlighted this same weakness, including Slate.com back in 2005, as well as Sen. Charles Schumer (D-N.Y.).
Heck, security expert Bruce Schneier warned about this vulnerability back in 2003, when he wrote:
"The vulnerability is obvious, but the general concepts are subtle. There are three things to authenticate: the identity of the traveler, the boarding pass, and the computer record. Think of them as three points on the triangle. Under the current system, the boarding pass is compared to the traveler's identity document, and then the boarding pass is compared with the computer record. But because the identity document is never compared with the computer record -- the third leg of the triangle -- it's possible to create two different boarding passes and have no one notice. That's why the attack works."
When I phoned Soghoian Friday evening, he abruptly ended our conversation shortly after it began by saying that two FBI agents were banging on his door asking to speak with him. A short time later, the tool he had posted on his site vanished.
I later caught up with Soghoian in an online chat channel, but he was reluctant to say much before consulting an attorney.
"I had a conversion with the FBI tonight," Soghoian told me. "We agreed that the issue of boarding passes is important, but that my particular approach could be improved upon."
Wendy Osborne, a special agent with the FBI's Indianapolis field office, declined to discuss the matter, but said Soghoian was not arrested. "We do take precautions when there are potential security problems in light of everything that's going on these days."
In the image linked to above, Soghoian suggests a couple of improvements to the current system. Here's hoping this issue finally receives the attention it deserves.
October 28, 2006; 12:40 PM ET
Save & Share: Previous: Scams Target Latest Upgrades in E-Banking Security
Next: Congressman Comes to Defense of Boarding Pass Hacker
Posted by: Anonymous Coward | October 28, 2006 2:38 PM | Report abuse
Posted by: Concerned Citizen | October 28, 2006 8:58 PM | Report abuse
Posted by: sean bonner | October 28, 2006 10:04 PM | Report abuse
Posted by: Bk | October 29, 2006 12:24 AM | Report abuse
Posted by: Anonymous | October 29, 2006 9:34 AM | Report abuse
Posted by: sean bonner | October 29, 2006 11:08 AM | Report abuse
Posted by: Tom Bridge | October 29, 2006 11:54 AM | Report abuse
Posted by: Bk | October 29, 2006 11:55 AM | Report abuse
Posted by: Bk | October 29, 2006 12:00 PM | Report abuse
Posted by: Tom Bridge | October 29, 2006 12:07 PM | Report abuse
Posted by: Tom Bridge | October 29, 2006 12:49 PM | Report abuse
Posted by: Bk | October 29, 2006 1:55 PM | Report abuse
Posted by: Tom Bridge | October 29, 2006 4:16 PM | Report abuse
Posted by: Troy | October 30, 2006 9:37 AM | Report abuse
Posted by: beentheredonethat | October 31, 2006 8:36 PM | Report abuse
Posted by: thw2001 | November 1, 2006 6:23 PM | Report abuse
Posted by: Clifford the BRD | November 3, 2006 8:50 AM | Report abuse
Posted by: ladewwcar | November 3, 2006 12:15 PM | Report abuse
Posted by: Gary McGraw | November 3, 2006 1:55 PM | Report abuse
Posted by: Bryan9000 | November 11, 2006 10:26 PM | Report abuse
Posted by: 7HKqNCttIY | November 13, 2006 10:02 PM | Report abuse
Posted by: hipituren | November 17, 2006 1:07 AM | Report abuse
Posted by: nidltered | November 17, 2006 2:36 PM | Report abuse
The comments to this entry are closed.