The Fake Boarding Pass Saga

boardingpass_veganstraight.jpgLast week Christopher Soghoian, a 24 year-old Ph.D. student in information security at Indiana University, whipped together a website that allowed anyone to create a fake Northwest Airlines boarding pass. He hoped to bring attention to a security hole that allows anyone, including someone on the No-Fly list, to enter the security line with a fake document. Instead he got another kind of attention.
For those unfamiliar with the story, it’s one I’ve been following in my blog and in a proper news story for Wired News since Soghoian told me about his site Wednesday night.
Soghoian, a security researcher who has done work at Google, Apple and IBM, told me the site’s purpose was to demonstrate the futility of the No-Fly list:

I want Congress to see how stupid the TSA’s watch lists are. Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I’m hoping [Congress] will see how silly the security rules are. I don’t want bad guys to board airplanes but I don’t think the system we have right now works and I think it is giving us a false sense of security.

Even without his generator, the No-Fly list can be avoided:

If you can purchase a ticket over the internet with a pre-paid debit card and can fly without I.D., then for domestic flights the No-Fly list doesn’t work.

On Friday, Congressman Ed Markey (D-Mass) called for the site to be shut down and arrested, and later that day, the FBI shuttered the site and met with Soghoian. Whatever he said must not have been convincing, since the FBI raided his house with a search warrant signed by a judge at 2 a.m. Saturday morning and seized his computers, though they didn’t arrest him. Markey then retracted his call for Soghoian’s arrest on Sunday and in fact, suggested the government hire him instead (though Markey called the site a ‘lousy way’ of publicizing the problem).
Since Sunday, the story has slowed considerably. Soghoian has lawyers now and isn’t talking to reporters, though is occasionally updating his blog.
Soghoian’s site exploited a well-known security hole, one first publicized by security expert Bruce Schneier in 2003, given the full-on Slate treatment in 2005, and, according to security blogger Adam Shostack, was explained to high-level Homeland Security officials in 2004.
That doesn’t mean all security researchers applaud Soghoian’s method. Indeed, Avi Rubin, who’s best known for his voting security work, told Xeni Jardin that his former teaching assistant should have shown this to the government privately.
So what’s the upshot? Will the government ban boarding passes ticketed at home? Will they prosecute Soghoian for building this site? Won’t other hackers put their own version online? Will this prompt reconsideration of the use of notoriously ineffective watch lists for domestic travel?
The short anwsers, in my opinion, are No, No, Maybe but not as many as you’d expect, Definitely Not.
The long answers are here at 27BStroke6, which despite Noah’s dig, is a great name for a blog. (Think Brazil).
- Ryan Singel
Photo: VeganStraightEdge

  • Allen Thomson

    Extensive evidence shows that there is no way to effectively point out vulnerabilities to corporate entities. If you try the internal route, it will fail and you’ll get branded a loose cannon. If you try the external route, it will fail and you’ll be put on the enemies list. So do it for whatever reasons you want to, but don’t expect to change the objective situation, ever.

  • ted

    Will they also go after Senator Schumer for somthing similar?

  • john s

    he should have added void across the boarding pass

  • Joel Mackey

    Lets see, a Democrat has government agents harass a private citizen because he is exercising his 1st Amendment rights…and the Republicans are a threat to civil liberties?

  • reefdiver

    The TSA still screens the individuals and their bags, and the air-line checks the ticket on entrance to the plane. The airline assures all passengers who checked bags also board the aircraft. Why worry?
    Right now this fake ticket would be a great way to be to get into to the terminal to be with your departing family or friends while they’re waiting to depart. Or you could use this to once again meet them at the gate on arrival. Great idea.