Student exposes boarding pass security flaw, has home raided by FBI

MrChad

http://www.washingtonpost.com/wp-dyn/co...rticle/2006/10/31/AR2006103101313.html

Student Unleashes Uproar With Bogus Airline Boarding Passes

By Brian Krebs
Washingtonpost.com Staff Writer
Wednesday, November 1, 2006; D01

Christopher Soghoian said he was simply trying to highlight a flaw in the nation's airline security procedures when he put a tool on his Web site letting anyone create fake boarding passes, but federal authorities didn't see it that way.

FBI agents visited the 24-year-old doctoral candidate's home in Bloomington, Ind., Friday and returned on Saturday to cart off his computers and other equipment. While Soghoian has not been charged with a crime, the incident has stirred a national tempest and renewed concerns about passenger screening procedures.

Soghoian, a Virginia native and student at Indiana University's School of Informatics, declined to comment yesterday on the advice of his attorney. But he has been writing about the incident on his Web site.

"I came back today, to find the glass on the front door smashed," Soghoian wrote on Saturday. "Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers -- and various other important things."

Wendy Osborne, a special agent with the FBI's Indianapolis field office, confirmed that a search warrant was executed at Soghoian's home but declined to discuss the case further because she said it had been sealed.

Osborne said that the FBI would investigate jointly with the Transportation Security Administration and then decide whether charges would be filed.

Reached at his home in Charlottesville, Stephen Soghoian, Christopher's father, defended his son's actions. "Chris was only pointing out that the government is not using its resources in a good way to provide real public safety at airports," the elder Soghoian said. "Instead, what they're doing is probably best described as security theatre."

The feature Christopher Soghoian created, which was removed from his Web site Friday night, allowed anyone to type in their name and flight information and print a boarding pass for Northwest Airlines. The bogus passes might help a terrorist get past the initial security checkpoints, Soghoian wrote, but probably would not let a terrorist board a plane. That's because at the departure gates, boarding passes are screened electronically and compared against the airline's passenger list.

Amy Kudwa, a spokeswoman for the TSA, declined to say whether the agency was considering changing check-in procedures because of the incident. She said that while the fake boarding pass generator "had the potential to promote illegal activity, it will not aid anyone in circumventing airport security."

She added: "The TSA assures that every person is thoroughly screened at the checkpoint for dangerous weapons or explosives. There are many layers of security at the nation's airports, including many methods that are not obvious to the casual observer."

Last week, Rep. Edward J. Markey (D-Mass.) publicly called for the arrest of Soghoian and the shuttering of his site. But on Sunday, Markey praised Soghoian's actions as a public service that called attention to a security weakness.

"He picked a lousy way of doing it, but he should not go to jail for his bad judgment," Markey said. "Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised."

Markey said yesterday that the TSA was contradicting itself by saying fake boarding passes were not a problem but the pass-generator was. "TSA has to make up its mind, but it can't have it both ways," he said. "Either the public is in jeopardy or it is not. If the public is not in jeopardy, then this young man should not be in jeopardy."

Markey indicated Congress might have to act if the TSA doesn't. "I think TSA should close the loophole," he said. "We shouldn't have to wait until a new Congress reconvenes to protect the public if a loophole jeopardizes public safety."

Critics of airline security restrictions say Soghoian's site automated a loophole that others have written and spoken about for more than three years. The loophole is that boarding passes are compared to a person's ID only at initial security checkpoints, not at the gates where passengers board planes. Also, the passes are scanned and verified only at departure gates, not security checkpoints.

Bruce Schneier, a security expert and chief technical officer for Mountain View, Calif.-based Counterpane Internet Security, wrote about the loophole in 2003. To close it, he said, airports should scan boarding passes and compare passes with photo IDs at both checkpoints.

Schneier said yesterday that it would be easy for someone to use a fake boarding pass to bypass the TSA's "no-fly list," which contains the names of thousands of people whom the U.S. government has flagged as potential security or terror risks. A terrorist on the list could make a reservation in someone else's name and print a legitimate pass, along with a fake one in his real name. He'd present the fake pass and real ID at the security gate, then use the legitimate pass to board.

"I think we really need to ask why the government is shooting the messenger here when it should be spending its time fixing this obvious loophole," Schneier said.

A fake ID would accomplish the same thing, but this is just another example of how most of the airport security measures are just smokescreens, IMO.
 

Ramma2

This is like robbing a bank to prove that the bank has security flaws. Was he really stupid enough to think that nothing would happen to him?

We live in different times, people need to think about the consequences their actions could have.
 

sswingle

Originally posted by: Ramma2
This is like robbing a bank to prove that the bank has security flaws. Was he really stupid enough to think that nothing would happen to him?

We live in different times, people need to think about the consequences their actions could have.

True
 

Aharami

I dunno. Putting it up on his website to let others create fake boarding passes?... Seems like it's in criminal territory to me.
 

rivan

If he was trying to highlight the issue in order to get it fixed, he'd have sent a couple of discreet emails, not posted a tool on the intarweb.

He asked for what he got.
 

MrChad

It did garner a lot of attention that he might not have received had he just written a few letters or emails.
 

Zolty

He could have just as easily sent all the information to the FBI instead of publicizing it. FPMITA prison for him!!
 

Firsttime

I fail to see the problem with what the FBI did there. When one writes about how to break the law I think the FBI has a legit concern there.
 

drnickriviera

Originally posted by: MrChad
It did garner a lot of attention that he might not have received had he just written a few letters or emails.


I guarantee he wouldn't have received any attention had he written a letter. It would have been filed in the circular filing cabinet.
 

SarcasticDwarf

Originally posted by: Ramma2
This is like robbing a bank to prove that the bank has security flaws. Was he really stupid enough to think that nothing would happen to him?

We live in different times, people need to think about the consequences their actions could have.

It is nothing like robbing a bank. You are a moron.
 

SarcasticDwarf

Originally posted by: rivan
If he was trying to highlight the issue in order to get it fixed, he'd have sent a couple of discreet emails, not posted a tool on the intarweb.

He asked for what he got.

People HAVE contacted the TSA hundreds of times about the issue and they have done nothing.
 

MrChad

Originally posted by: SarcasticDwarf
Originally posted by: rivan
If he was trying to highlight the issue in order to get it fixed, he'd have sent a couple of discreet emails, not posted a tool on the intarweb.

He asked for what he got.

People HAVE contacted the TSA hundreds of times about the issue and they have done nothing.

Link?
 

SarcasticDwarf

Originally posted by: MrChad
Originally posted by: SarcasticDwarf
Originally posted by: rivan
If he was trying to highlight the issue in order to get it fixed, he'd have sent a couple of discreet emails, not posted a tool on the intarweb.

He asked for what he got.

People HAVE contacted the TSA hundreds of times about the issue and they have done nothing.

Link?

Take a look at the link in the first post.
 

Ramma2

Originally posted by: SarcasticDwarf
Originally posted by: Ramma2
This is like robbing a bank to prove that the bank has security flaws. Was he really stupid enough to think that nothing would happen to him?

We live in different times, people need to think about the consequences their actions could have.

It is nothing like robbing a bank. You are a moron.

You are the moron if you can't understand the point behind the metaphor. Doing something that shouldn't be done to prove that it can be done isn't very smart. Is that better for you?
 

SarcasticDwarf

Originally posted by: Ramma2
Originally posted by: SarcasticDwarf
Originally posted by: Ramma2
This is like robbing a bank to prove that the bank has security flaws. Was he really stupid enough to think that nothing would happen to him?

We live in different times, people need to think about the consequences their actions could have.

It is nothing like robbing a bank. You are a moron.

You are the moron if you can't understand the point behind the metaphor. Doing something that shouldn't be done to prove that it can be done isn't very smart. Is that better for you?

I understand the idea behind the metaphor, and I think the one you have designed is pointless. Your metaphor indicates a level of severity of the crime, in this case very high. In reality, the "crime" committed was a very minor one. Compared to yelling "fire" in a theater, this is more like yelling "the seats are not flame retardant."
 

tfinch2

Seems like he just wanted the publicity by posting it on the web rather than just notifying the proper authorities discreetly. I hope he goes to prison.
 

BoberFett

Good idea, shoot the messenger. Do you really think terrorists couldn't have figured this out on their own? He was simply bringing the complete debacle of airport security to the public's attention. He should be rewarded, not arrested.
 

Jeeebus

The point is, he made a user friendly tool where any fawking idiot could type their name and flight in, and voila print out a ready to go boarding pass... and then advertised it on the Internet for everyone to use... was that necessary to "expose" the security flaw? Ya, a letter probably would have taken a while to achieve its intended goal, but what about just contacting any of the local news outlets and explaining what you've found? I guarantee they'd all be salivating to get the story. Bingo, you expose the flaw without putting it in the hands of every asshat in the world.

This guy was a tard. He belongs in the new super prison I am constructing for fawking idiots that should no longer be populating our planet. /END
 

allisolm

"He picked a lousy way of doing it, but he should not go to jail for his bad judgment."

That about sums it up for me. Just shows that being a doctoral candidate doesn't necessarily mean you've got any common sense.
 

SarcasticDwarf

Originally posted by: Jeeebus
The point is, he made a user friendly tool where any fawking idiot could type their name and flight in, and voila print out a ready to go boarding pass... and then advertised it on the Internet for everyone to use... was that necessary to "expose" the security flaw? Ya, a letter probably would have taken a while to achieve its intended goal, but what about just contacting any of the local news outlets and explaining what you've found? I guarantee they'd all be salivating to get the story. Bingo, you expose the flaw without putting it in the hands of every asshat in the world.

This guy was a tard. He belongs in the new super prison I am constructing for fawking idiots that should no longer be populating our planet. /END

Again though, this has been a known flaw for over three years now. Clearly a letter would have done NOTHING.
 

Jeeebus

Originally posted by: SarcasticDwarf
Originally posted by: Jeeebus
The point is, he made a user friendly tool where any fawking idiot could type their name and flight in, and voila print out a ready to go boarding pass... and then advertised it on the Internet for everyone to use... was that necessary to "expose" the security flaw? Ya, a letter probably would have taken a while to achieve its intended goal, but what about just contacting any of the local news outlets and explaining what you've found? I guarantee they'd all be salivating to get the story. Bingo, you expose the flaw without putting it in the hands of every asshat in the world.

This guy was a tard. He belongs in the new super prison I am constructing for fawking idiots that should no longer be populating our planet. /END

Again though, this has been a known flaw for over three years now. Clearly a letter would have done NOTHING.


Did you even read what I typed?