Security researcher Christopher Soghoian created the Northwest Airline Boarding Pass Generator in the hope of spurring Congress to look closely at the nation's aviation security policies, which he calls "security theater."
The site lets anyone create a facsimile of a Northwest Airlines boarding pass, with whatever name they choose.
On Friday, Congress heard Soghoian's message loud and clear. But instead of promising to reform broken airport security procedures, Rep. Edward Markey (D- Massachusetts), a member of the House Homeland Security committee known for his defenses of privacy, wants the site shut down and Soghoian arrested.
"The Bush administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement Friday.
"There are enough loopholes at the back door of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."
In reality, the "loophole" is nothing new. Security expert Bruce Schneier wrote about it in 2003, and the online magazine Slate covered it as major news in 2005. Soghoian points out that Sen. Chuck Schumer (D-New York) publicized the same security hole in April 2006. "Perhaps Sen. Schumer will end up being my cellmate," Soghoian said.
Soghoian, a Ph.D. student at Indiana University, says he has never used one of the fake boarding passes, which are likely good enough to get someone through airport security into the "sanitized" area of the airport, but not good enough to get anyone on a plane. He was waiting for clearance from lawyers at Indiana University before attempting to test if the method worked to get through security.
Soghoian told Wired News Thursday he built the site to expose security holes, not to help terrorists.
"I want Congress to see how stupid the (Transportation Security Administration)'s watch lists are," he said. "Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I'm hoping (Congress) will see how silly the security rules are. I don't want bad guys to board airplanes but I don't think the system we have right now works and I think it is giving us a false sense of security."
A fake boarding pass would be nearly impossible for airport screeners to detect, because they have no access to airline databases at the screening checkpoint and simply compare the name on the boarding pass to an identification card.
For its part, Northwest Airlines says it is "cooperating with law enforcement and government," and that the company verifies boarding passes using bar scanners as passengers board planes. The company says it alerts the Transportation Security Administration and the police when it catches anyone using a fraudulent boarding pass.
Now Soghoian says he's scared, and that Indiana University's lawyers told him that "the flip side of academic freedom is that the university won't defend me if there are problems."
Even if Soghoian's site is shut down, any boarding pass purchased over the web can still be easily edited in any browser. That means fliers can buy a legitimate ticket through an airline's website under a false name -- evading the TSA's no-fly list -- then use a fake boarding pass under their real name to get past airport metal detectors, the only spot where IDs are checked. Fliers prone to selection for additional screening could also create boarding passes without the "SSSS" mark that tells TSA to search them more thoroughly.
"The website in question has the potential to promote illegal activity," said TSA spokesman Christopher White. "Submitting fraudulent documents to airline security is illegal. But the site will not aid anyone in circumventing security, since a boarding pass offers entry into a TSA security checkpoint and TSA ensures that every person and their property is fully screened."
The Transportation Security Agency did not return calls for comment by press time.
![[serious]](/data/avatars/m/160/160873.jpg?1431539545){kind=avatar}
