Christopher Soghoian, a PhD student in the School of Informatics at Indiana University Bloomington, created a fake boarding pass generator to expose flaws in airport security. A reader sent this link to the generator, but it looks like it has been taken down.
Looks like he could be in big trouble for blowing the whistle. Wired News reports:
Security researcher Christopher Soghoian created the Northwest Airline Boarding Pass Generator in the hope of spurring Congress to look closely at the nation’s aviation security policies, which he calls “security theater.”
The site lets anyone create a facsimile of a Northwest Airlines boarding pass, with whatever name they choose.
On Friday, Congress heard Soghoian’s message loud and clear. But instead of promising to reform broken airport security procedures, Rep. Edward Markey (D- Massachusetts), a member of the House Homeland Security committee known for his defenses of privacy, wants the site shut down and Soghoian arrested.
What he should get is a commendation and an appointment to a high-ranking position at TSA. More:
Soghoian, a Ph.D. student at Indiana University, says he has never used one of the fake boarding passes, which are likely good enough to get someone through airport security into the “sanitized” area of the airport, but not good enough to get anyone on a plane. He was waiting for clearance from lawyers at Indiana University before attempting to test if the method worked to get through security.
Soghoian told Wired News Thursday he built the site to expose security holes, not to help terrorists.
“I want Congress to see how stupid the (Transportation Security Administration)’s watch lists are,” he said. “Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I’m hoping (Congress) will see how silly the security rules are. I don’t want bad guys to board airplanes but I don’t think the system we have right now works and I think it is giving us a false sense of security.”
A fake boarding pass would be nearly impossible for airport screeners to detect, because they have no access to airline databases at the screening checkpoint and simply compare the name on the boarding pass to an identification card…
…Even if Soghoian’s site is shut down, any boarding pass purchased over the web can still be easily edited in any browser. That means fliers can buy a legitimate ticket through an airline’s website under a false name — evading the TSA’s no-fly list — then use a fake boarding pass under their real name to get past airport metal detectors, the only spot where IDs are checked. Fliers prone to selection for additional screening could also create boarding passes without the “SSSS” mark that tells TSA to search them more thoroughly.
“The website in question has the potential to promote illegal activity,” said TSA spokesman Christopher White. “Submitting fraudulent documents to airline security is illegal. But the site will not aid anyone in circumventing security, since a boarding pass offers entry into a TSA security checkpoint and TSA ensures that every person and their property is fully screened.”
Let me repeat that. “TSA ensures that every person and their property is fully screened.”
Screeners at Newark Liberty International Airport failed 20 of 22 security tests conducted by undercover U.S. agents last week, missing an array of concealed bombs and guns at checkpoints throughout the hub’s three terminals, federal security officials familiar with the results said.
The tests, conducted Oct. 19 by U.S. Transportation Security Administration “Red Team” agents, also revealed significant failures by screeners to follow standard operating procedures while checking passengers and their baggage for prohibited items, said the officials, who spoke on condition of anonymity because it is against TSA policy to release covert-test results…
… The poor test results at Newark come after heightened security procedures that the TSA put in place at U.S. airports in August, after authorities in Great Britain said they foiled an attempt by terrorists to blow up trans-Atlantic flights using liquid explosives.
One of the security officials familiar with last week’s tests said screeners at Newark missed fake explosive devices that were hidden under bottles of water in carry-on luggage, taped beneath an agent’s clothing and concealed under a leg bandage another tester wore.
Additionally, the official said screeners failed to use hand-held metal detector wands when required, missed an explosive device during a pat-down and failed to properly hand-check suspicious carry-on bags. Supervisors also were cited for failing to properly monitor checkpoint screeners, the official said.
“We just totally missed everything,” the official said.
But Rep. Markey won’t be calling for their arrests.