Boarding Pass Hacker Under Fire
By Ryan Singel Also by this reporter
Security researcher Christopher Soghoian created the Northwest Airline Boarding Pass Generator in the hope of spurring Congress to look closely at the nation's aviation security policies, which he calls "security theater."
The site lets anyone create a facsimile of a Northwest Airlines boarding pass, with whatever name they choose.
On Friday, Congress heard Soghoian's message loud and clear. But instead of promising to reform broken airport security procedures, Rep. Edward Markey (D- Massachusetts), a member of the House Homeland Security committee known for his defenses of privacy, wants the site shut down and Soghoian arrested.
"The Bush administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement Friday.
"There are enough loopholes at the back door of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."
This angers me for several reasons.
First, Markey acknowledges that we are not checking ANY air cargo. I can't take my 6 ounce tube of tooth paste on the plane, because someone might break the laws of physics and chemistry turn it bomb, but anyone could ship 100 pounds of explosives in the cargo hold of a loaded passenger plane. Of course the reason is that it would cost the shippers money, and more importantly, the voters don't SEE the scanning. The advantage of TSA, is that the voters see Congress spending money on "security" and think their reps are doing something.
Second, anyone with rudimentary knowledge of HTML can edit or create a boarding pass that will get anyone past the ID checker. This is not a revolutionary or complicated hack at all.
Third, so what if someone can fake a boarding pass for the ID checker. And it doesn't matter because they still aren't getting on a plane with it. At the door, gate agent will just scan the barcode and catch the fake. Or they'll catch it when the scanned "boarding pass" doesn't match what's in the system. And if the gate agent doesn't catch the fake, the passenger who has that ACTUAL seat assignment will catch it.
Fourth, again, so what? If TSA is competent, they are screening the passengers anyway. Even if someone has a fake boarding pass, their luggage is being X-Ray'ed, they are being screened through the metal detector, and their mouth wash is being taken away.
Fifth, historically, why would a terrorist fake a boarding pass? Expedia is not that hard to use -- they'll just buy the damn ticket. There's not point in faking it.
Sixth, it's outrageous that Markey is calling for the arrest of this guy. The idea that we should prosecute him for pointing out there is a problem, rather than trying to fix the problem is one more demonstration that TSA is more of a fancy PR move than an actual enhancement to security.
And, now, for saying this, Rep. Markey will probably call for my arrest.
At least I have a guarantee that my right to Habeas Corpus will be protected.