Website Exposes Airline Security Flaw
Posted on Nov 2, 2006
Christopher Soghoian created a boarding pass generator, allowing visitors to his website to sneak through airport security with fake documents. Though the FBI has shut down Soghoian’s site, the flaw that enabled it remains a security threat.
This vulnerability is nothing new. There was an article on CSOonline from February 2006. There was an article on Slate from February 2005. Sen. Chuck Schumer spoke about it as well. I wrote about it in the August 2003 issue of Crypto-Gram. It’s possible I was the first person to publish it, but I certainly wasn’t the first person to think of it.
It’s kind of obvious, really. If you can make a fake boarding pass, you can get through airport security with it. Big deal; we know.
You can also use a fake boarding pass to fly on someone else’s ticket. The trick is to have two boarding passes: one legitimate, in the name the reservation is under, and another phony one that matches the name on your photo ID. Use the fake boarding pass in your name to get through airport security, and the real ticket in someone else’s name to board the plane.
This means that a terrorist on the no-fly list can get on a plane: He buys a ticket in someone else’s name, perhaps using a stolen credit card, and uses his own photo ID and a fake ticket to get through airport security. Since the ticket is in an innocent’s name, it won’t raise a flag on the no-fly list.