DIY boarding pass site gets shut down

Student in FBI probe says he created Web site to underscore security problems with print-at-home airline boarding passes.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A Web site that let anyone with an Internet connection and a printer create fake airline boarding passes has been shut down after federal agents visited the creator.

FBI agents raided Christopher Soghoian's home over the weekend, seizing computers and other equipment, Soghoian wrote on his blog. They first visited him Friday afternoon with a request to take the site down, but when he got online, he found that the site had already been removed, he wrote.

Soghoian, reached via e-mail on Monday, declined to comment for this story, citing advice from his lawyers to lie low.

Fake NWA pass

Wendy Osborne, a spokeswoman for the FBI's Indianapolis office, confirmed that agents had searched Soghoian's home as part of a joint investigation with the Transportation Security Administration. "We will conduct a thorough and complete investigation," Osborne said. "We are certainly concerned with any potential breach in security, particularly at the airports."

Soghoian, a computer security student at Indiana University Bloomington built the Web site to underscore an airport security weakness, he wrote. The site was spotlighted late last week after Wired News and ABC News reported on it. U.S. Rep. Edward Markey, a Massachusetts Democrat, called for Soghoian's arrest, but then backed off on Sunday.

The FBI will present the findings of its investigation to the U.S. Attorney's Office for the Southern District of Indiana, which will determine whether Soghoian violated any federal laws, she said. At this point, the student has not been charged and he has not been arrested, Osborne said.

Soghoian's "Northwest Airlines Boarding Pass Generator" let people create boarding passes that look virtually identical to the ones printed from the Northwest Airlines Web site. They could be used to get past airport security, but not to get on an airplane, because the airline would have no record of the reservation, Soghoian said.

"I have not flown, or even attempted to enter the airport with one of these fake boarding passes," Soghoian wrote Friday. "I haven't even printed one out. All I have done is create PHP script, which highlights a security hole made public by others before me."

The Web site went online last Wednesday and immediately attracted attention. Bruce Schneier, a noted security expert, linked to it from his blog on Thursday. Schneier highlighted the same issue with the print-at-home boarding passes on his mailing list more than three years ago. U.S. Sen. Charles Schumer, a New York Democrat, warned of the same security issue last year and again in April this year.