The Boarding Pass Brouhaha

Bruce Schneier’s latest piece in Wired:

Last week Christopher Soghoian created a Fake Boarding Pass Generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, flight.

This action got him visited by the FBI, who later came back, smashed open his front door, and seized his computers and other belongings. It resulted in calls for his arrest — the most visible by Rep. Edward Markey (D-Massachusetts) — who has since recanted. And it’s gotten him more publicity than he ever dreamed of.

All for demonstrating a known and obvious vulnerability in airport security involving boarding passes and IDs.

This vulnerability is nothing new. There was an article on CSOonline from February 2006. There was an article on Slate from February 2005. Sen. Chuck Schumer spoke about it as well. I wrote about it in the August 2003 issue of Crypto-Gram. It’s possible I was the first person to publish it, but I certainly wasn’t the first person to think of it.

It’s kind of obvious, really. If you can make a fake boarding pass, you can get through airport security with it. Big deal; we know.


  1. ugh… seriously, wtf. It’s just an excuse to raid someone’s home, really. I mean, when sh!t like this is happening (they didn’t see concealed BOMBS and GUNS?!) is there really any reason to be this intrusive?

  2. Oh, please! You play with fire and you get burned. Is creating fake boarding passes, or enabling others to make them, illegal or not? Not not I would say, or if not it should be! What a wanker this guy is! Is he twelve? I’d have no pity for him anyway. If no one seems to be heeding your cries that you’ve found it to be possible to do something that is wrong, when you think it should not be possible, are you then justified to go ahead and do it without expecting punishment – however good your intentions might be?

  3. Droth, read the article. The vulnerability was well known. All this moron did was implement it and in the process draw major attention to the failures of our airline security. The people who should be prosecuted are the officials who approved the current system. They must have been aware of the holes and choose not to fix them. Any smart terrorist would have been able to figure out how to bypass this.

  4. I agree with droth. I understand that he was just revealing the flaws of airport security, but that doesn’t give him the right to enable more people to take advantage of those flaws. If a troubled kid found that website, we could have had a Columbine incident imposed on an International airport. Just because you figured out vulnerabilities doesn’t mean you should open them up for people to use harmfully. He should try being more productive. How about starting a website with a petition to create an airport security system not based upon boarding passes that you can print and mass produce at home.

Comments are closed.