FBI pulls plug on boarding pass hack

Student finds home sansacked after offering fake airplane boarding passes.

The FBI has forced a security researcher who created an online service for printing fake Northwest Airlines boarding passes to take down his website.

The php script based online service allowed users to create and print boarding passes for the airline under any name and for random itineraries and seats. Although the phoney passes wouldn't allow passengers to board any airplanes, they could be used to pass initial airport security clearings and gain access to the gate area.

Terrorists could potentially use a similar method to bypass security and avoid detection against name based blacklists.

The website was available from Wednesday 25 October through Friday 27 October. It can still be accessed through Google's cache.

The creator of the website is 24-year-old computer security grad student Christopher Soghoian at the Indiana University Bloomington.

When he first published the service, Soghoian suggested that people use it to "meet your elderly grandparents at the gate", upgrade themselves to business class seats or demonstrate the ineffectiveness of the US passenger screening process.

The service prompted congressman Edward Markey to call for Soghoian's arrest. The student on Friday afternoon was presented with an order from the FBI, instructing him to take down his website.

He came home on Saturday to find the glass of his front door smashed. He found an FBI search warrant was taped to the kitchen table and authorities had seized all his computers and storage media as well as several documents.

Before his apartment was searched, Soghoian ridiculised Markey's comments. He pointed out that the theory behind his service has been widely publicised by senator Schumer in 2005.

"Sure, he didn't produce a php script that'd do it for you, but he provided detailed enough instructions that a terrorist or evil-doer with basic computer skills could do it," argued Soghoian.

"I have not flown, or even attempted to enter the airport with one of these fake boarding passes. I haven't even printed one out. All I have done is create a php script, which highlights a security hole made public by others before me. "

The student has opened a Paypal account where he is soliciting contributions to fund his legal defence.

Copyright ©v3.co.uk

boardingfbihackonpassplugpullssecurity