The FBI has
forced a security researcher who created an online service for printing fake
Northwest
Airlines boarding passes to take down his website.
The PHP script-based online service allowed users to create and print
boarding passes for the airline under any name and for random itineraries and
seats.
Although the bogus passes would not allow passengers to board a plane, they
could be used to pass initial airport security clearing and gain access to the
gate area.
Terrorists could use a similar method to bypass security and avoid detection
by name-based blacklists.
The website was available from 25 to 27 October, and can still be accessed
through
Google's
cache.
The creator of the website is 24 year-old Christopher Soghoian, a computer
security graduate student at the Indiana
University
Bloomington.
Soghoian suggested in his
Slight
Paranoia blog that people could use the fake boarding passes to "meet
elderly grandparents at the gate", upgrade to business class or demonstrate the
ineffectiveness of the US passenger screening process.
The service prompted US congressman Edward Markey to call for Soghoian's
arrest. The student was presented with an order from the FBI on Friday
afternoon, instructing him to take down his website.
Soghoian came home on Saturday to find the glass of his front door smashed.
He found an FBI search warrant taped to his kitchen table, and the authorities
had seized all his computers and storage media as well as several documents.
Before his apartment was searched, Soghoian ridiculed Markey's comments,
pointing out that the idea behind his website has been widely publicised by
Senator
Charles E Schumer in 2005.
"Schumer did not produce a PHP script that would do it for you, but he
provided detailed enough instructions that a terrorist or evil-doer with basic
computer skills could do it," argued Soghoian.
"I have not flown, or even attempted to enter the airport with one of these
fake boarding passes. I have not even printed one out. All I have done is create
a PHP script which highlights a security hole made public by others before me."
The student has opened a
PayPal
account where he is soliciting contributions to fund his legal defence.
Do you agree?
Have your say on this article