Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists

  • Christopher Soghoian
Part of the International Federation for Information Processing book series (IFIPAICT, volume 261)

In this paper, we discuss a number of existing problems with the airport transportation security system in the United States. We discuss two separate, yet equally important issues: the ease with which a passenger can fly without any identification documents at all, and the ease with which print-at-home boarding passes can be modified, tampered with, and faked. The significance of these vulnerabilities becomes clear when viewed in light of the US government’s insistence on maintaining passenger watch lists, whose contents are secret and whose effectiveness depends upon the government being able to verify the identity of each flying passenger. We then introduce a method of determining if any particular name is on the no fly list, without ever having to set foot in an airport. We introduce a physical denial of service attack against the Transportation Security Administration (TSA) checkpoints at airports, distributed via an Internet virus. Finally, we propose technical solutions to the user-modifiable boarding pass problem, which also neutralize the physical denial of service attack. The solutions have the added benefit of meshing with TSA’s publicly stated wish to assume responsibility for verifying passengers’ names against the watch lists, as well as enabling them to collect and store real-time data on passengers as they pass through checkpoints, something they are currently not able to do.


Keywords (added by machine, not by the authors): Identity Document; Service Attack; Airport Security; Transportation Security; Transportation Security Administration



Copyright information

© International Federation for Information Processing 2008

Authors and Affiliations

  • Christopher Soghoian (1)
  1. School of Informatics, Indiana University Bloomington, USA
