Frequent travelers were thrilled when the Transportation Security Administration rolled out its PreCheck Expedited Screening, which allowed them to leave shoes, belts on and other items on as they already have been pre-screened as safe travelers. Earlier this month a vulnerability was revealed with the new expedited screening though.

On Oct. 19, John Butler on his blog Puckinflight started his post saying ” I am seriously concerned with boarding pass security in the United States.” He explained the flaw he found was in the  barcode of his PreCheck passenger and flight information ID, which is printed on boarding passes. Using a website, he was able to decode this barcode and reveal that he was eligible for PreCheck for that flight, as well as other detailed info — all of which was unencrypted. To Butler, this means “terrorists or really anyone” could manipulate their own barcode, allowing them to go through PreCheck, and use a PhotoShop-like program to alter their ticket. He also said this flaw allows people to change their names as well.

Blogger Shows Ticket Barcodes Could Be Manipulated by Passengers to Pass Through TSA PreCheck

Butler X’ed out some of his information so it couldn’t be tampered with, but he was unable to decode his barcode to reveal his flight information as well as that he would be passed through PreCheck. (Image: Puckinflight/John Butler)

“So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID,” Butler wrote. “The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information.”

As Butler goes on to explain, not every passenger who has opted-in for PreCheck will get to go through the fast track every time. Whether or not they will be randomly selected for the PreCheck line is embedded in this barcode. Given that the barcode can be manipulated, Butler writes that the “randomness” of the program is invalidated because the person could in theory change their ticket to read eligible for PreCheck every time.

Blogger Shows Ticket Barcodes Could Be Manipulated by Passengers to Pass Through TSA PreCheck

TSA map showing airports that have enabled PreCheck. (Image: TSA)

Security Analyst with the American Civil Liberties Union, Chris Soghoian, seconded this sentiment with USA Today:

“If people can verify their PreCheck status at home 24 hours before the flight, the randomness is gone. [...] The randomness needs to occur the moment you are in line, when it’s too late to swap bags with your colleague or it’s too late to throw something in the trash.”

Butler wrote:

So, there are two problems here. First, is the that data on the barcode is not encrypted. This allows people to alter information on the front of the boarding pass. Second, is the more serious issue of the Pre-Check information not only out there but where it is also possible to edit the Pre-Check status and place it back on the boarding pass. However, there is a solution.

Not to be the bearer of bad news without a solution, Butler provided two easy fixes: encrypt the barcode information, and/or require TSA make sure the barcode match that which is on file with the airline.

Butler said he contacted the United Airlines, although he believes the flaw would work with other airlines as well, and TSA about the vulnerability. He  also wrote that he did not try to see if a tampered with barcode would make it past security.

“Actually creating a fake boarding pass even for this blog is a legally grey area and morally black one,” Butler wrote.

All passengers, even those passed through PreCheck, still go through a metal detector or body scanner. USA Today reported TSA saying in a statement that it ”does not comment on specifics of the screening process, which contain measures both seen and unseen.”

“We continue to explore and implement additional mitigation measures to prevent the manipulation of boarding passes and are working with the airlines to enhance existing security systems, programs and methods to prevent illegal tampering,” TSA said in its statement, according to USA Today.

Related:

(H/T: Daily Mail)