What Security Vulnerability Has Been Revealed on Boarding Pass Barcodes?
Frequent travelers were thrilled when the Transportation Security Administration rolled out its PreCheck Expedited Screening, which allowed them to leave shoes, belts on and other items on as they already have been pre-screened as safe travelers. Earlier this month a vulnerability was revealed with the new expedited screening though.
On Oct. 19, John Butler on his blog Puckinflight started his post saying ” I amΒ seriously concerned with boarding pass security in the United States.” He explained the flaw he found was in the Β barcode of his PreCheck passenger and flight information ID, which is printed on boarding passes. Using a website, he was able to decode this barcode and reveal that he was eligible for PreCheck for that flight, as well as other detailed info — all of which was unencrypted. To Butler, this means “terrorists or really anyone” could manipulate their own barcode, allowing them to go through PreCheck, and use a PhotoShop-like program to alter their ticket. He also said this flaw allows people to change their names as well.
Butler X’ed out some of his information so it couldn’t be tampered with, but he was unable to decode his barcode to reveal his flight information as well as that he would be passed through PreCheck. (Image: Puckinflight/John Butler)
“So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID,” Butler wrote. “The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they donβt check against the real time information.”
As Butler goes on to explain, not every passenger who has opted-in for PreCheck will get to go through the fast track every time. Whether or not they will be randomly selected for the PreCheck line is embedded in this barcode. Given that the barcode can be manipulated, Butler writes that the “randomness” of the program is invalidated because the person could in theory change their ticket to read eligible for PreCheck every time.
TSA map showing airports that have enabled PreCheck. (Image: TSA)
Security Analyst with the American Civil Liberties Union, Chris Soghoian, seconded this sentiment with USA Today:
“If people can verify their PreCheck status at home 24 hours before the flight, the randomness is gone. [...] The randomness needs to occur the moment you are in line, when it’s too late to swap bags with your colleague or it’s too late to throw something in the trash.”
Butler wrote:
So, there are two problems here. First, is the that data on the barcode is not encrypted. This allows people to alter information on the front of the boarding pass. Second, is the more serious issue of the Pre-Check information not only out there but where it is also possible to edit the Pre-Check status and place it back on the boarding pass. However, there is a solution.
Not to be the bearer of bad news without a solution, Butler provided two easy fixes: encryptΒ the barcode information, and/or require TSA make sure the barcode match that which is on file with the airline.
Butler said he contacted the United Airlines, although he believes the flaw would work with other airlines as well, and TSA about the vulnerability. He Β also wrote that he did not try to see if a tampered with barcode would make it past security.
“Actually creating a fake boarding pass even for this blog is a legally grey area and morally black one,” Butler wrote.
All passengers, even those passed through PreCheck, still go through a metal detector or body scanner. USA Today reported TSA saying in a statement that itΒ ”does not comment on specifics of the screening process, which contain measures both seen and unseen.”
“We continue to explore and implement additional mitigation measures to prevent the manipulation of boarding passes and are working with the airlines to enhance existing security systems, programs and methods to prevent illegal tampering,” TSA said in its statement, according to USA Today.
Related:
- Internal DHS Report: ‘Vulnerabilities’Β IdentifiedΒ in TSA Body Scanner Screening Process
- ‘A New Era of Reform’: TSA Tentatively Allows Private Screeners in Orlando
- Guess What: New Tech Could Mean TSA Isn’t Done With You Until You Get on the Plane
(H/T: Daily Mail)
In CONTROL, Glenn Beck presents a passionate, fact-based case for guns that reveals why gun control isnβt really about controlling guns at all; itβs about controlling us. Find out more HERE.
Comments (11)
Sign In To Post Comments! Sign In
Popular Stories
The Scathing Speech That Just Got a Standing Ovation During the IRS Hearing 365 Comments
Was It Against Uniform Protocol for the Marine to Hold Obama’s Umbrella? 356 Comments
S.E. Cupp vs. Michael Moore on Guns: ‘I Just Happen to Be Informed’ 278 Comments
Pat Robertson Has Some Tough Advice for Cheated-On Women: Do You Agree With Him? 246 Comments
Carney to Piers: The Three Government Scandals This Week ‘Don’t Exist’ 240 Comments
Faith
-
Congressman: IRS Demanded to Know Content of Pro-Life Group's Prayers
Read More
-
You Criticized Obama: Famed Christian Radio Host Alleges Outrageous IRS Intimidation
171 Comments
-
Network Releases Statement on Pat Robertson's Controversial Advice to Cheated-On Women
135 Comments
-
'Blasphemy': Prominent Faith Leader Calls Obama Out Over His 'God Bless You' During Planned Parenthood Speech
175 Comments
-
Graphic New Details About Gosnell's Filthy and Flea-Ridden Home and Clinic Emerge: 'The Smells Were Just Unbearable'
Read More
Business
- This Map Shows the 'Riskiest' Places in the World Read More
-
Krauthammer's Impressed With Obama's IRS Answers: He Makes Bill Clintonâs Parsing Look Unsophisticated
Read More
-
Congressman: IRS Demanded to Know Content of Pro-Life Group's Prayers
Read More
- America off Limits: Soviet Tourists Were Banned from Visiting These Areas During the Cold War Read More
-
These Are the 4 Most Important Takeaways from Today's IRS Hearing
134 Comments
Technology
-
Woman Who Lost All Limbs to Flesh-Eating Bacteria Gets $200K Bionic Arms
Read More
-
Why Are These Zoo Keepers Baffled by This Anteaterâs Babies?
Read More
-
Largest Lunar Explosion in NASA History Caught on Video
106 Comments
-
Ever Wonder How It'd Look to Have Your Face Eaten by a Bear? Here's Your Answer
Read More
-
New Energy Secretary Named With Unanimous Confirmation
146 Comments
Submitting your tip... please wait!
HI_Don
Posted on October 30, 2012 at 11:50pmOnce again a lack of Blaze copy editor competency:
“Butler Xβed out some of his information so it couldnβt be tampered with, but he was UNABLE to decode his barcode to reveal his flight information”
I think you meant “was able to”, after all if he was unable to the that would kind of negate the whole story.
Report this comment
00100111
Posted on October 29, 2012 at 4:00pmThat’s another behavior of TSA I’ve never quite understood. Most people take criticism and improve themselves. There have been multiple instances of people exposing holes in security, exposing vulnerabilities, showing where things break down and don’t work. It’s done to help the system, to fix it, to show where the point of failure is and improve it. Think of it as reliability testing. All tech companies have a reliability dept that does exactly that. Mess with the system until it breaks then fix what broke and test more. But the TSA doesn’t do that. They get offended, threaten you, and even try to put people in prison. It makes no sense.
Report this comment
NOTAMUSHROOM
Posted on October 29, 2012 at 1:25pmWe were flying yesterday. We were literally threatened, in an intimidating way, with a pat down for being unhappy with the naked body scanners. One of us submitted to being groped and it wasn’t I. The agent doing the pat down babbled incessantly with something about the “airlines asked the government for help after 9/11 because they have a right to protect their planes,” to which I replied, “That’s not the point but I appreciate that you’re just doing your job.” As we exited the TSA area, we remarked that no matter how you look at it, it’s NOT CONSTITUTIONAL. A TSA supervisor and one of his goons interjected themselves into our conversation and started to follow us in a very threatening, intimidating fashion. He kept asking if the agent was rude to us. I told him that we just have a difference of opinion and I asked him if we’re still allowed to have those. He finally backed off because we didn’t take the bait and ignored his attempts to draw us into a conflict.
We have a problem, America.
Report this comment
Dachande
Posted on October 29, 2012 at 1:22pmWho’s actually surprised by this? Bar codes are codes, they can easily be broken. Also, it’s something implemented by the TSA, so you already know it’s crap. Don’t act surprised when the terrorists actually figure out what we already know about the TSA, just be very angry with every elected official and vote them out for allowing the TSA to set us up for a lot of people to be killed in the future.
Report this comment
Larry E
Posted on October 29, 2012 at 12:04pmTSA is a major security vulnerability in itself!
Report this comment
wingedwolf
Posted on October 29, 2012 at 9:44amPeople need to understand that nothing that goes on with the federal agencies is for our good. I am really weary of people thinking that the administration is incompetent. They are not. They are doing all the things they are doing to weaken and destroy America. And people aren’t pushing back because they think they’re just incompetent. Meanwhile, we are showing our papers more than they did in nazi germany.
Report this comment
G-WHIZ
Posted on October 29, 2012 at 11:27amThe more the TSA relies on machines-only…the more “holes” exist!! The votes are taken and tallied by electronic-hackable machines, and these machines/etc. are made by acompany overseas and owned by GeoSoros!
Report this comment
hi
Posted on October 29, 2012 at 9:41amIsn’t it racist to make minorities and women wearing burkas to show their ID’s?
Report this comment
QuincySmith
Posted on October 29, 2012 at 9:39amPlease President Romney, immediately after ending oblamacare, end the TSA, EPA, DOE, abc (not Abetting Benghazi Coverup), and xyz.
Report this comment
Snowleopard {gallery of cat folks}
Posted on October 29, 2012 at 9:37amI imagine the administration has already informed their terror allies in the Middle East of this newest debaticle in our security.
How many other flaws and open doors wait to be found and exploited by our nations enemies while the ever worthless TSA and DHS continue to hound the citizens of this nation as ‘enemies?’ How much longer until someone is pushed too far by TSA and they fight back? Or until the TSA pushes someone into a heart attack with their molestations?
Report this comment
Walkabout
Posted on October 29, 2012 at 9:44amAny news on the Battle Group admiral that was relieved of duty?
Report this comment