Aviation blogger John Butler recently reported that boarding passes using the TSA’s Pre-Check expedited screening system store passengers’ travel information in a barcode with no encryption, making it possible both to alter the data in the barcode and to determine whether the passenger has been pre-selected for security screening.
“Butler published the decoded information and pointed to a digit — either a 1 or a 3 — that he said indicated whether he would be expedited or sent through conventional security,” writes TechNewsDaily’s Ben Weitzenkorn. “Not only could an individual use this knowledge of the barcode to cause harm, Butler warned, but he could also change it. Anyone can ‘use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode,’ Butler warned. ‘Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created.'”
“The findings highlight serious vulnerabilities in the current TSA security systems, according to Chris Soghoian, a security expert who sought to draw attention to airline security vulnerabilities in 2006 by building a Web site that permitted travelers to produce fake boarding passes,” writes The Washington Post’s James Ball. “‘If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,’ said Soghoian, now a senior policy analyst at the American Civil Liberties Union.”
“Thankfully, there is a really simple solution … encode the information before putting it on the boarding pass,” Butler noted in his blog post. “If that happens the traveler would either have to have a huge number of boarding passes to reverse engineer the encryption algorithm or algorithm itself. Also, TSA could connect their scanners to the airline database and check the boarding pass against what the Airline has. Either one of these solutions would solve the problem, and they are not that hard to implement.”