
Unencrypted bar codes on airline boarding-passes pose threat

Unencrypted boarding-pass barcodes allow those so inclined to find out if they are "Pre-Checked" or not. Isn't the next logical step to see if the bar code can be tampered with?

The Transportation Security Administration (TSA) is once again in the hot seat. Its "Pre-Check" program appears to be gamed. But is it their fault? I did a little checking, and I'd like to share what I found:

First, what is Pre-Check?

When I first heard about Pre-Check, I didn't know much about it. As a traveler myself, I was curious. It turns out to be a program that makes risk assessments on travelers prior to their arrival at the airport. Then:

If TSA determines a passenger is eligible for expedited screening, information is embedded in the bar code of the passenger's boarding pass. TSA reads the bar code at designated checkpoints, and the passenger may be referred to a lane where they will undergo expedited screening, which could include no longer removing the following items:

  • Shoes
  • 3-1-1 compliant bag from carry-on
  • Laptop from bag
  • Light outerwear/jacket
  • Belt

Not encrypted?

The latest ruckus started when John Butler wrote:

I'm publishing this because I am seriously concerned with boarding pass security in the United States. The way TSA Pre-Check works is the organizations that participate transmit travel information for passengers who opt-in to the program to the TSA.

Butler continues:

Then the TSA in a way that randomizes security determines if the passenger is or is not eligible for Pre-Check, and sends information back to the airline. The airline then encodes that information in a bar code that is on the boarding pass it issues.

Then, Butler drops the bomb:

The problem is the passenger and flight information encoded in bar code is not encrypted in any way.

Below is an example of a boarding pass similar to the one Butler used for his tests.

Next, the information Butler pulled from the bar code:

M1PUCK/COLWMR YXXXXXX PHXEWRUA XXX

294RXXXFXX 11F>30B

WWXXX BUA 0E016 3

Butler crossed out the information relevant to his reservation, and wanted to focus on the last digit, "3":

What is interesting is the bold three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check.

It's that simple to determine your Pre-Check status. Bruce Schneier, in his weekly blog, pointed out many things wrong with the current boarding-pass program. Bruce also answered why knowing your Pre-Check status is a big deal. By reading the bar code, those trying to subvert the system know for sure the type of screening they'll be facing, and can adjust accordingly. Bruce had this to say:

What a dumb way to design the system. It would be easier -- and far more secure -- if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of Pre-Check passengers to send through regular screening. Why go through the trouble of encoding it in the bar code and then reading it?

If you read Bruce's blog post, make sure to look at the first few comments. Several people came up with innovative ways to use the unencrypted bar code to their advantage.

What does it mean?

Experts are saying the problem is two-fold: bar codes are not encrypted, and it appears possible to alter the bar code, allowing the printing of illegitimate boarding passes. In his blog, Butler offered two solutions. First and foremost, encrypt the bar-code information. Second, Butler suggested TSA should incorporate a method enabling it to verify the details carried by the bar code with the airline.
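One way to address both problems, as an added example that is not from Butler's post or from any airline or TSA system: the screening decision stays in a backend table, and the bar code carries only an opaque token plus an HMAC tag, so the status cannot be read off the pass and any altered field fails verification. It uses a keyed MAC with a server-side lookup rather than encryption; the field layout, key handling, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret key shared by the issuer and the checkpoint
# verifier. It is never printed on the pass.
ISSUER_KEY = secrets.token_bytes(32)

# Assumption: backend table mapping token -> screening decision.
# The decision itself never appears in the bar code.
_screening_db = {}


def _tag(payload: str) -> str:
    """128-bit truncated HMAC-SHA256 over the printed fields."""
    mac = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def issue_pass(name: str, flight: str, seat: str, expedited: bool) -> str:
    """Return bar code text: travel fields, opaque token, MAC tag."""
    token = secrets.token_hex(8)          # random, carries no meaning
    _screening_db[token] = expedited      # decision stays server-side
    payload = "|".join([name, flight, seat, token])
    return payload + "|" + _tag(payload)


def verify_pass(barcode: str) -> tuple:
    """Return (valid, expedited) as seen by the checkpoint scanner."""
    payload, _, tag = barcode.rpartition("|")
    # Constant-time comparison; any edited field changes the expected tag.
    if not hmac.compare_digest(tag, _tag(payload)):
        return (False, False)
    token = payload.split("|")[-1]
    if token not in _screening_db:        # unknown or revoked token
        return (False, False)
    return (True, _screening_db[token])


if __name__ == "__main__":
    # Constructed sample values, not taken from a real boarding pass.
    code = issue_pass("DOE/JANE", "XX123", "11F", True)
    print(code)
    print(verify_pass(code))                         # genuine pass
    print(verify_pass(code.replace("11F", "12F")))   # edited field
```

Because the token is random, two passengers with different screening decisions get bar codes that look alike, and the checkpoint needs the key and the backend table to learn the decision.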

Final thoughts

Not exactly related to IT security, but I know plenty of IT professionals who travel. And, I wanted to get the word out on how important it is to protect boarding passes from prying eyes.

As for who's responsible: TSA, IATA, FAA, or some other acronym, I couldn't tell you. I just hope the next time I travel, the problem is fixed.


21 comments
lshanahan

The weakness isn't in the barcode, encrypted or otherwise. Barcodes are no more than machine-readable text, and there is no need to encrypt them if used correctly. The problem is the actual data for the person's check status is encoded within the barcode instead of kept separately. What should happen is that some form of unique ID for a traveller is encoded on the boarding pass, which is then compared at the time of the scan against a database of some kind where the person's "pre-check code" is located. Since the check status never appears on the boarding pass, the question of being able to discover/change it is rendered moot. Also, although altering a barcode is possible, it isn't as easy as you think. It's far easier to simply create a bogus boarding pass in toto with the appropriate barcodes ahead of time. I would point out, however, that the barcodes in the pictures are what is known as "1D" barcodes, where the data is encoded along a single axis. By changing them to any one of several "2D" barcodes (QR codes are an example of a 2D barcode), manually altering them becomes next to impossible since the barcodes have error correction capability built-in and 2D barcodes have a much more complicated mathematical algorithm to create their pattern.

Slayer_

I can't take a bottle of water on board, but I can drink it in front of the guard and get on board myself. If this was explosive, it's now inside me, I could still ingest something to start the reaction. But heaven forbid I have a bottle of water.... And let's not forget, after security there are duty free liquor stores that you can carry on bottles of booze. Did you know alcohol is explosive? Apparently airport security doesn't, to miss such an obvious thing. And as XKCD points out, a rigged laptop battery can explode, but be undetectable. http://xkcd.com/651/

HAL 9000

The last time I flew in AU was to Canberra for one of my brothers funeral. A quick trip down and back on the same day not a big deal and because I was only there for the day I wore what I was wearing to the Funeral and only took a Carry On. The Security took fits because I had a Tie Pin on and wanted to remove it. Didn't matter that I had a Medical Certificate for Needles and Syringes they were Perfectly OK but a Tie Pin with a sharp point on it all of 5 mm long was dangerous and not allowed. Apparently I could stick the pin between my fingers and somehow injure someone so I just asked what about the Needles? Surely I could do far worse with those? Their reply was No you couldn't they are Medical and you need them which is true so I just suggested that maybe if I was so inclined I would forge a Medical Certificate and not draw any attention to myself with the Tie Pin to begin with. I returned to the car and removed the tie pin and didn't have any more issues other than a Government Representative at my brother's funeral asking why I was incorrectly dressed with no Tie Pin. :^0 Col

shunmugapandiyan

Hi, Encrypting and decrypting of the entire bar-code information may create few practical issues. Alternatively the pre-check status alone can be auto generated (instead of a predefined code) using a check digit which shall be arrived based on the other information in the bar-code. So if either the bar code information or the pre-check status is altered, the same can be identified by the system and appropriate action could be taken. S S Pandiyan

webh

As with any government involved undertakings, there's a high probability of being astonished with the lack of logical thought processes being used, always seems to leave you "scratching your head." To be so incompetent with such a serious undertaking as traveler safety is inexcusable, and the arrogance that always seems to be the hallmark of TSA's reply to any criticism continues to numb our sense of assuming our leaders have any morality. Taking responsibility, being truthful, exhibiting any ethical behavior whatsoever seems to be foreign concepts at every level of our government. "May we live in interesting times!"

robo_dev

The specific type of attack that is attempted depends on where the weaknesses are and where the baddies THINK the weaknesses are. Could the specific type of attack that happened in 2001 recur? I don't think it could, since now there are multiple overlapping controls to prevent that. I don't think it's useful to discuss where we think weaknesses still exist. A critical mindset we need to adopt, whether it's physical security, logical security, or even business continuity is to think about this from the perspective of 'what has nobody ever thought of?'. To be more specific, things fail, quite often, due to a 'failure of imagination'. This means you need to not only harden the targets for the risks/threats you know about, but also THINK about what nobody ever dreamed someone would do. There's a saying 'it's so stupid it just might work' which very much applies. To use a sports analogy, we have to adopt a 'zone' defense, considering a wide array of attack vectors, and be careful relying too much on a 'man to man' defense thinking we know what the most likely attack will be.

jeasterlingtech

it is all about the appearance of protection the TSA searches toddlers and takes toy guns from children and nail clippers for heaven sake (i have tried for years to figure out how someone can attack anyone with nail clippers but haven't yet) but still every day there is a risk of someone doing something crazy on a flight it just makes the masses feel better

Michael Kassner

What prevents a bad guy from stealing the unique ID for the traveler, particularly if you feel the bar-code information does not need to be encrypted?

Michael Kassner

I guess they aren't worried unless someone is selling EverClear.

JCitizen

you'd make a good terrorist! ;) If it wasn't for the fact that you had a brain between your ears - that is!

Michael Kassner

I am sorry for your loss. As for what TSA has in mind, I can only guess. I wasn't leaving them completely off the hook. I just think this time, they did not have control of the bar code.

Michael Kassner

I was just reading that some airlines have a verification process in place. That doesn't remove the ability to learn if you are allowed to pre-check or not though, right?

Michael Kassner

It is squarely on whoever (IATA?) designates how the boarding pass looks. As all the airlines must do the same thing.

Michael Kassner

It seems the bad guys employ that type of thinking all the time.

michaellashinsky

For the longest time they took away disposable safety razors. How are you going to hijack a plane with a bic razor? "Infidel! I will cut your throat! Hold still now, this will take a while..." The no fly list is another joke. Suspected terrorists aren't put on the no fly list because they don't want them to know they are being watched. So, the million people (Yes, a million people!) on the no fly list are not suspected of being terrorists. So, why are they on the list? Why is there a list at all?

Michael Kassner

What advantages a nefarious type would have if he did not have to remove those four-five items.

HAL 9000

Buy the Newspaper every day and read the Death Notices first to see if we died and no one has bothered to tell us. ;) That was a few years ago now as I don't fly that much any more it's just got too difficult and being the Old Fart that I am I've got lazy and don't find it useful half stripping just to go through Security. Not sure how females get on with Under-wired Brassieres but I know I have to remove my shoes, belt buckle, belt, wallet and empty my pockets at the very least just to get through Security to wave someone good-by. It's worse if I was actually getting on a plane and I'll make no mention of Parking at Airports so I honestly just try to avoid planes of any shape or form now days. I only fly anywhere when I have to be there in a hurry and driving is out of the question/time frame that is involved. I really didn't want to go to that funeral as there were going to be way too many Government Types involved as the Ambassador from Indonesia was attending so that meant half the Diplomatic Force from the Federal Government being there and the remainder of my brothers. Definitely not a good mix and it was my little sister who insisted that I attend to hold her hand. The brother who died has 2 sons who are actually older than their Auntie who's my sister and it always brings confused looks to a lot of people. Besides I don't like the Limelight on me all that much I much prefer to be in the background and remain unnoticed that way I can get away with Murder and no one notices. ;) But Airport Security is all Show and No Go to make the Flying Public feel safe or to give them the impression of safety when actually there is none at all. An airline here was grounded last year for breaking the rules and flying in way below the lower limit in Melbourne so much so that if they had of had to land on another route they would have flown into buildings as they were well below the buildings' tops.
Flying here is an Extreme Sport and way too dangerous for my liking now days. I remember a shrink who claimed I was suicidal because I rode a racing motorcycle at 200 + KPH and was running the risk of death or serious injury as Speed Kills. He however thought it was perfectly acceptable to allow another unknown person to move him around in excess of 600 KPH and that it was perfectly normal and safe. Apparently having someone with unknown training and no responsibility to the passengers in control of the aircraft is OK but taking responsibility for your own actions is unacceptable. I'm not really sure on that one, but none the less anything related to Commercial Flying is all Illusion to make people believe that they are safe when actually the Authorities do as little as possible and what it is that they do do is to make as much inconvenience as possible and claim it's for Security. That way the people who have to jump through hoops to fly feel better. The reality is that any Airport Security isn't even Reactive like an AV Product on a computer it's Illusion. Best not to think about things like that too hard as you'll get Disillusioned very quickly. :D edited to add I nearly missed this I noticed that you had a United Airlines Ticket so I have to ask did they break your Guitar? Or anything else for that matter. ;) Col

JCitizen

in fact I'm never astonished - I just assume the government never knows what it's doing when it comes to any security - IT or otherwise. Benghazi anyone? Doesn't Homeland Security have any say on what IATA does?

Michael Kassner

How does one secure the safety of millions of passengers in constant flux?

Michael Kassner

I suspect you have many more years to keep us on the straight and narrow, Col. I certainly hope so.

JCitizen

I commend you for being there for your little sister - I hate funerals; but they are more for the living among us anyway.
