Unencrypted boarding-pass barcodes allow those so inclined to find out if they are "Pre-Checked" or not. Isn't the next logical step to see if the bar code can be tampered with?
Transportation Security Administration (TSA) is once again in the hot seat. Their "Pre-Check" program appears to be gamed. But, is it their fault? I did a little checking, and I'd like to share what I found:
- 2003: Airlines began allowing passengers to print their boarding passes.
- 2003: Security pundit, Bruce Schneier raised concerns about altering printed boarding passes.
- 2006: A majority of passengers were printing their passes.
- 2007: Privacy expert, Christopher Soghoian's paper, Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists, once again raised concerns about forging boarding passes.
- 2009: International Air Transport Association mandated that all boarding passes must contain a bar code.
- 2012: TSA introduced their "Pre-Check" program.
- 2012: Aviation security expert, John Butler posted his concerns that the bar-code information is not encrypted.
First, what is Pre-Check?
When I first heard about Pre-Check, I didn't know much about it. As a traveler myself, I was curious. It turns out to be a program that makes risk assessments on travelers prior to their arrival at the airport. Then:
If TSA determines a passenger is eligible for expedited screening, information is embedded in the bar code of the passenger's boarding pass. TSA reads the bar code at designated checkpoints, and the passenger may be referred to a lane where they will undergo expedited screening, which could include no longer removing the following items:
- 3-1-1 compliant bag from carry-on
- Laptop from bag
- Light outerwear/jacket
The latest ruckus started when John Butler wrote:
I'm publishing this because I am seriously concerned with boarding pass security in the United States. The way TSA Pre-Check works is the organizations that participate transmit travel information for passengers who opt-in to the program to the TSA.
Then the TSA in a way that randomizes security determines if the passenger is or is not eligible for Pre-Check, and sends information back to the airline. The airline then encodes that information in a bar code that is on the boarding pass it issues.
Then, Butler drops the bomb:
The problem is the passenger and flight information encoded in bar code is not encrypted in any way.
Below is an example of a boarding pass similar to the one Butler used for his tests.
Next, the information Butler pulled from the bar code:
M1PUCK/COLWMR YXXXXXX PHXEWRUA XXX
294RXXXFXX 11F>30BWWXXX BUA 0E016 3
Butler crossed out the information relevant to his reservation, and wanted to focus in the last digit "3":
What is interesting is the bold three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check.
It's that simple to determine your Pre-Check status. Bruce Schneier, in this weekly blog, pointed out many things wrong with the current boarding-pass program. Bruce also answered why knowing your Pre-Check status is a big deal. By reading the bar code, those trying to subvert the system know for sure the type of screening they'll be facing, and can adjust accordingly. Bruce had this to say:
What a dumb way to design the system. It would be easier — and far more secure — if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of Pre-Check passengers to send through regular screening. Why go through the trouble of encoding it in the bar code and then reading it?
If you read Bruce's blog post, make sure to look at the first few comments. Several people came up with innovative ways to use the unencrypted bar code to their advantage.
What does it mean?Experts are saying the problem is two-fold. Bar codes are not encrypted. And, it appears possible to alter the bar code; allowing the printing of illegitimate boarding passes. In his blog, Butler offered two solutions: first and foremost, encrypt the bar-code information. Second, Butler suggested TSA should incorporate a method enabling TSA to verify the details — carried by the bar code — with the airline.
Not exactly related to IT security, but I know plenty of IT professionals who travel. And, I wanted to get the word out on how important it is to protect boarding passes from prying eyes.
As for who's responsible: TSA, IATA, FAA, or some other acronym, I couldn't tell you. I just hope the next time I travel, the problem is fixed.