October 19, 2012 Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System.
I’m publishing this because I am seriously concerned with boarding pass security in the United States. The way TSA Pre-Check works is the organizations that participate transmit travel information for passengers who opt-in to the program to the TSA. Then the TSA in a way that randomizes security determines if the passenger is or is not eligible for Pre-Check and sends that information back to the Airline. The Airline then encodes that information in a barcode that is on the boarding pass it issues.
The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. Using a web site I decoded my boarding pass for my upcoming trip.
M1PUCK/COLWMR YXXXXXX PHXEWRUA XXX 294RXXXFXX 11F>30B
WWXXX BUA 0E016 3
So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; so the same information is on a Delta, US Airways, American and all other boarding passes. I am just using United as an example. I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.
Pre-Check balances the need to expedite security, and keep it thorough. The TSA does by stating that Pre-Check is random even if one is enrolled in the program. However, editing or really even just viewing the data invalidates the “randomness” of the program, allowing people to chose go through the Pre-Check line any time they want.
So, there are two problems here. First, is the that data on the barcode is not encrypted. This allows people to alter information on the front of the boarding pass. Second, is the more serious issue of the Pre-Check information not only out there but where it is also possible to edit the Pre-Check status and place it back on the boarding pass. However, there is a solution.
Thankfully, there is a really simple solution encode the information before putting it on the boarding pass. If that happens the traveler would either have to have a huge number of boarding passes to reverse engineer the encryption algorithm or algorithm itself. Also, TSA could connect their scanners to the airline database and check the boarding pass against what the Airline has. Either one of these solutions would solve the problem, and they are not that hard to implement.
For the record, while I did validate the process I did not create a proof of concept. Actually creating a fake boarding pass even for this blog is a legally grey area and morally black one. To then actually present that board pass at the TSA checkpoint has to be come kind of crime I would think.
P.S. I have reached out to United Airlines and the TSA to see if they would like to comment on this post.