Experts warn of security defect with airline boarding passes
Washington Post
Security flaws in airline boarding passes could allow would-be terrorists or smugglers to know in advance whether they will be subject to certain security measures, and perhaps even permit them to modify the designated measures, security researchers have warned.
The vulnerabilities center around the Transportation Security Administration’s pre-screening system, a paid-for program in which the screening process is expedited for travelers at the airport: laptops can remain in hand baggage, as can approved containers of liquid, and belts and shoes kept on.
Under the program, passengers can still be subject at random to conventional security screening.
Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive.
Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers.
Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process.
Butler’s findings are supported by information in a technical specification publicly available on the website of the International Air Transport Association, and some details about the vulnerability appear to have circulated in aviation chat forums since at least July.
The TSA declined to comment on the reports, and would not say whether the agency had been made aware of the issue. A spokesman stressed that screening at airport checkpoints is only one part of a much wider security process.
“TSA does not comment on specifics of the screening process, which contain measures both seen and unseen,” spokesman Sterling Payne said. “TSA Pre Check is only one part of our intelligence-driven, risk-based approach.”
The findings highlight serious vulnerabilities within the current TSA security systems, according to Chris Soghoian, a security expert who sought to draw attention to airline security vulnerabilities in 2006 by building a website that permitted travelers to produce fake boarding passes.
“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.
“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable. We at the ACLU are not fans of profiling, we think it doesn’t work and has civil liberties issues. The watch list approach doesn’t ensure security.”
The reported vulnerabilities also raise the possibility that travelers could tamper with boarding passes in an attempt to alter the type of security screening they will receive.
Most passes are issued with verification codes to prevent tampering. But some security experts have said that certain passes are marked as “unverified,” suggesting they could be modified. They were unable to test whether it was possible to do so, however, as it is illegal to tamper with a boarding card under U.S. law.
Sen. Charles E. Schumer (D-N.Y.), who has been critical of TSA security measures on several previous occasions, said the new findings were a cause for concern.
“The pre-check system is extremely valuable for making airport screening more efficient, but it is imperative that security not be compromised,” he said. “This has the potential to be a gaping flaw in the system that would be all too easy to exploit. At the very least, if someone is flagged for a random screening, that information should be encrypted.”