Aviation vulnerability: Scan boarding passes to discover if you're in for deep screening; print new barcodes if you don't like what you find

Want to know if you're in for a date with Doctor Jellyfinger the next time you go to the airport? Just print out your boarding card and scan the barcode: it encodes whether you're getting the "full security screening" or just the normal humiliation. The vulnerability came to light through a blog post by John Butler documenting it. Not only can you discover whether you're headed for the full monty, you can also change your screening status by decoding the barcode, changing the one character that carries the screening flag, and printing a new barcode in its place. Nothing in the barcode ties that flag to the rest of the pass, and the checkpoint scanners only decode what is in front of them.

I have X’d out any information that you could use to change my reservation. But it’s all there: PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip, as you can see, I am eligible for Pre-Check. Also, this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past the TSA document checker, because the scanners the TSA use are just barcode decoders; they don’t check against the real-time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3, they can always use the Pre-Check line.

October 19, 2012 Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System. (via /.)
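To make the structure Butler is describing concrete, here is an added example (not code from his post, the TSA or any airline) that parses an IATA BCBP boarding-pass payload, finds the selectee indicator the screening status is carried in, and performs the decode, edit, re-encode step in Python. The field layout follows my reading of the IATA BCBP implementation guide, with each conditional section located by the hex size bytes that precede it; the passenger, PNR and ticket values are constructed, and the pass is single-leg. The PDF417 symbol on the printed pass is only a carrier for this string, so "decoding" and "re-encoding" the barcode is whatever any barcode library does with it.

```python
# Mandatory BCBP items: (IATA item number, name, width).  Always 60 characters.
MANDATORY = [
    (1, "format_code", 1), (5, "legs", 1), (11, "passenger_name", 20),
    (253, "eticket_indicator", 1), (7, "pnr", 7), (26, "from_airport", 3),
    (38, "to_airport", 3), (42, "operating_carrier", 3), (43, "flight_number", 5),
    (46, "julian_date", 3), (71, "compartment", 1), (104, "seat", 4),
    (107, "checkin_sequence", 5), (113, "passenger_status", 1),
    (6, "variable_size_hex", 2),
]
# Conditional items unique to the pass, following '>' + version + a 2-hex size.
UNIQUE = [
    (15, "passenger_description", 1), (12, "checkin_source", 1),
    (14, "issuance_source", 1), (22, "issue_date", 4), (16, "document_type", 1),
    (21, "issuer", 3), (23, "baggage_tag", 13),
]
# Conditional items repeated per leg, following a 2-hex size.  Item 18 is the
# selectee indicator; the post reports '3' as PreCheck and '1' as not.
REPEATED = [
    (142, "airline_numeric", 3), (143, "document_serial", 10), (18, "selectee", 1),
    (108, "intl_doc_verification", 1), (19, "marketing_carrier", 3),
    (20, "ff_airline", 3), (236, "ff_number", 16), (89, "id_ad", 1),
    (118, "baggage_allowance", 3),
]


def _take(s, pos, width):
    """Return s[pos:pos+width] and the new position, refusing short reads."""
    field = s[pos:pos + width]
    if len(field) != width:
        raise ValueError(f"payload truncated at offset {pos}")
    return field, pos + width


def parse(bcbp):
    """Walk the fixed-width fields, using the embedded size bytes to locate
    the conditional sections; returns the fields plus the selectee's absolute
    offset.  Single-leg passes only (an assumption of this example)."""
    out, pos = {}, 0
    for _, name, width in MANDATORY:
        out[name], pos = _take(bcbp, pos, width)
    if out["format_code"] != "M" or out["legs"] != "1":
        raise ValueError("expected a single-leg 'M' payload")
    var, _ = _take(bcbp, pos, int(out["variable_size_hex"], 16))
    if var[:1] != ">":
        raise ValueError("conditional section must start with '>'")
    out["version"], p = _take(var, 1, 1)
    for items in (UNIQUE, REPEATED):          # each section: 2-hex size, then fields
        size_hex, p = _take(var, p, 2)
        end = p + int(size_hex, 16)
        for _, name, width in items:
            if p + width > end:
                break                         # issuer sent a shorter section
            out[name], p = _take(var, p, width)
            if name == "selectee":
                out["selectee_offset"] = pos + p - width
        p = end
    out["airline_use"] = var[p:]
    return out


def build(fields, airline_use=""):
    """Inverse of parse(): pad each field to its width and compute the three
    hex size bytes, so the constructed sample is self-consistent."""
    def pack(items, src):
        return "".join(src[name].ljust(width)[:width] for _, name, width in items)
    unique, repeated = pack(UNIQUE, fields), pack(REPEATED, fields)
    var = (">" + fields["version"] + f"{len(unique):02X}" + unique
           + f"{len(repeated):02X}" + repeated + airline_use)
    return pack(MANDATORY, {**fields, "variable_size_hex": f"{len(var):02X}"}) + var


def set_selectee(bcbp, value):
    """The edit from the post: decode, change one character, re-encode.  No
    checksum, MAC or signature binds the flag to the rest of the pass, so the
    result parses exactly like a genuine one."""
    off = parse(bcbp)["selectee_offset"]
    return bcbp[:off] + value + bcbp[off + 1:]


# Constructed sample pass (not a real passenger, PNR or ticket number).
SAMPLE = {
    "format_code": "M", "legs": "1", "passenger_name": "DOE/JANE",
    "eticket_indicator": "E", "pnr": "ABC123", "from_airport": "SFO",
    "to_airport": "JFK", "operating_carrier": "UA", "flight_number": "1234",
    "julian_date": "293", "compartment": "Y", "seat": "011A",
    "checkin_sequence": "0042", "passenger_status": "1", "version": "4",
    "passenger_description": "0", "checkin_source": "W", "issuance_source": "W",
    "issue_date": "2293", "document_type": "B", "issuer": "UA", "baggage_tag": "",
    "airline_numeric": "016", "document_serial": "1234567890", "selectee": "0",
    "intl_doc_verification": "0", "marketing_carrier": "UA", "ff_airline": "UA",
    "ff_number": "0012345678", "id_ad": "N", "baggage_allowance": "20K",
}

if __name__ == "__main__":
    original = build(SAMPLE)
    forged = set_selectee(original, "3")
    for label, s in (("original", original), ("forged", forged)):
        info = parse(s)
        print(f"{label}: selectee={info['selectee']!r} at offset {info['selectee_offset']}")
    print("characters changed:", sum(a != b for a, b in zip(original, forged)))
```

With this layout the selectee indicator lands at zero-based offset 103, the 104th character of the payload, but its position depends on the three size bytes, so a checker should walk them rather than assume a fixed column. The point to notice is what the format does not contain: nothing lets a scanner that only decodes tell the forged string from the genuine one.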


    1. Noooooo, you are helping the terrorists win! Giving them the TSA budget plus this super secret squirrel scanner info will doom us all….

      That is until either of the Bush Twins or Jeb are old enough to be installed in the White House… to protect us like old Georgie did.

  1. How does he know that 1/3 decides whether he gets checked or not? Has he tested it himself? Found the TSA secret manual? Citation needed.

    1. It’s amazing what you can find on the Internet these days.  Behold TSA’s secret manual!

      The entire barcode schema is documented here: http://www.iata.org/whatwedo/stb/Documents/BCBP_Implementation_Guidev4_Jun2009.pdf

      The flag for precheck is character 104 described on page 39.

      This topic has been discussed for months on Flyertalk.  I use a barcode scanner to check my boarding passes to see if I’m going to get PreCheck or not at the airport and it works great.

          1. It’s actually character 104 in the data stream when it’s decoded from the barcode.

            If you scan the boarding pass with a barcode reader app that supports PDF417 format, you’ll see output like this:

            M1LAST/FIRSTHMR ABCDEFG UA 1234 293R001D54 11F>30B MM293 BUA 0E016 3

            It’s the last ‘3’ that’s the key…if it’s a ‘3’ then you’re good to go for PreCheck. A ‘0’ means you don’t qualify for that flight.

  2. I enjoyed his insinuation that the easy way to fix it is to encrypt the data in the barcode somehow. Because hackers never figure that stuff out! 

    I mean he gets points for discovering this vulnerability if it turns out to be true, but perhaps he should have avoided suggesting solutions in the absence of any kind of cryptography background. 

    1. Encryption works fine – it’s just a matter of using a big enough key  to ensure that it can’t be brute-forced and having a robust method for changing the key so that a compromised key doesn’t compromise the whole system.

    2.  He is right and you are wrong. Strong public/private key encryption of the screening code along with the flight and person identifying information would work.  The codes could be encrypted such that it could be decrypted on the spot by any scanner while being effectively impossible to forge or alter. The screener could then cross-check the decrypted information with the unencrypted name, flight # etc. If they don’t match, you take the bearer aside for further questioning.

      1. My point was supposed to be that that’s not what he said. He just said “encode” like all you have to do is feed the data through an encryption algorithm to scramble the data and the job is done.

        An effective implementation would be a lot more complicated. Knowing the TSA it would require them to buy an entirely new set of scanners that could handle private keys (and they’d still screw that up).

        1. what you think ‘encode’ means is beside the point. The author is not the one doing the insinuating. That’s you.

          1. No, he really does imply that he’s not talking about strong encryption. His suggestion that the system he proposes would be useless if anyone discovered the algorithm behind it means that it’s just scrambling the data.

          2. How about we use what ‘encode’ means to a computer scientist, which is categorically not ‘encrypt’.

            ‘Encode’ means convert for storage or transmission in a coded form – generally this is done to make things easier to read, or to transmit across certain media.  ASCII text is a code, barcodes are a code, Morse code is a code.  128-bit AES-CBC encryption is not a code, it is an encryption method.

            The other point the author makes alongside the ‘encoding’ one is valid though – if this were just a pointer into a database, it would work.

            The database would contain all the stuff that’s currently stored on the barcode; if you change the pointer value you either get no result, or completely wrong information (that’s not the name on your passport and the flight isn’t until next week – step this way please) – the attacker doesn’t get to change only part of the entry.

            That’s quite aside from the question of whether any screening the TSA is doing does any good at all…

          3.  How about -you- do that.

            And how about we follow what the author said, rather than what you or I say?

          4. (replying to this post because I can’t reply to the one below – thread depth limit maybe?)

            from the article:
            “The Airline then encodes that information in a barcode that is on the boarding pass it issues.

            The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. “

            The author definitely appears to know the difference between encoding and encryption.

            As Stephen Schenck also points out, the author then says that someone with enough boarding passes could reverse-engineer the transformation applied to the data, which would break the scheme.  Modern encryption algorithms don’t work like that – they’re widely studied public knowledge, with the key being the only secret; however, a secret-sauce encoding scheme absolutely would work that way – a large enough sample could allow reverse engineering the whole thing. This further supports the idea he’s using the terms in the standard, correct, manner.  (Yes, I said “correct” – because that’s what it is).

            A subsequent blog post (which neither of us had access to initially) suggests he is being sloppy with the terms, even though he does apparently understand the distinction:

            “I would like to know why the TSA in collaboration with the Airlines couldn’t come up with an encoding system for the bar codes on airline boarding passes. The effect of such a system would be that when anyone puts their boarding pass into one of the online barcode readers, the output is just a string of characters. The airline and TSA scanners would have chip that contains the decryption key, which would turn the data into the information we see currently.”

            Regardless of how he uses the terms, that’s a bad security design.  A single secret has to be widely distributed, the devices containing it can be bought new or used, dumpstered, stolen, lost, etc.  If the attacker gets the key, the defender may not know; if the defender does find out the key is compromised, the choice is between the huge expense and hassle of rekeying all the devices, or accepting that the security provided by the system was so trivial it’s not worth it anyway.

          5. and the assumed audience for the original article, was it comp sci grad students?

            You can make points all day long, it wasn’t, and isn’t about what YOU understood. But keep being disruptive and making his point.

          6. For the one insisting we refer to what the author said, you’re making remarkably few (0) references to what the author said.  Those who you suggest are wrong, are the ones who are referring to the actual text in question.

      2. “Strong public/private key encryption” is usually done using a 2048-bit key.  Even a couple of bits of plaintext is going to encrypt into like 1k of cryptext.  And that’s a lot to fit in a barcode – even a QR code.

        Now, I’m sure that the TSA could figure out some ingenious way to implement a new encryption system which allows asymmetric encryption to output a barcode-sized cryptext output.  But I think I’d rather not trust the TSA’s homebrewed encryption system, thanks.

        Probably the only solution is a networked system where the barcode itself just stores a key which must be looked up in a database to retrieve the actual info.  Of course, then you’d have to ensure that the creator of the pass and every verifier of the pass has easy access to this database, but that nobody else does.  I don’t really trust that the TSA can handle that level of complexity, either.

        1. They should talk to encryption mage Bruce Schneier, I’m sure he’d love the chance to talk with them about security…  :)

        2. Crypto doesn’t increase the length of the message – there’s no need for it mathematically. At most, the message is rounded up to the next nearest block size … AES is a 128 bit block (using a 256 bit keysize). But, even 2048 bits are easy to print – the attached 2d code is 1992 bits. 

          1.  AES is not a public/private key encryption algorithm.

            RSA is the most commonly used public/private key system.  The message to be encrypted under RSA must be padded to make it the same size as the modulus used (e.g. 2048 bits or more).

        3. “Of course, then you’d have to ensure that the creator of the pass and every verifier of the pass has easy access to this database, but that nobody else does.”
          yeah, channeling Bruce Schneier here, but the more secure something seems, the more we’re likely to trust it, and when it’s hacked the bigger the consequences. truly random checks at the gate would eliminate the problem altogether ( not to mention the issues of thought crime profiling ). then the tsa, and fbi could spend their resources on, say, actual law enforcement.

    3. Infosec guy here. More than needing to fix this with encryption, this entire model is just bad. See: 


      This is essentially the physical equivalent of the worst-practice described in the above. Rather than encoding user data onto the ticket (which can be tampered with), each ticket would ideally simply contain an identifier associated with the traveler’s data that would be stored only on the TSA servers.

      Essentially the TSA could have just implemented best-practices web session management techniques here (translated into physical form) and they wouldn’t have had this problem. This is entry-level security stuff, and it’s distressing they got this wrong – especially given the budget they have to work with.

      1. Except for the day when their internet goes down and nobody is allowed to board the plane until they can be cleared with the little green light.

        1. Well, then you presumably fall back to everyone getting the full brown-person security treatment.

          The fact that they decided to completely de-secure their system (assuming they are able to retain competent security engineers), rather than risk having to subject aristocrats to the treatment reserved for peasants, even in the rare event of a network failure, is somewhat revealing as to the priorities of the system.

    4. What about just making the barcode a barcode? Why keep this info in the barcode at all? Why shouldn’t the barcode just refer to the database profile they made of you when you booked the flight?

      I realize this is partially answered by the fact that their scanners are not connected to anything, but connecting them to the database would seem trivial in this day and age. We can do it in the library with barcodes or RFID. No patron or book information is encoded in the barcode or RFID, it all just refers back to the database. Of course you still have to worry about database security but I would assume? they are already doing that.

      1. >> connecting them to the database would seem trivial in this day…

        That makes the immense assumption that there is even a database of flights and who is on them! The airlines are required to check if a passenger is on the no-fly list but they aren’t required to report who is flying and when.

        If you think about it for a minute, there almost can’t be such a database without a huge change in policy and permissiveness of the American people. Would you want our government to have that data? It would mean tracking everyone who flies, each time they fly.

        1. I don’t think you would need to give the TSA full access to each airline’s database. The barcode scanner could simply query the database and return the relevant info instead of encoding it in the barcode.

          Obviously the airlines already have such a database because they are the ones encoding those barcodes.

  3. Not quite right to say “full security screening” or just the normal humiliation. What this code means is not whether you will be screened or not but whether you’ve qualified for the special “pre-checked” program. The point being, a “non-pre-checked” passenger who was excluded from the program for good reason (terrorist ties, let’s say) could re-code himself as a “pre-checked” passenger and cruise through security with a cursory check.

  4. Listen, no-one’s perfect.  The TSA has the humiliation of breastfeeding mothers and iPad theft down.  And they’re irradiating a huge swath of the American populace.  What more do you want out of them?

  5. Obviously, this is proof that we must outlaw private ownership of bar code scanners!

    And Photoshop.

    And text editors.

    And the internet.


  6. The supposition here is that a terrorist can easily manipulate a boarding pass and somehow smuggle a bomb onto a plane to bring it down.
    Well, we’ve known for years that it’s trivial to modify a boarding pass with different names and by using a fake ID, someone could easily board a plane when they’re not supposed to.  This is nothing new.

    The PreCheck program works behind the scenes to “pre-verify” that you are a trusted traveler who has been subjected to additional background checks.  All it does is allow a person who’s already been checked out to avoid the worst of the screening procedures like shoes-off, laptops out nonsense.  Everyone still has to go thru a metal detector and every bag is x-rayed.

    What it really means is the TSA is finally admitting that the backscatter nude-o-scopes are pointless and that there’s no real reason why we need to take off our shoes, etc.  It’s a tacit admission that the airport checkpoint really is just kabuki security theater and all the extra headache is unnecessary. 

    1. They will never, ever, ever, ever admit anything of the kind.  It would literally be like you walking into your job one day to openly declare that all of the money that has been paid to you was completely wasted and you have done nothing but be an annoyance to everyone for years.

      The TSA would never have the balls to step up and tell everyone they’ve never caught anyone or anything.  They need to work to protect their pointless jobs with access to the shrimp cocktail buffet.

  7. Why is this news? We’ve all known for many years that the methods used at the gate are silly at best. 

    1. Rational thinking people have known.  There are a good amount of mouthbreathers who are convinced ter’rists are going to storm every flight if we don’t check all the rectums first.  And nobody in Congress wants to be seen as Soft On Terror.

    2. Really, this is just act 57 of Security Theater.  The only good thing I can say about it is that even the terrorists are entertained by the production, as there has been no major hijacking incidents in the US for as long as I can remember and most of the bomb attempts have been hilarious failures. 

      Rag on the TSA all you want, but they’re not as incompetent as the old private security screeners. 

  8. Wasn’t there a different solution for how to flag people for extra-screening without telling them that they’re going to do so, in a transparent way, that was posted recently?

    Above people are commenting that a secure private-key encryption would not work because it would create a message that’s at least a thousand bits of text, and that’s hard to put in a barcode.

    Why not, instead of really “encrypting” everything, just pre-assign 3000 random “flag” numbers each day, then give everyone a number between 1 and 10,000 on their ticket. Now you don’t need any encryption to know if someone needs extra-screening, you just need to see if they have one of the 3000 numbers. And the person holding the ticket doesn’t know what those numbers are.

    Of course, this all goes out the window if the computer is increasing the likelihood of extra-screening based on other factors, like buying a ticket with cash. If that were the case, it would always be worth your while (as a terrorist) to create a new boarding pass no matter what, on the assumption that you’re more likely to create a non-screening number.

  9. Of course some contractor(s) will need more $$$ to fix the problem.  How convenient for them.  While TSA screeners seem to vary widely in the I.Q. department, the suppliers and contractors are a sharp bunch.

  10. At Los Alamos, the most heavily guarded military installation in the USA, Richard Feynman learned to pick locks, and would often leave safes and filing cabinets open to show that they were no good. He also enjoyed sneaking out a hole in the fence and then going around to the front of the compound and surprising the guards.

    The response was an order to keep Richard Feynman off the premises.

    TSA is applying security measures based on old inefficient methods (security via obscurity, throwing people at the problem, more crappy checks equal more security) , that is all. Oh, and you and I are paying for it.

    1. I am glad that after having watched nearly all (to my knowledge?) readily available video of Feynman on the net, there are still little bits of delicious Feynman goodness that trickle into my life, one day at a time! Thank you!

  11. Techie games aside there was one early hijacking when the dudes just ran past security and onto a boarding plane and took control. I don’t think it would be hard to get an accomplice hired on as a baggage handler or some other airport grunt worker. Boarding passes are used to give travelers an illusion of security.

  12.  Here’s something even more hilarious: Getting people extra thoroughly identified is a bullshit ruse that *looks* like security and has nothing to do with such.  You cannot sell your expensive tickets to a third party.  That’s it.  That’s all it’s been about since the requirement came about, way before 9/11.  And fun fact: all of the alleged hijackers on 9/11 presented correct and proper and accurate identification.  When it comes to aviation in the US, they implemented a couple of one-time-deal smart measures here and there, and a metric shitload of stupid, ineffective, dehumanizing, EXPENSIVE measures that are purely theatrical, to hand money to cronies and to “look like” they’re doing something.

    This, sadly, is not exclusive to aviation… most security is about showing the “customer” how safe they should feel, and not a damn bit else.

  13. So what apps can read the PDF417 bar code on a boarding pass? I’ve tried a few and none have worked.

    1. I found a whole bunch of results from online versions to ios apps… no boarding pass at the moment to test with, but I’m sure there’s got to be one somewhere… 
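The thread above turns on whether the payload should be encrypted, how large an asymmetric ciphertext would be, and whether the barcode should instead be only a pointer into a database. As an added example (not from the post or any commenter, and not the TSA's or an airline's code), here are the two designs a practitioner would actually compare: an authentication tag appended in a BCBP-style security trailer that a scanner checks offline, and an opaque token whose data stays server-side. The payload layout and the '^' trailer format follow my reading of the IATA BCBP guide linked earlier; the passenger data is constructed. HMAC-SHA256 stands in for a signature because it needs only Python's standard library; that choice means every scanner holds the shared key, which is exactly the distribution problem raised in the thread, and a 64-byte Ed25519 signature in the same trailer would let scanners hold only a public key at about the same payload cost.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed single-leg BCBP payload: 60 mandatory characters, then the '>'
# conditional section.  Same layout as the IATA format; the values are made up.
PAYLOAD = "".join([
    "M1", "DOE/JANE".ljust(20), "E", "ABC123".ljust(7), "SFO", "JFK", "UA ",
    "1234 ", "293", "Y", "011A", "0042 ", "1", "47",            # mandatory (60)
    ">4", "18", "0WW2293BUA ", " " * 13,                        # unique section (24)
    "29", "016", "1234567890", "0", "0", "UA ", "UA ",          # repeated section...
    "0012345678".ljust(16), "N", "20K",                         # ...(41)
])
SELECTEE_OFFSET = 103  # selectee indicator for this layout; '0' = not PreCheck

# The secret the thread worries about.  With a MAC every scanner needs it; with a
# signature scheme the scanners would hold only the public key.
ISSUER_KEY = secrets.token_bytes(32)


def sign(payload: str, key: bytes) -> str:
    """Append a BCBP-style security trailer ('^', type, 2-hex length, data)
    carrying a truncated HMAC-SHA256 tag over the whole payload.  20 tag
    bytes base32-encode to 32 characters from a barcode-safe alphabet."""
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()[:20]
    data = base64.b32encode(tag).decode("ascii")
    return f"{payload}^1{len(data):02X}{data}"


def verify(signed: str, key: bytes) -> Optional[str]:
    """Return the payload if its trailer authenticates under key, else None.
    This is the check the post says the document scanners do not perform."""
    payload, sep, trailer = signed.rpartition("^")
    if not sep or len(trailer) < 3:
        return None
    try:
        expected_len = int(trailer[1:3], 16)
    except ValueError:
        return None
    data = trailer[3:]
    if len(data) != expected_len:
        return None
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()[:20]
    if not hmac.compare_digest(base64.b32encode(tag).decode("ascii"), data):
        return None
    return payload


def tamper(signed: str, selectee: str) -> str:
    """The attack from the post applied to a signed pass: flip the flag and
    re-encode, keeping the old trailer because the attacker lacks the key."""
    payload, sep, trailer = signed.rpartition("^")
    payload = payload[:SELECTEE_OFFSET] + selectee + payload[SELECTEE_OFFSET + 1:]
    return payload + sep + trailer


class Issuer:
    """The 'pointer into a database' design: the barcode carries only a random
    token; every field, including screening status, stays on the issuer's side."""
    def __init__(self):
        self._passes = {}

    def issue(self, payload: str) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits: unguessable, nothing to edit
        self._passes[token] = payload
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._passes.get(token)  # a changed token finds nothing, not a partial record


if __name__ == "__main__":
    signed = sign(PAYLOAD, ISSUER_KEY)
    print("genuine pass verifies:", verify(signed, ISSUER_KEY) == PAYLOAD)
    print("flag flipped to 3 verifies:", verify(tamper(signed, "3"), ISSUER_KEY))
    issuer = Issuer()
    token = issuer.issue(PAYLOAD)
    print("token round-trips:", issuer.lookup(token) == PAYLOAD)
```

The trailer adds 36 characters to a 131-character payload, well inside what a PDF417 symbol holds, and verification needs no network: the scanner recomputes the tag and compares in constant time. The token design trades that for an online lookup at every checkpoint, which is the availability concern a commenter raised, but it also removes the passenger data from the barcode entirely.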
