Slashdot Mirror


Experts Warn About Security Flaws In Airline Boarding Passes

concealment writes in with a story about a newly found security issue with the bar codes on boarding passes. "Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive. Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers. Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process."


  1. Same security for all by Kwyj1b0 · · Score: 5, Interesting

    Has anyone seen a case where a passenger is waved through security? Each time I go through, everyone in line for screening goes through the same process (then again, I am completely average and might not have seen advanced/reduced security for anyone except pilots).

    1. Re:Same security for all by Anonymous Coward · · Score: 3, Interesting

      Most countries don't check entering the country other than customs. I suspect the TSA does it for more funding. It is a department with the largest scope creep I have ever seen.

    2. Re:Same security for all by GumphMaster · · Score: 5, Informative

      Once you pass passport checks the 'security' on entering Australia is to do with biological security. A US national entering from a US flight is low risk for carrying biological hazards like viable seeds, eggs, infested timber products etc. Had you entered on a flight you joined in Africa or Asia, or been a Chinese national (think suitcase full of traditional remedies), they would likely have X-rayed everything for biological matter. We have stiff penalties for failing to declare prohibited biological items.

      Security on leaving Australia bound for the US is largely dictated by US policy.

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    3. Re:Same security for all by psiclops · · Score: 3

      i got that when i came back from the U.S.

      i figured it was due to the fact that i had previously travelled to saudi arabia

      --
      i spent five minutes thinking and all i got was this crappy sig
    4. Re:Same security for all by fustakrakich · · Score: 5, Interesting

      It is a department with the largest scope creep I have ever seen.

      You mean aside from the CIA, NSA, IRS, DOD, FBI, the executive branch of the government, the entire government itself? It's pretty hard to quantify 'scope creep' when everybody is guilty.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Same security for all by Joce640k · · Score: 5, Informative

      When I entered Australia as a U.S. citizen studying abroad I was waved through security. I'm still not sure why, but I don't think it had anything to do with my boarding pass showing me as definitely not a terrorist.

      You mean you were treated like a human being? In the rest of the world that's what we call "normal".

      --
      No sig today...
    6. Re:Same security for all by camperdave · · Score: 4, Funny

      It is a department with the largest scope creep I have ever seen.

      You mean aside from the CIA, NSA, IRS, DOD, FBI, the executive branch of the government, the entire government itself? It's pretty hard to quantify 'scope creep' when everybody is guilty.

      You misunderstand. Sure, all those agencies have creeps at the scope; but the TSA has the biggest creeps.

      --
      When our name is on the back of your car, we're behind you all the way!
  2. Photoshop? by x_IamSpartacus_x · · Score: 5, Interesting

    How possible would it be to do very subtle Photoshop (or the GIMP) changes to ensure someone goes through the expedited process? Heck, terrorism aside, I'D do it just to avoid the cancer machines.

    1. Re:Photoshop? by DecimalMan · · Score: 3, Informative

      Probably not a good idea. From TFA: "it is illegal to tamper with a boarding card under U.S. law."

    2. Re:Photoshop? by Swampash · · Score: 4, Insightful

      Printing an entirely new one with your own bar code doesn't tamper with the existing card at all.

    3. Re:Photoshop? by whoever57 · · Score: 3, Insightful

      Probably not a good idea. From TFA: "it is illegal to tamper with a boarding card under U.S. law."

      As already pointed out, if you are a terrorist cell, you don't need to alter the boarding passes, just buy enough and see which ones have the minimum screening. Heck, the people selected for maximum screening could make the process longer (carry some items that are not allowed but are common and largely innocuous, such as scissors, bottles of water, etc.), thus reducing the likelihood of the minimum screening catching anyone because of the distraction.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Photoshop? by PerformanceDude · · Score: 4, Insightful

      On the other hand, if you are a terrorist cell, you are probably not terribly concerned about U.S. law...

      --
      Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
    5. Re:Photoshop? by zazzel · · Score: 4, Insightful

      It's not tampering, it's forgery. How much of a tech/nerd guy do you have to be to NOT immediately see this?

    6. Re:Photoshop? by AmiMoJo · · Score: 3, Interesting

      I usually print my own boarding pass these days. Check-in online and print a web page with barcode image on it. Altering that barcode before printing would be trivial.

      Fortunately I don't really need to because last time I travelled it appeared that the nude scanners and shoe removal queue had all gone and just the metal detector was left.

      You can still get cheap thrills by putting on a metal belt buckle if you are into that sort of thing. I noticed that a lot of guys wait until they can see who is doing the checks, and if she looks hot they keep their belt on, otherwise it comes off and goes in the tray.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Photoshop? by gutnor · · Score: 4, Interesting

      That is the scary thing about all that. There is no real screening on site or behaviour analysis, or you know, normal police work. No the level of scrutiny you get is dictated in advance by some random algorithm and independent of what you do there.

      Security theater indeed !

    8. Re:Photoshop? by 1u3hr · · Score: 4, Interesting

      the level of scrutiny you get is dictated in advance by some random algorithm and independent of what you do there.

      Which is actually the safest method, short of checking 100% of passengers. It's easy to game any system that predictably targets specific groups, you just make sure your agents aren't in those groups and you're safe. If the chances of being searched are random, you can't reduce the risk of getting caught.

      Of course, you'd ideally also want to have some smart guys to do additional searches based on observation. But they seem in short supply.

      The real security theatre is the immense effort devoted to imaginary threats, liquids and shoes, for instance, which were never a real threat to begin with.

    9. Re:Photoshop? by dkleinsc · · Score: 5, Informative

      quite possible, as Bruce Schneier explains in detail.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    10. Re:Photoshop? by wienerschnizzel · · Score: 3, Funny

      Or perhaps to do a good ol' "DROP TABLE flights;"?

  3. How long till John Butler gets arrested? by Nyder · · Score: 4, Insightful

    Wonder how long till John Butler gets arrested for sharing this info. National security and all that.

    --
    Be seeing you...
    1. Re:How long till John Butler gets arrested? by fatphil · · Score: 5, Informative

      Not likely to be long at all. Here's wikipedia's take on Chris Soghoian's tale:

      On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden.

      Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists.[3] Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer (D-NY)[4][5] and security expert Bruce Schneier.[6] Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes. Democrat Edward Markey, House of Representatives committee (telecommunications and the internet) stated Soghoian should be arrested.[2]

      At 2 AM on October 28, 2006, his home was raided by agents of the FBI to seize computers and other materials.[7] Soghoian's Internet Service Provider voluntarily shut down the website, after it received a letter from the FBI claiming that the site posed a national security threat.[8] The FBI closed the criminal investigation in November 2006 without filing any charges.[9] The TSA also initiated a civil investigation in December 2006,[10][11] which was closed without any charges being filed in June 2007.[12][13]

      --
      Also FatPhil on SoylentNews, id 863
  4. Re:Profiling by Black+Parrot · · Score: 4, Insightful

    Indeed. It's pretty hard to say "random search" if the guy's badge code has a special section selecting him for "extra screening"

    It could be determined randomly before people are able to print their boarding passes.

    In fact that would probably be the best way to ensure a random search, since a person at the gate might be influenced by your appearance.

    Plus, if you have legitimate reason to believe someone is higher than average risk, you could just specify what's needed on the boarding pass, and not have to rely on the staff to spot you based on a picture.

    --
    Sheesh, evil *and* a jerk. -- Jade
  5. Re:The truth... by lightknight · · Score: 4, Insightful

    'Tis a jobs program, and nothing more. Even the congressmen who are against the idea of the TSA are busy spinning it as providing jobs to their constituents.

    Which is funny on so many levels. We all know that the TSA was built on a lie, we all know that it is worthless, we all know that it is bleeding the taxpayers dry, and we all know that we'd be better off without it. And yet, they're going to keep it, because jobs. Jobs which provide no net income, jobs which cost three times more than they are worth, jobs with glass ceilings built in, jobs which do not help America to grow anywhere but the waistline, and yet, they are so desperate to protect them. The money they are earning in kickbacks must be tremendous.

    --
    I am John Hurt.
  6. Re:What is wrong with that? by mi · · Score: 3, Insightful

    When people have tried to walk away from the airport upon discovering, they were selected for the extra microwaving (or groping), they were told, they can no longer leave and must go through the screening. The reason was given, that doing otherwise would allow terrorists to attempt to travel, but back away if they find themselves selected for more rigorous checks.

    Well, if the level of checking is printed right there on one's boarding pass, the terrorists don't have to reveal themselves. When they find out -- ahead of time -- that they were picked for extra attention, they can simply leave all the bombs at home, fly away and back, and then try again until they draw a "lucky" boarding pass.

    --
    In Soviet Washington the swamp drains you.
  7. Re:Profiling by PerformanceDude · · Score: 5, Insightful

    Actually - for many years when I was traveling in the US, if (and only if) my boarding pass had SSSS printed on it, I would be subjected to extra screening. The SSSS would be printed in large clear letters on the document. I don't know what genius came up with that advance warning, but it sure as hell would tell a wannabe terrorist not to go through with his plan and try again some other time. The people managing these processes really need to think such things through a little bit better.

    --
    Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
  8. Re:Profiling by ryanov · · Score: 4, Informative

    Bingo. http://en.wikipedia.org/wiki/Secondary_Security_Screening_Selection

    I got into an argument with a customer service representative (and flew standby -- not sure which was responsible) and received this.

  9. Re:Profiling by xenobyte · · Score: 3, Informative

    Ah, for all values of random where random = any flag in a DHS database anywhere.

    Just so thrilled that we have discrimination down to a science.

    Profiling is awesome. It surpasses all other screening methods in efficiency and effectiveness.

    Not only is it fast (it can be done entirely before the passenger even arrives at the airport), and those not flagged can be sent through with a minimum of screening (all this equals much less waiting), it is also efficient as it would have caught all the 9/11 hijackers as well as the 'shoe bomber' and the 'underwear bomber', while none of the scanners would have caught anything, and even the grope search is likely to have missed almost everything.

    Another backside to the current scanner-fixated system is that it creates some awfully attractive long queues filled with people outside the secure area where even a small nail bomb easily could kill hundreds. If you are going to assemble a lot of people in a confined space at the airport it should be inside the secured areas where they are less of a target.

    And of course there's plenty of other places with lots of people assembled and little or no security - like malls, concerts, amusement parks, train- and bus stations or so on. There's a lot of potential targets so the only efficient means to secure them is to take out any potential terrorists way before they can get near such places or even get their hands on bomb materials and explosives.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  10. TSA only = US focused by ardiri · · Score: 4, Informative

    this only applies to the TSA who actually scan and pass people around the security scanning solution based on the results of what is in the barcode. in europe, you always have to go through scanning process, regardless of what your 2D barcode has encoded within it. all the TSA is doing here, is opening up a chance for terrorists based on local soil to get through the security scanning process simpler. the challenge is that the USA has the most number of travelers through the airline system than anywhere else in the world; doing extensive security checks does choke the system - so, they need to try and filter out the more frequent/trusted flyers, the net result is they are wasting time screening some since they don't screen everyone.

  11. You think the barcode is bad... by T-Bucket · · Score: 4, Interesting

    Not only could you photoshop the barcode, but hell, you could photoshop the name, the destination, the flight number, pretty much anything you wanted... The brainless goons at the security checkpoint wouldn't know the difference. (They don't scan tickets or anything).

    In my experience (working for a contractor for a major US airline), you could even use a photoshopped (printed at home) boarding pass to get on the plane. When they scan it at the gate and the computer beeps saying "no such thing", generally the non-english-speaking gate agent will just scan it a few more times, give up, and let the person on the plane. When the passenger count from the computer later doesn't match up to the number of people on the plane, they'll just "go with what's on the plane" in the interest of getting the plane out on time. This happens on a DAILY BASIS. "Security" is a joke.

    1. Re:You think the barcode is bad... by jwdb · · Score: 4, Interesting

      I've actually had this happen to me. Connecting flight, they gave me a new boarding pass at the gate (one with a boarding group number), and I neglected to check that it was the right one. The ticket scanner beeped weirdly when I tried to board but the agent waved me on anyway, and only when I found someone else in my seat did I realize that I had been given someone else's boarding pass, and that person had already boarded.

      I believe it was Washington Dulles, westbound.

    2. Re:You think the barcode is bad... by RobertLTux · · Score: 3, Insightful

      its funny how close the "unlock cockpit" and "vent cabin" buttons are on the planes control panel.

      don't forget the most dangerous weapon on an airplane is THE AIRPLANE ITSELF.

      all a pilot would have to do in the worst case is 1 vent the cabin 2 disable the autopilot 3 have a bit of "fun" with aerobatics

      result 1 plane full of folks that have been tossed about like dice in a cup. ("ATC this is flight 34583 request immediate clearance for landing and Medical meet us on the ground." "roger flight 34583 nature and scope of injuries...")

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  12. Re:Profiling by PerformanceDude · · Score: 4, Interesting

    Hmm - funny that. I once got that too after complaining to an American Airlines check-in lady about a checked luggage fee. Qantas passengers are exempt from such fees, as I tried to point out to her, but she wanted to hit me with it anyway. After a long debate and a visit from her supervisor the fee was waived - but - surprise surprise - SSSS appeared on the boarding card. This was on one leg out of 10 flights around the US, so it could not have been on the basis of any kind of passenger profiling. Maybe some slashdotter in the airline industry can enlighten us here...

    --
    Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
  13. Re:The truth... by OrigamiMarie · · Score: 4, Insightful

    Jobs which slow the economy by discouraging pleasure travel (and all of the nice tourist spending) and business travel (and the kinds of business deals and chance new acquaintances you only get in person). Travel is incredibly important to our economy, it is part of what makes a large country so strong. When people opt out of it, the ripple effects are amazing.

  14. Re:The truth... by wvmarle · · Score: 3, Insightful

    Besides that it's election time, you guys have high employment already so it's political suicide for either party to say "hey you couple hundred thousand (or however many work in TSA) low-educated workers, please go find another job as we're shutting you down".

  15. Re:Profiling by excelblue · · Score: 5, Interesting

    Airline employees can manually mark any boarding pass as SSSS.

    How do I know? When it was possible to fly by purposely refusing to present ID, I once flew on a ticket that was paid for by another family member. When I went to check in and check my bags, they asked for ID. I nicely told them that I prefer not to be identified and will be flying as a selectee. Person at ticket counter gives me a dirty look and responds (expectedly) that the SSSS is required if you don't present ID, but everything flowed smoothly after that. It's a shame that you can't refuse to identify yourself anymore these days.

    After that, I think I was flagged as all my boarding passes for the next couple years had SSSS on it.

  16. The Joys Of Flying by rally2xs · · Score: 5, Interesting

    including the inability to get non-stop flights for most routes, having to pay to park in a lot that is still a 10 minute ride to the terminal, having to arrive 2 hours early to ensure getting thru security on time to board, having small innocuous items in my pockets stolen by TSA, risking having large innocuous items in my bags stolen by TSA, getting severely overcharged for food at airport terminals, getting X-rayed by someone who is not my doctor or dentist, having to do mini-marathons thru airports to make connecting flights, getting my bags lost, etc. etc. have all combined to cause me to decide to drive everywhere I go. Eventually, the Alcan Highway is going to get photographed up the wazoo, by me, 'cuz I'll drive up and ferry back. But the X-rays were the last straw, that shall not stand. I quit. You can find me on I-10 to Tucson next year, I-74 from Indy to La Crosse, I-64 to St. Louis, etc. etc. Until the unconstitutional TSA activity is removed, I will not choose to fly anywhere I can drive, or boat, or travel by train.

  17. Re:The truth... by dkleinsc · · Score: 3, Informative

    we all know that it is bleeding the taxpayers dry

    All your arguments except that one are valid. Some math will tell you why.
    TSA budget: $8.1 billion
    US federal budget: $3.7 trillion

    So the TSA makes up approximately 0.2% of the federal budget. You could cut it to $0 and still make no significant dent in the deficit. The big ticket items are, and have been for decades: Social Security, Medicare, Medicaid, and Defense. After the crash in 2008, unemployment insurance, food stamps, WIC, and housing assistance jumped up because more people are unemployed, hungry, or homeless. But the TSA just isn't even remotely close to what's bleeding the taxpayers dry.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  18. Re:The truth... by Fnord666 · · Score: 3, Funny

    We could retrain these guys and up their salaries at the same time to be Air Marshalls.

    Seriously? These are people that couldn't qualify for a position as a security guard at the local mall and you want to arm them and put them on a pressurized airplane? No thank you.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  19. Re:Profiling by myowntrueself · · Score: 3, Insightful

    Another backside to the current scanner-fixated system is that it creates some awfully attractive long queues filled with people outside the secure area where even a small nail bomb easily could kill hundreds. If you are going to assemble a lot of people in a confined space at the airport it should be inside the secured areas where they are less of a target.

    The fact that nothing remotely like this has happened speaks volumes about the threat faced

    --
    In the free world the media isn't government run; the government is media run.
  20. Re:Meaning of SSSS? by Half-pint+HAL · · Score: 3, Insightful

    It means "even the Nazis were only half as thorough as us"....

    --
    Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'