Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Is TSA's PreCheck System Easy To Game?

Posted by Unknown on from the it's-probably-a-crime dept.

OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"

6 of 157 comments (clear)

  1. Re:Probably, but watch out for the Audit. by NIK282000 · · Score: 5, Informative

    There is a very good DefCon talk on youtube about barcodes and how easy they are to scam. It's so trivial to encrypt the data in a barcode but of course TSA has spared every expense in the defence of america.
     
      Here's the DefCon talk: http://www.youtube.com/watch?v=qT_gwl1drhc

    --
    Dear aunt, let's set so double the killer delete select all
  2. Re:Could be a honeypot by iiii · · Score: 4, Informative

    Yeah, and the "who".

    Their thought: "hey, well catch the bad guys who are trying to get around security!"
    Reality: they catch the nerds who know how to hack barcodes and want to save 10 minutes of waiting in a security line.

    But this is giving them too much credit. They are not thinking that far ahead. They are still stuck on shoe bombs (22 Dec 2001).

    --
    Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
  3. Easy to Read, not sure easy to change by Anonymous Coward · · Score: 5, Informative

    Look the code to determine pre-check is in the clear and easy to read. What's not obvious is if it's also easy to change. There is a base-64 message below all the normal data that seems to decode to a hash. I would expect that this hash is protecting the integrity of the data above. No one I have seen has modified their barcode and presented it to the TSA. So while there is speculation that it is easy to change, there is no proof and some mild evidence that says this may not be so.

  4. Schneier by Penurious+Penguin · · Score: 5, Informative

    As usual, a good thread on the topic from Schneier-ville: https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html

    --
    Forward! -- Emperor Norton, 2012
  5. Re:Yes by Jeremiah+Cornelius · · Score: 5, Informative

    " this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives."

    DING DING DING DING DING!

    Ladies and gentlemen, please lower your bids. We have a winner.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  6. Re:Yes by Sqr(twg) · · Score: 3, Informative

    Unless you want to give all your flight details to some random web server operator, you're better off installing something like http://sourceforge.net/projects/zbar/ and decoding yourself.