Slashdot Mirror
Ask Slashdot: Is TSA's PreCheck System Easy To Game?
OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"
If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass. This is much like a honeypot that folks sometimes use in network security. (For those who don't know, a honeypot is an easily hackable machine that serves no purpose except to be hacked so that an observer can find folks who are trying to break in.)
There is a very good DefCon talk on youtube about barcodes and how easy they are to scam. It's so trivial to encrypt the data in a barcode but of course TSA has spared every expense in the defence of america.
Here's the DefCon talk: http://www.youtube.com/watch?v=qT_gwl1drhc
Dear aunt, let's set so double the killer delete select all
Yes it is.
Wrong question is being asked
A better question is -- Would it matter if TSA PreCheck System were easy to game?
Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"
These people are lazy. They're annoying, and they're a blight to society. However, for the time being we're all stuck with them until the rest of the general population rises up and says "We've had enough, out you go!".
So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.
The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE. You think you have legal rights, that they can't do that? They have and they will. Have fun spending the next 5 years of your life debating the finer details of the law in court so you can continue to fly down to Hawaii with the family on occasion for vacation.
It doesn't matter that their system is broken, or that the whole thing is a security theatre and a complete and utter farce. It matters what they're going to do to you when they find out you've been tampering with the system. If you make them look like idiots, their reaction will be to label you as a nefarious terrorist or hacker who was out to get the TSA and thank god they eventually stopped you because who knows what you would have done if they hadn't.
So are you **really** willing to live with the consequences of tampering with the system? Or are you just talking big because someone said the TSA was hackable and now it's all cool and hip to point that out to other people and pretend like you're actually gonna go ahead and do it?
Look the code to determine pre-check is in the clear and easy to read. What's not obvious is if it's also easy to change. There is a base-64 message below all the normal data that seems to decode to a hash. I would expect that this hash is protecting the integrity of the data above. No one I have seen has modified their barcode and presented it to the TSA. So while there is speculation that it is easy to change, there is no proof and some mild evidence that says this may not be so.
Wrong question is being asked
A better question is -- Would it matter if TSA PreCheck System were easy to game?
Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"
No, neither question is really relevant. It doesn't matter if the system is easy to game for someone with technical aptitude because this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.
As usual, a good thread on the topic from Schneier-ville: https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html
Forward! -- Emperor Norton, 2012
Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.
No, they're not. There are occasional busts, but most go unreported or unaddressed.
Fun fact: The TSA refuses to report such thefts to local authorities, as a matter of policy.
I'm a nature photographer.
" this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives."
DING DING DING DING DING!
Ladies and gentlemen, please lower your bids. We have a winner.
"Flyin' in just a sweet place,
Never been known to fail..."
I am not a fan of the TSA, but let's be fair here: the purpose of doing security checks is not to catch terrorists with bombs in their shoes, but rather to eliminate shoe-bombing as a viable form of attack.
The problem is, there are a large (but not technically infinite) number of such attacks. With the TSA only re-acting to the threat as it is used, that means there are (largeNum -1) attacks remaining. So, with such a large number of attacks to choose from, any terrorist would have no problem with the TSA.
In other words, the TSA only started checking shoes after someone tried to hide a bomb in one. The TSA only started their asinine 3-1-1 liquid rules after a liquid bomb plot was uncovered. And no doubt, the TSA will start rectal exams after a terrorist shoves a bomb up their ass.
Responding to the PREVIOUS threat is not security.
What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.
Not everybody is screaming for increased authority being given to the TSA to declare martial law in airports. Too far? I think it was too far on September 10th, 2001, as the security procedures in pace prior to the 9/11 attacks should have stopped those terrorists from getting on board those planes in the first place as well as stopping even the shoe bomber.
These guys are simply being lousy rent-a-cops that really don't know the first thing about how to act as a law enforcement agency in a once free representative democracy. It is sad that they can't simply act like almost every other police agency acting outside of those airports and *gasp* actually investigate crimes when they happen, to do gum shoe detective work, and root out would be criminals who might be causing problems. I also think this "zero tolerance" for terrorist actions is maddening as well.
The real issue here is that stupid people do stupid things. We can't afford to have TSA level security in malls, public schools, banks, or elsewhere. Certainly not in bus stations or on freeways. In reality we can't afford to have this in airports either, but some stupid congressmen had a knee jerk reaction to a non-problem and didn't really address the issues involved either... trading one form of corruption for another.
What the TSA should be doing is real security and police work in airports. There may even be a need to keep it a federal agency, so far as threats to airport security typically do cross state borders and even become international problems. There are even national security issues involved so far as there are foreign governments who are using "terrorist groups" as surrogates to cause chaos and disorder deliberately in an attempt to further their own national goals. Yes, I'm saying that Al-Queida and other similar groups are not merely spontaneous but rather are supported, financed by, and encouraged by many countries (almost all of whom have seats at the United Nations along with national capitals and recognizable leaders) and this is a real war going on.
If these doughnut loving idiots would get off their behinds, turn off their scanning machines, and actually do some real police work to find those people who are causing problems... then I might be encouraged by the work that the TSA is doing. For now, I consider them to be lazy asses that are wasting billions of tax dollars on a futile exercise that won't stop a real terrorist attack in America by somebody determined to cause problems. This security theater is utter bullshit and needs to stop. If there is a real threat that soliders or mercenaries from foreign governments are coming into America... they should also be stopped. But it should be painfully obvious who they are as well and stopping those foreign soldiers from committing acts of war inside of America can be done without infringing on the rights of ordinary citizens or molesting toddlers.