A newly discovered flaw with barcodes on US airline boarding passes could allow passengers to take unauthorized items onto flights, according to security experts.
The vulnerability has to do with the US Transport Security Administration (TSA) and its PreCheck program, which allows a certain number of frequent fliers on each flight to board the plane after undergoing less stringent security checks.
Passengers are selected for what’s known as “expedited screening” at random – the point being that they will never know until they arrive at the security checkpoint if they have to undergo more thorough checks or not.
Airport staff scan a barcode on each passengers boarding pass to see if they have been selected for expedited screening or not. Those chosen are not required to remove their belts, shoes and jackets, and can keep items such as laptops and toiletries.
However, there is a fundamental weakness with the barcode system – as these can be read by any smartphone using a bog-standard barcode reader app, meaning that passengers can print their boarding pass at home and find out whether or not they’ll be subject to heavier security checks.
The flaw was highlighted by security expert John Butler in his aviation blog last week, where he showed that the barcodes are not encrypted.
Butler explains that he wanted to expose the vulnerability because he is “seriously concerned with boarding pass security”.
He also points out that potential terrorist looking to carry dangerous materials on board a flight wouldn’t even have to wait until they got lucky, as it’s possible to easily alter the barcodes as well:
“What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode,” he writes.
“Finally, using a commercial photo-editing program or any program that can edit graphics [they can] replace the barcode in their boarding pass with the new one they created.”
Butler also points out that terrorists could also change other information on the boarding pass too, such as the flight details or passenger name:
“The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information.”