A newly discovered flaw with barcodes on US airline boarding passes could allow passengers to take unauthorized items onto flights, according to security experts.
The vulnerability has to do with the US Transport Security Administration (TSA) and its PreCheck program, which allows a certain number of frequent fliers on each flight to board the plane after undergoing less stringent security checks.
Passengers are selected for what’s known as “expedited screening” at random – the point being that they will never know until they arrive at the security checkpoint if they have to undergo more thorough checks or not.
Airport staff scan a barcode on each passengers boarding pass to see if they have been selected for expedited screening or not. Those chosen are not required to remove their belts, shoes and jackets, and can keep items such as laptops and toiletries.
However, there is a fundamental weakness with the barcode system – as these can be read by any smartphone using a bog-standard barcode reader app, meaning that passengers can print their boarding pass at home and find out whether or not they’ll be subject to heavier security checks.
The flaw was highlighted by security expert John Butler in his aviation blog last week, where he showed that the barcodes are not encrypted.
Butler explains that he wanted to expose the vulnerability because he is “seriously concerned with boarding pass security”.
He also points out that potential terrorist looking to carry dangerous materials on board a flight wouldn’t even have to wait until they got lucky, as it’s possible to easily alter the barcodes as well:
“What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode,” he writes.
“Finally, using a commercial photo-editing program or any program that can edit graphics [they can] replace the barcode in their boarding pass with the new one they created.”
Butler also points out that terrorists could also change other information on the boarding pass too, such as the flight details or passenger name:
“The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information.”
Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occassional contributer to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.
Got a news story or tip? Email Mike@SiliconANGLE.com.
Latest posts by Mike Wheatley (see all)
- Businesses like the Internet of Things, but they’re not doing it right - September 25, 2016
- Microsoft boosts blockchain efforts with Ethereum-based Project Bletchley - September 25, 2016
- HyTrust survey highlights worrying lack of data encryption in the cloud - September 23, 2016