How the TSA has, again, failed on simple technology


The last time the TSA got this much press for screwing up a basic technology task it was because someone didn’t know how to properly create a redacted PDF. This time it is all about barcodes and boarding passes. It turns out that the data stored in the bar code on your boarding pass is not encrypted. It is a plain text string covering pretty much all the details of your flight. The TSA can scan the barcode at the checkpoint to get your name and flight info to verify your ID against, helping to protect against forged boarding passes, at least in theory. Except it is just plain text encoded in the bar code, and creating a bar code is actually a trivial task.


Even worse than not encrypting the data is that in many cases it isn’t even signed. Other than comparing the text on the paper to the digital readout on the scanner at the checkpoint it does not appear possible for the TSA to confirm whether the information being presented to them is actually what the airline issued, or even if an airline issued it. This harkens back to the boarding pass generator from a few years ago, a site the FBI eventually forced offline. But the ability to create a fake still very much exists. The only thing stopping someone from doing so is that it is illegal. Generally speaking that’s not a huge deterrent to someone intending to break the law.

Even worse is that the latest flaw also exposes the PreCheck program data. This is the supposedly random selection program whereby some passengers will sometimes get security much more like 2000 than last week. No taking off shoes. No taking laptops out. None of the silly things which the TSA has worked VERY hard for the past decade to convince us are necessary to keep us safe. Assuming they know you’re probably not a terrorist due to background checks they can allow you a less stringent screening process. But it is supposedly random. Reading the clear text data makes it trivial to know in advance if one will get the PreCheck clearance. So much for random. A program which truly was an advancement for passengers is now looking less and less secure. Ouch.

It is truly unfortunate that the TSA has whiffed so badly on the implementation of this technology. There was a very real opportunity – and relatively easy technical implementation – to build a system where the data was digitally signed or otherwise validated. The standards on which the bar code systems are based include that as part of the spec. But the TSA doesn’t require it. A simple digital signature from the airline could guard against tampering. Yet it isn’t part of the system in the USA. Why not?
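As an added illustration of the tamper check described above (not code from this post, the TSA or any airline): the airline appends an authentication tag to the plaintext payload and the checkpoint verifies it offline. The field layout, key and function names are constructed, and a standard-library HMAC stands in for the airline's public-key signature, which would let scanners verify without holding any secret.

```python
import hashlib
import hmac

# Constructed demo key. With a real public-key signature the checkpoint
# would hold only the airline's public key, never a shared secret.
AIRLINE_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_HEX_LEN = 32  # HMAC-SHA256 truncated to 16 bytes, hex encoded


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def issue(payload: str, key: bytes = AIRLINE_KEY) -> str:
    """Airline side: append an authentication tag to the plaintext payload."""
    return f"{payload}^{_tag(payload, key)}"


def verify(barcode: str, key: bytes = AIRLINE_KEY):
    """Checkpoint side: return the payload if the tag matches, else None.

    Works offline: no lookup against a central database is needed.
    """
    payload, sep, tag = barcode.rpartition("^")
    if not sep or len(tag) != TAG_HEX_LEN:
        return None  # unsigned or malformed barcode is rejected, not trusted
    # Constant-time comparison on bytes avoids leaking how much matched.
    ok = hmac.compare_digest(tag.encode(), _tag(payload, key).encode())
    return payload if ok else None


def fields(payload: str) -> dict:
    """Parse the constructed 'K=V;K=V' layout used in this example."""
    return dict(item.split("=", 1) for item in payload.split(";"))


# Constructed sample data; this is not the real boarding pass field layout.
PAYLOAD = "NAME=DOE/JANE;PNR=ABC123;FROM=IAD;TO=SFO;FLT=XX0123;PRECHECK=0"
SIGNED = issue(PAYLOAD)
# An edit to any field leaves the old tag in place, so it no longer matches.
TAMPERED = SIGNED.replace("PRECHECK=0", "PRECHECK=1")

if __name__ == "__main__":
    print("genuine accepted :", verify(SIGNED) is not None)
    print("tampered accepted:", verify(TAMPERED) is not None)
    print("unsigned accepted:", verify(PAYLOAD) is not None)
    # Integrity is not confidentiality: the fields are still readable.
    print("PRECHECK readable:", fields(verify(SIGNED))["PRECHECK"])
```

Signing detects edits but does not hide the data: the PreCheck indicator stays readable in advance unless the payload is also encrypted.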

At least the TSA response to this latest problem is consistent: the multiple layers of security will protect us. Never mind that matching a passenger to an ID to their huge lists of names was considered a keystone component of the security efforts. Apparently only when they want that to matter.

Truly an embarrassing implementation by the TSA.

Mobile boarding pass image courtesy of United/Apple Passbook demo



Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.

15 Comments

  1. It’s definitely not encrypted (I scanned an AA boarding pass from a few weeks ago and read it). But I’m pretty sure it was signed.

  2. At least the military members using Pre-Check are using de facto encryption since they must present their Common Access Card (CAC) card and TSA scans it with DoD before letting the person through.

  3. The best question to ask is whether or not info from the BP is compared with Secure Flight data when scanned? More generally, are the scanners at checkpoints connected to a network? If they are, then it doesn't matter much that the QR code is signed/encrypted etc since it is just a PNR locator to an actual database at TSA (fed by airlines).

  4. Ron, it isn’t. There is no real-time link between the readers at the checkpoints and any centralized database.

  5. Selfishly, I hope they don’t go and shut down TSA pre-check lanes until they figure this out…

  6. The (good?) news here is that this is fairly easy to rectify. I’ll be curious to see how long it takes TSA to fix. Count me in the camp of those that hope they don’t close down Pre-Check while they figure it out. I just got it at my home airport (IAD) and don’t want to go back to the old checkpoints underground.

  7. Their official response is the same as every other time someone points out when they screw up: “We have layers of security.”

    In other words, they just don’t care.
