US Boarding Pass Flaw Exposes Valuable Data

A flaw could allow passengers to avoid security checks

Passenger security when travelling on American domestic airlines has been thrown into doubt after a serious vulnerability was discovered on US boarding passes.

The vulnerability was highlighted by aviation blogger John Butler last week.

Unencrypted barcode

The flaw stems from a barcode found on US domestic airline boarding passes. This barcode is only meant to be read by US Transportation Security Administration (TSA) technology. But according to Butler, most smartphones can decode the data because the data it contains is unencrypted.

The flaw is serious, because it could allow certain American passengers to bypass some security checks and bring unauthorised items aboard the aircraft. This is because the barcode on the boarding pass is unencrypted and the data shows what type of airport security checks the passenger will receive before they board their aircraft.

Most of us will be familiar with the fairly rigorous security screening and checks an airliner passenger currently faces. Passengers are often asked to remove their shoes and belts, empty their toiletries, and have their bags scanned. The US, however, operates a PreCheck system, which randomly decides which frequent fliers can skip part of this pre-boarding security process.

The barcodes could therefore be used to allow passengers to work out if they had been picked, and if they have not, for certain security checks. The fear is that they could use this data to potentially smuggle illegal items on board.

“The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. Using a website I decoded my boarding pass for my upcoming trip,” wrote Butler.

Butler was able to reveal details on his own upcoming domestic flight in the United States. This included his seat assignment, flight number and name. “But what is interesting is the bolded three on the end,” explained Butler.

“This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.”

Photo editing

Butler is concerned because the flaw may allow terrorists to use a website to decode the barcode and get their hands on the info and then tamper with tickets.

They could then place this data in a text file, “change the 1 to a 3, then use another website to re-encode it into a barcode,” the researcher said. “Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created,” Butler warned.

“Even more scary is that people can do this to change names… So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID.

“The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.”

Butler said a simple solution could encode the information before putting it on the boarding pass. This would mean that passengers would need to break the encryption before accessing the data. The other solution is for the TSA to connect their scanners to the airline database and check the boarding pass against what the airline has.

Security remains a sensitive subject for the airline industry, which has to balance the security needs of the flight with the rights of passengers.

In the summer, it was revealed that British Airways was facing questions over potential privacy issues, because its staff were using the Internet to gather personal information about certain airline passengers.

Are you a security expert? Try our quiz!