
Boarding pass bar codes could aid would-be terrorists, experts say

Thursday, Oct. 25, 2012, 8:12 p.m.

Security flaws in airline boarding passes could allow would-be terrorists or smugglers to know in advance whether they will be subject to certain security measures, and perhaps even permit them to modify the designated measures, security researchers have warned.

The vulnerabilities center on the Transportation Security Administration's pre-screening system, a paid-for program in which the screening process is expedited for travelers at the airport: Laptops can remain in hand baggage, as can approved containers of liquid, and belts and shoes can be kept on.

Under the program, passengers can still be subject at random to conventional security screening.

Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive.

Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by tech-minded travelers.

Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process.

Butler's findings are supported by information in a technical specification publicly available on the website of the International Air Transport Association, and some details about the vulnerability appear to have circulated in aviation chat forums since at least July.

The TSA declined to comment on the reports, and would not say whether the agency had been made aware of the issue. A spokesman stressed that screening at airport checkpoints is only one part of a much wider security process.

“TSA does not comment on specifics of the screening process, which contain measures both seen and unseen,” spokesman Sterling Payne said. “TSA Pre Check is only one part of our intelligence-driven, risk-based approach.”

The findings highlight serious vulnerabilities within the current TSA security systems, according to Chris Soghoian, a security expert who sought to draw attention to airline security vulnerabilities in 2006 by building a website that permitted travelers to produce fake boarding passes.

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who'll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who's getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.”
