Risk
10/26/2012
01:44 AM
Connect Directly
RSS
E-Mail
50%
50%

TSA PreCheck Program Security Hole Exposes Screening Status

Airline boarding passes available to participants in the TSA's PreCheck program contain unencrypted information that could be used to determine whether the person will receive expedited screening

A program that was supposed to be a convenience for frequent airline passengers has turned into a bit of a security flap for the Transportation Security Administration (TSA).

The situation centers on the PreCheck program in which select passengers are allowed to receive what the TSA calls "expedited screening benefits," such as the right to leave their shoes on and keep their laptops in carry-on bags when they travel on domestic flights. The program does not guarantee such benefits will be bestowed upon the traveler each time he or she is at a designated checkpoint, and the TSA says in its description of the program that it will still use "random and unpredictable security measures" throughout the airport.

That randomness, however, may be in jeopardy. The reason is that the passenger and flight information encoded in barcode on the boarding passes PreCheck passengers receive -- which can be printed up to 24 hours before a flight -- is not encrypted. That means it can be read by those with the technical know-how, giving them a heads-up if they are going to be subjected to lesser scrutiny.

"What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode," aviation blogger John Butlerwrote last week. "Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created."

According to the Washington Post, some details of the situation have been circulating in online forums for months. However, the issue gained widespread media coverage only recently after Butler posted Oct. 19 that he was able to decode his boarding pass for an upcoming trip. In an updated post Oct. 24, he questions why the TSA and the airlines have not come up with an encoding system for the barcodes on boarding passes.

"The effect of such a system would be that when anyone puts their boarding pass into one of the online barcode readers, the output is just a string of characters," he blogs. "The airline and TSA scanners would have [a] chip that contains the decryption key, which would turn the data into the information we see currently."

In a Frequently Asked Questions section, TSA states that participants are not supposed to know in advance whether they have been cleared for expedited screening.

"If the agency determines a passenger is eligible for expedited screening through TSA [PreCheck], information will be embedded in the barcode of the passenger’s boarding pass," the agency notes on its site. "TSA will read the barcode at designated checkpoints and the passenger may be referred to an expedited screening lane."

The error here is the system in and of itself, says Christopher Burgess, chief security officer of technology firm Atigeo. If the TSA is going to preselect people, it should hide this information from those being selected; if they are sorting people, then it should be tied into real-time data, he argues.

"Remember, the TSA [PreCheck] is ostensibly for those with frequent flier status with airlines and individuals who have subjected themselves to Trusted Person verification by USG," he says. "A suggestion might be the scan of the ID being used at the TSA check and comparison to that of the last XX trips. Think about it. I am a trusted person as I travel a good bit. If someone with a forged ID shows up as me, that quick visual will quickly allow the TSA clerk to A) notice the difference in photo (one hopes); B) be able to ask a question re: recent travel for validation; C) compare ID to prior IDs -- none of which requires profiling."

Though the TSA did not respond to a request for comment from Dark Reading, a spokesperson did tell the Washington Postthat it does not comment on the specifics of the screening process, and that the "TSA PreCheck is only one part of our intelligence-driven, risk-based approach."

PreCheck is open to frequent travelers using Alaska Airlines, American Airlines, Delta Air Lines, United Airlines, US Airways, and certain members of CBP's Trusted Traveler programs, including Global Entry, SENTRI and NEXUS, who are U.S. citizens.

* This story was updated with additional commentary. Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.