Tricking the TSA

Published: November 20, 2012 1:01 am
• The Washington Post
This is an archived article that was published on sltrib.com in 2012, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.

If, queued up at the airport — shoes half off, belt slung over your shoulder, laptop balanced precariously on one hand — you've ever looked at the speedy "pre-check" security line and wondered how easy it would be to fake your way into a less invasive screening, you would have been onto something.

The Post's James Ball reports that frequent fliers and technology geeks have discovered that the Transportation Security Administration's boarding pass procedures are bizarrely insecure, allowing those with some basic software and know-how to read sensitive security information contained in boarding pass bar codes and even to alter those bar codes.

The result could be bad guys getting around tough screening or the government's no-fly list.

The bar codes contain information about how much scrutiny the TSA will give each ticket holder. But they aren't encrypted. Any passenger with a smartphone can figure out whether he or she is destined for the pre-check line, which was designed for very frequent fliers and others thought to pose few security risks, or the line for tougher screening.

In theory, this could tip off a terrorist who has managed to qualify himself for pre-check to the sort of security he will have to deal with. More troubling, though, is that it is also possible for said terrorist to fiddle with the bar code. He could place himself in the pre-check line. Or, if he is on a no-fly list, he could change the name printed on a copy of his boarding pass. That could fool the TSA agents checking tickets at security checkpoints, because they don't compare the names in the bar codes to the database of fliers that the airlines keep.

Longtime boarding pass security critic Chris Soghoian points out there are easy policy changes that can fix both problems. Requiring each bar code to bear a digital signature would make any tampering evident.

The TSA already has the technology to handle this — it is just a matter of making sure the airlines cooperate. The TSA could also shake up how it decides which passengers will undergo random checks.

The justification for extensive airline security is not that it will ever be foolproof but that the apparatus of no-fly lists, backscatter scanners, bar code machines and TSA agents is worth the expense of money, time and invaded privacy to make it more difficult for terrorists to attack the country's airlines.

That logic relies on the questionable notion that the TSA can anticipate flaws and, if it doesn't, quickly fix them when others point them out.

© Copyright 2024 The Salt Lake Tribune. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.