TSA barcode flaw could let terrorists bypass security

Posted by Emma Woollacott

A vulnerability in the system for US domestic airline boarding cards could tell terrorists when it's safe to take unauthorized items on board.

Under what's known as the PreCheck system, certain randomly-chosen frequent fliers are allowed to skip part of the normal security processes, such as removing shoes and taking laptops out of bags.

Passengers can become eligible for the PreCheck system by paying $100 to the US customs agency, which then carries out a background check. Frequent fliers are also often enrolled for free.

The information on whether or not a particular passenger is to be given an easier ride is contained in a barcode on his or her boarding card.

But according to aviation expert John Butler, it's possible for passengers to use their smartphone to discover what type of security check they're about to face, 24 hours in advance.

"The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. Using a web site I decoded my boarding pass for my upcoming trip," he says.

"It’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check.  On this trip as you can see I am eligible for Pre-Check."

The flaw was first detected back in July, when the barcode data was analyzed by a poster on the flyertalk forum. Characters 104 and 105, he says, reveal whether a passenger has been selected for the full security process or not.

Astonishingly, much of the information needed to decode the barcode is published online in the International Air Transport Association's (IATA) implementation guide.

Most worryingly, says Butler, the data could even be used to create fake boarding cards with PreCheck eligibility.

"Thankfully, there is a really simple solution: encode the information before putting it on the boarding pass," he says.