The last time the TSA got this much press for screwing up a basic technology task it was because someone didn’t know how to properly create a redacted PDF. This time it is all about barcodes and boarding passes. It turns out that the data stored in the bar code on your boarding pass is not encrypted. It is a plain text string covering pretty much all the details of your flight. The TSA can scan the barcode at the checkpoint to get your name and flight info to verify your ID against, helping to protect against forged boarding passes, at least in theory. Except it is just plain text encoded in the bar code, and creating a bar code is actually a trivial task.
Even worse than not encrypting the data is that in many cases it isn’t even signed. Other than comparing the text on the paper to the digital readout on the scanner at the checkpoint it does not appear possible for the TSA to confirm whether the information being presented to them is actually what the airline issued, or even if an airline issued it. This harkens back to the boarding pass generator from a few years ago, a site the FBI eventually forced offline. But the ability to create a fake still very much exists. The only thing stopping someone from doing so is that it is illegal. Generally speaking that’s not a huge deterrent to someone intending to break the law.
Even worse is that the latest flaw also exposes the PreCheck program data. This is the supposedly random selection program whereby some passengers will sometimes get security much more like 2000 than last week. No taking off shoes No taking laptops out. None of the silly things which the TSA has worked VERY hard for the past decade to convince us are necessary to keep us safe. Assuming they know you’re probably not a terrorist due to background checks they can allow you a less stringent screening process. But it is supposedly random. Reading the clear text data makes it trivial to know in advance if one will get the PreCheck clearance. So much for random. A program which truly was an advancement for passengers is now looking less and less secure. Ouch.
It is truly unfortunate that the TSA has whiffed so badly on the implementation of this technology. There was a very real opportunity – and relatively easy technical implementation – to build a system where the data was digitally signed or otherwise validated. The standards on which the bar code systems are based include that as part of the spec. But the TSA doesn’t require it. A simple digital signature from the airline could guard against tampering. Yet it isn’t part of the system in the USA. Why not?
At least the TSA response to this latest problem is consistent: the multiple layers of security will protect us. Never mind that matching a passenger to an ID to their huge lists of names was considered a keystone component of the security efforts. Apparently only when they want that to matter.
Truly an embarrassing implementation by the TSA.
Mobile boarding pass image courtesy of United/Apple Passbook demo