Why the Delta BP “hack” isn’t a security risk


Earlier this week there was a lot of news about the Delta mobile boarding pass system was flawed or hacked and allowing travelers to display any boarding pass they wanted rather than just their own. Oopsie.

delta-mobile-boarding-pass
A sample Delta mobile boarding pass and Aztec barcode. Easy to decode, hard to forge

But, really, just oopsie. Yes, there is some theoretical privacy risk there where PNR data (including name and frequent flyer number) is visible. But it is not a security risk, despite the several claims I’ve read suggesting otherwise.

Let us assume, for the moment, that checking ID against the name on the boarding pass is a necessary part of the security process. Even if that were true this latest Delta situation does not actually increase any risk there. You may have read that the data in the barcode is stored in plain text. That is also true. It is easy to read what is there and, if so desired, to generate a new barcode with different data in it.

What is hard, however, is digitally signing the barcode with a valid signature. And every mobile boarding pass barcode is digitally signed. Which means you cannot just decode the barcode, alter the name, print yourself a new one and get through security. At least not with a mobile BP. (Note that this was not always the case.)

Take the sample boarding pass above. It has a passenger name and flight details encoded in it (Jane Smith is flying from LAX to ATL). But it also has a digital signature at the end.

M1SMITH/JANE          EGY4HV2 ATLLAXDL 0110 293C06D 0001 10FDL004BI7HPF06DN4cMDYCGQCV40DTCPaG9CjVi90lLYENm1t3NhUBamcCGQDp15QB//VkMNaP65mNa6smF0XbdO35sGo=

If you change the bits at the beginning then when it scans that hash won’t match and the TSA will know. The scanner beeps differently when that happens.

Here’s another boarding pass. This is a real one of mine from a trip earlier this year.

seth-united-boarding-pass
A United paper boarding pass printed at the airport. Also easy to decode.

And here’s what’s in the barcode:

M1MILLER/SETHBRIAN    ED6**** LAXLASUA 1458 265F002F0016 15C>318 0 K4265BUA              2901624226****** UA UA ******37            *30600    09  UAG

I’ve redacted it a bit but the important part to notice is that it is not digitally signed. It does not have the hash of text at the end. And none of this is particularly secret. The format for the contents of the barcode is a spec published by IATA.

Don’t get me wrong: it absolutely is possible to forge a boarding pass and not all of the barcodes are digitally signed. But it is also relatively trivial to get a fake ID or otherwise get past the TSA checkpoint.

This Delta SNAFU is a bit embarrassing for the company and may have exposed more personal information than they should have. But it is not a security risk. And, yes, there’s a difference.

Related Posts:

Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.


Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.

8 Comments

  1. Thanks for posting reasoned and rational thought on your blog, I appreciate the views you offer.

  2. People completely misuse the word security, it refers to several different things and can promote misunderstanding. There’s reservation and frequent flyer account security which is of course totally different from aviation security.

  3. A few thoughts:
    1) I’m surprised your paper boarding pass that is coded for PreCheck doesn’t have a digital signature
    2) While the TSA barcode scanners check to make sure a signature is valid, your paper boarding pass tells me that they don’t check that a signature actually exists. Thus, you could easily generate an Aztec barcode for a fake boarding pass on your mobile phone that doesn’t have a signature, and the TSA barcode scanner would treat it as valid. Of course, the solution to this is to simply have the data in all barcodes signed, regardless of format (PDF417 on a paper boarding pass or Aztec on a mobile boarding pass).
    3) You don’t quite make it clear, since you only mention it in connection with the signature-less paper boarding pass, but the applicable IATA specification includes details on how to include a (optional) digital signature.
    4) Finally, as Gary points out, this may not be an aviation security issue, but it is still an IT security issue–the fact that I can easily access someone else’s information is not a good thing, although the fact that the information revealed is random does make it significantly less useful.

    1. While it does say PreCheck on the BP, I don’t think he would have gotten the “3 beeps” to go through the PreCheck line. Look at this part: “15C>318 0 K4265BUA”… that 0 would need to be a 3.

  4. Privacy risk is the better term. And in this world that’s an issue of personal importance to more people. Simply having someone random know my FFN and itinerary is a concern for me – it’s enough for someone to play games canceling it as agents are inconsistent in asking for supporting info on the phone.

  5. Hi Seth,

    Probably a dumb question, and only semi-related, but any idea why your UA boarding pass shows LAST/FIRSTMIDDLE (which I believe mine should be, seeing that per TSA it must exactly match my ID)… mine always prints LAST/AUSTINCMR (where the C is my middle initial followed by MR)… its never been an issue but this is the first time I actually looked at someone else’s boarding pass and went hmmmmm. For what its worth, my ID has last, first, and full middle name.

    1. And now you’ve learned that the “exact match” bit isn’t really 100% a requirement. 😉

      Full name match matters more for PreCheck but just getting the first and last name correct is sufficient for the BP check. Middle name and title are less an issue.

Comments are closed.