raffik
Topic Author
Posts: 1564
Joined: Tue Feb 28, 2006 9:50 am

Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 10:03 am

I was reading this article, which says that passengers can foresee whether they will be pre-selected for security by how their barcode is formed, and the report suggests this poses a threat to airline safety.

Is it possible to just check everybody, or will there always be a percentage of people who won't go through the more rigorous checks because it would overload the security line?

http://www.bbc.co.uk/news/technology-20080621
- Alec
 
CPHFF
Posts: 220
Joined: Fri Aug 19, 2011 11:03 am

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 10:22 am

Interesting article, thanks for sharing.

I'm a bit confused in regards to the following quote: "Passengers can pay $100 (£62) to the US customs agency which then performs a background check. If the passenger is approved it gives him or her the right to use all of the US airlines' PreCheck systems for five years."

Is this based on name or cellphone number?

Per
If it weren't for UAW, Detroit would shine!
 
srbmod
Posts: 15446
Joined: Tue Mar 20, 2001 1:32 pm

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 10:28 am

From the way the article reads, this is only in regards to those passengers who are enrolled in the Pre Check program that use the mobile boarding passes. Those who are in the Pre Check program have already undergone a background check as for the most part, they are members of Global Entry, SENTRI or NEXUS which are "trusted traveler" programs that the Customs & Border Protection offers. Elite members of FFPs of participating airlines in those programs may also be eligible for Pre Check if they meet the TSA requirements. Pre Check is expedited screening for trusted travelers and does not randomly decide which passengers can skip parts of the security screening process. They still have to have their bags scanned and still have to walk through the scanners/detectors that all other passengers have to. They just may not have to remove their shoes, belt, jacket, laptops from their bags, or their liquids from their bag. Are there risks of something getting past the screening process? Yes, but considering that TSA screeners have allowed stuff to get past in the regular security lanes, this article is much ado about nothing. The average passenger who travels a handful of times a year and happens to use their smartphone for a boarding pass does not apply to this at all.
 
PlaneInsomniac
Posts: 421
Joined: Tue Nov 20, 2007 7:34 am

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 11:38 am

Well, the real issue is that this information appears to be encoded in the barcode in plain text without any encryption. Barcodes are not difficult to produce. This means it would be possible to modify any given boarding pass (under this pre-check program) to contain the flag indicating "skip thorough security", which would otherwise appear perfectly legal. It is not possible to detect such a modification, since there does not seem to be any checksum or anything of that kind contained in the barcode, much less any encryption. One could simply take the electronic version of the boarding pass (e.g., the PDF), manipulate the barcode, print it out, and arrive at the airport knowing that one will not be subjected to those thorough security checks.

Quoting srbmod (Reply 2):
They just may not have to remove their shoes, belt, jacket, laptops from their bags, or their liquids from their bag.

Well, if I can manipulate the system to ensure that these checks do not (ever) apply to me, it becomes a security issue.
Am I cured? Slept 5 hours on last long-haul flight...
 
Cubsrule
Posts: 14838
Joined: Sat May 15, 2004 12:13 pm

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 12:14 pm

Quoting PlaneInsomniac (Reply 3):
Well, if I can manipulate the system to ensure that these checks do not (ever) apply to me, it becomes a security issue.

Pre Check is not automatic, so even if you could manipulate the system to ensure that you were in Pre Check, the checks would still sometimes apply to you.
I can't decide whether I miss the tulip or the bowling shoe more
 
PlaneInsomniac
Posts: 421
Joined: Tue Nov 20, 2007 7:34 am

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:00 pm

Quoting Cubsrule (Reply 4):
checks would still sometimes apply

Well, yeah, and that is kind of the point. As far as I understand, the flag in the barcode determines whether "sometimes" is today. And if you can manipulate it, this in theory means that "sometimes" never comes...

The problem is that it appears the "random" picking for more thorough security checks is done when the boarding pass is produced and then encoded in the barcode.

Obviously, one would assume that they change that policy effective immediately.
Am I cured? Slept 5 hours on last long-haul flight...
 
gegarrenton
Posts: 203
Joined: Fri Aug 03, 2012 3:32 pm

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:09 pm

Quoting PlaneInsomniac (Reply 3):
Well, if I can manipulate the system to ensure that these checks do not (ever) apply to me, it becomes a security issue.

That isn't how it works. You have to be in the Pre Check database to start with. Just encoding the barcode for it won't work if you don't match. Now, if you have had a background check and are still going to do something, well, that's a totally different conversation.
 
Cubsrule
Posts: 14838
Joined: Sat May 15, 2004 12:13 pm

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:09 pm

Quoting PlaneInsomniac (Reply 5):
As far as I understand, the flag in the barcode determines whether "sometimes" is today. And if you can manipulate it, this in theory means that "sometimes" never comes...

There are other, more practical concerns. If the Pre Check checkpoint is not open, no one gets Pre Check regardless of what his boarding pass says.
I can't decide whether I miss the tulip or the bowling shoe more
 
PlaneInsomniac
Posts: 421
Joined: Tue Nov 20, 2007 7:34 am

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:36 pm

Quoting gegarrenton (Reply 6):
That isn't how it works. You have to be in the Pre Check database to start with.

...which is why I wrote...

Quoting PlaneInsomniac (Reply 3):
modify any given boarding pass (under this pre-check program)
Am I cured? Slept 5 hours on last long-haul flight...
 
PlaneInsomniac
Posts: 421
Joined: Tue Nov 20, 2007 7:34 am

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:38 pm

Quoting Cubsrule (Reply 7):
If the Pre Check checkpoint is not open, no one gets Pre Check regardless of what his boarding pass says.

Sure. However, one can still (hypothetically) massively reduce the risk of a thorough check. Which is what the entire discussion is about.
Am I cured? Slept 5 hours on last long-haul flight...
 
gegarrenton
Posts: 203
Joined: Fri Aug 03, 2012 3:32 pm

RE: Security Threat With Smartphone Boarding Pass

Fri Oct 26, 2012 1:44 pm

Quoting PlaneInsomniac (Reply 8):

...which is why I wrote...

I know, which I responded with...

Quoting gegarrenton (Reply 6):
Now, if you have had a background check and are still going to do something, well, that's a totally different conversation.

It's a totally different discussion.
 
Maverick623
Posts: 4726
Joined: Thu Nov 30, 2006 9:13 am

RE: Security Threat With Smartphone Boarding Pass

Sat Oct 27, 2012 4:15 am

Just another sensationalistic piece of garbage. I'm disappointed that the BBC would run such a story.

1) Regular boarding passes are far easier to read and manipulate.

2) The article cites a "security expert", but only posts a link to a blog run by some paranoid whack job with zero posted qualifications.


Nothing to see here...
"PHX is Phoenix, PDX is the other city" -777Way
 
chrisair
Posts: 2176
Joined: Fri Sep 01, 2000 11:32 pm

RE: Security Threat With Smartphone Boarding Pass

Sat Oct 27, 2012 6:12 am

Quoting PlaneInsomniac (Reply 3):
One could simply take the electronic version of the boarding pass (e.g., the PDF), manipulate the barcode, print it out, and arrive at the airport knowing that one will not be subjected to those thorough security checks.

No you can't actually. There's a digital signature on all of the barcodes. Trying to update the barcode with the PreCheck code would break the digital signature. Once that happens, the BP won't scan.
 
tjcab
Posts: 358
Joined: Sat Oct 23, 2004 3:14 am

RE: Security Threat With Smartphone Boarding Pass

Sat Oct 27, 2012 7:22 am

Hmm, the really scary part is that they feel that these secondary "random" checks are required in the first place. What does this tell us about the routine security that applies to the masses?
 
tdscanuck
Posts: 8573
Joined: Wed Jan 11, 2006 7:25 am

RE: Security Threat With Smartphone Boarding Pass

Sat Oct 27, 2012 5:30 pm

Quoting TJCAB (Reply 13):
Hmm, the really scary part is that they feel that these secondary "random" checks are required in the first place. What does this tell us about the routine security that applies to the masses?

Random checks are one of the few things the airline security folks do well; it's what prevents potential threats from exploiting any real or perceived patterns in the screening process.

Tom.
 
PlaneInsomniac
Posts: 421
Joined: Tue Nov 20, 2007 7:34 am

RE: Security Threat With Smartphone Boarding Pass

Sun Oct 28, 2012 12:20 pm

Quoting chrisair (Reply 12):

Quoting PlaneInsomniac (Reply 3):
One could simply take the electronic version of the boarding pass (e.g., the PDF), manipulate the barcode, print it out, and arrive at the airport knowing that one will not be subjected to those thorough security checks.

No you can't actually. There's a digital signature on all of the barcodes.

According to the person who originally reported the security flaw, this is not correct:

http://puckinflight.wordpress.com/20...nd-the-boarding-pass-check-system/

"What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names."

He also has the entire content of one of his boarding passes listed there (with some personal information X'ed out).

According to him, the information is unencrypted and can basically be manipulated by anybody.
Am I cured? Slept 5 hours on last long-haul flight...
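
Added example, not part of any post in this thread: the disagreement above is whether the barcode carries anything that lets a scanner detect an edit, so this sketch shows what such a check does on a constructed payload whose field layout and `SCREEN` flag are made up for illustration (not the real boarding-pass format). HMAC-SHA256 from the Python standard library stands in for a digital signature, and the key is a constructed demo value.

```python
import hashlib
import hmac

# Constructed demo key (assumption). HMAC is a stand-in here: with a real
# digital signature, scanners would hold only a public key and could not
# mint valid passes themselves.
ISSUER_KEY = b"constructed-demo-key"
TAG_LEN = 16  # bytes of the truncated HMAC-SHA256 tag carried in the barcode


def _tag(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()[:TAG_LEN]


def issue(payload: str, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: append a hex tag computed over the exact payload text."""
    return f"{payload}|{_tag(payload, key).hex()}"


def verify(barcode: str, key: bytes = ISSUER_KEY):
    """Checkpoint side: return the payload if the tag matches, else None."""
    payload, sep, tag_hex = barcode.rpartition("|")
    if not sep:
        return None  # no tag at all: an unsigned barcode is rejected
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return None
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    return payload


def demo():
    # Constructed payload in a made-up field layout, not the real barcode format.
    payload = "NAME=DOE/JOHN;FLT=XX123;SCREEN=1"
    signed = issue(payload)
    edited = signed.replace("SCREEN=1", "SCREEN=3")   # flag edited after issue
    renamed = signed.replace("DOE/JOHN", "ROE/JANE")  # name edited after issue
    return verify(signed), verify(edited), verify(renamed), verify(payload)


if __name__ == "__main__":
    print(demo())
```

A tag like this only makes edits detectable; the flag itself stays readable in advance, which is the original poster's concern. Hiding it would take encryption of the field or a lookup done at the checkpoint instead of at issue time.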
