The situation centers on the PreCheck program in which select passengers are allowed to receive what the TSA calls "expedited screening benefits" such as the right to leave their shoes on and keep their laptops in carry-on bags when they travel on domestic flights. The program does not guarantee such benefits will bestowed upon the traveler each time he or she is at a designated checkpoint, and the TSA says in its description of the program that it will still use "random and unpredictable security measures" throughout the airport.
That randomness however may be in jeopardy. The reason is that the passenger and flight information encoded in barcode on the boarding passes PreCheck passengers receive â€" which can be printed up to 24 hours before a flight â€" is not encrypted. That means that it can be read by those with the technical know-how, giving them a heads-up if they are going to be subjected to lesser scrutiny.
"What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode," aviation blogger John Butler writes last week. "Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created."
According to the Washington Post, some details of the situation have been circulating in online forums for months. However, the issue gained widespread media coverage only recently after Butler posted Oct. 19 that he was able to decode his boarding pass for an upcoming trip. In an updated post Oct. 24, he questions why the TSA and the airlines have not come up with an encoding system for the bar codes on boarding passes.
"The effect of such a system would be that when anyone puts their boarding pass into one of the online barcode readers, the output is just a string of characters," he blogs. "The airline and TSA scanners would have [a] chip that contains the decryption key, which would turn the data into the information we see currently."
In a Frequently Asked Questions section, TSA states that participants are not supposed to know in advanced if they have been cleared for expedited screening.
"If the agency determines a passenger is eligible for expedited screening through TSA [PreCheck], information will be embedded in the barcode of the passenger’s boarding pass," the agency notes on its site. "TSA will read the barcode at designated checkpoints and the passenger may be referred to an expedited screening lane."
Though the TSA did not respond to a request for comment from Dark Reading, a spokesperson did tell the the Washington Postthat it does not comment on the specifics of the screening process and that the "TSA Pre Check is only one part of our intelligence-driven, risk-based approach."
PreCheck is open to frequent travelers using Alaska Airlines, American Airlines, Delta Air Lines, United Airlines, US Airways and certain members of CBP's Trusted Traveler programs, including Global Entry, SENTRI and NEXUS who are U.S. citizens. Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
No comments:
Post a Comment