Wait - if hacking a barcode is this easy for PreCheck, why isn't it just as easy to hack a barcode for the entire boarding pass? Surely they have some sort of encryption or checkdigit equivalent for the barcode that would spit it out as invalid because it doesn't conform to the algorithm.
Programs: CO Plat/1K, DL Silver, HH Diamond, bmi dirt, PWP General Secretary
Posts: 22,639
Quote:
Originally Posted by drewguy
Wait - if hacking a barcode is this easy for PreCheck, why isn't it just as easy to hack a barcode for the entire boarding pass? Surely they have some sort of encryption or checkdigit equivalent for the barcode that would spit it out as invalid because it doesn't conform to the algorithm.
It is possible. I wasn't able to identify the
Quote:
11F>30B
string in the barcode information. This maybe a CheckSum code. However, it doesn't matter. Not all boarding passes are scanned at the TSA checkpoint. The photoshop hack from like 5 years is still valid.
It is possible. I wasn't able to identify the string in the barcode information. This maybe a CheckSum code. However, it doesn't matter. Not all boarding passes are scanned at the TSA checkpoint. The photoshop hack from like 5 years is still valid.
All boarding passes for precheck are, though, right?
The text string isn't really what's important, though, it's the barcode that's important, and whether there's some additional bar code validation. I don't know enough about the tech as to how this is done.
It is possible. I wasn't able to identify the string in the barcode information. This maybe a CheckSum code. However, it doesn't matter. Not all boarding passes are scanned at the TSA checkpoint. The photoshop hack from like 5 years is still valid.
Programs: CO Plat/1K, DL Silver, HH Diamond, bmi dirt, PWP General Secretary
Posts: 22,639
Quote:
Originally Posted by drewguy
All boarding passes for precheck are, though, right?
The text string isn't really what's important, though, it's the barcode that's important, and whether there's some additional bar code validation. I don't know enough about the tech as to how this is done.
Yes, my boarding pass has the "3" which means if there was Pre-Check in T2 at PHX I could use it. I did not edit the data posted other than to remove personal information.
Possible. What I did to test the concept was decode the barcode, then take the information I got and re-encode it on another system. The barcode created looked the same as the first. If there was "hidden" data, it should have manifested in the design of the barcode. Though, I admit I am no great shake at understanding the creation of barcode.
Quote:
Originally Posted by FearFree
Seat/Gate assignment perhaps?
I X'd out my seat assignment, and none of those numbers correspond to a gate in PHX.
You do admit that this is really just a theoretical exercise.
It would be interesting to see if you could print one out from home and also a "real" one from the airport to see what happens when you try to scan it. (not that i'm advocating doing anything potentially illegal)
I would think that they would have thought of something as simple as reverse engineering a string of characters in a barcode and put security measures in place to prevent (or at least make more difficult) potential hacking.
Possible. What I did to test the concept was decode the barcode, then take the information I got and re-encode it on another system. The barcode created looked the same as the first. If there was "hidden" data, it should have manifested in the design of the barcode.
If the data you put in were the same, the barcode should look the same. If you changed a piece of data, would it look different, and, if so, would it look different in more ways than just the place representing the change you made?
That said, if the barcode creation program complies with the algorithm for that type of barcode, it should implement any check digits as well, so the point may be irrelevant.
Programs: CO Plat/1K, DL Silver, HH Diamond, bmi dirt, PWP General Secretary
Posts: 22,639
Quote:
Originally Posted by gobluetwo
You do admit that this is really just a theoretical exercise.
It would be interesting to see if you could print one out from home and also a "real" one from the airport to see what happens when you try to scan it. (not that i'm advocating doing anything potentially illegal)
I would think that they would have thought of something as simple as reverse engineering a string of characters in a barcode and put security measures in place to prevent (or at least make more difficult) potential hacking.
I agree I just validated the concept. Also, I just used two websites and MSpaint. However, people who are far more diligent can easily get a hold of barcode readers and do a complete study.
Also, by not encrypting the data one can still if they are eligible for pre-check allowing a person to make decision on whether or not to try and "beat the screening" at the airport long before they get to the TDC at the airport. So, even if the one can't modify the data, just by having it visible allows people to beat the system.
All of this could be stopped if the TSA and the Airlines just encrypted the data to begin with.
You do admit that this is really just a theoretical exercise.
It would be interesting to see if you could print one out from home and also a "real" one from the airport to see what happens when you try to scan it. (not that i'm advocating doing anything potentially illegal)
I would think that they would have thought of something as simple as reverse engineering a string of characters in a barcode and put security measures in place to prevent (or at least make more difficult) potential hacking.
While I would be interested in the result, I am far less interested in the consequences if its not smooth sailing
Programs: CO Plat/1K, DL Silver, HH Diamond, bmi dirt, PWP General Secretary
Posts: 22,639
Quote:
Originally Posted by drewguy
If the data you put in were the same, the barcode should look the same. If you changed a piece of data, would it look different, and, if so, would it look different in more ways than just the place representing the change you made?
That said, if the barcode creation program complies with the algorithm for that type of barcode, it should implement any check digits as well, so the point may be irrelevant.
True, but the issue was of hidden data. All I did was cut and paste the un-encoded data line. If it was missing hidden CheckSum data the the new barcode would look different than the original. It didn't. I am no expert, I could have missed something.
Now I can't identify some of the data, so it is possible that is CheckSum line that cause the scanner to tell the TSA I am a baddy if I altered it.
Perhaps the first test should be with a BP that is simply decoded and recoded? That way if you are asked to print a new one, the encoded digits in fact match on both, then just blame your cheap home printer for screwing up "again."
