FlyerTalk Forums


FatherAbraham Oct 20, 2012 2:17 pm

Hacked Boarding Pass QR code?
 
If the hack is true and works, it likely means that Pre-Check will have to be suspended until all the airlines with PreCheck update and secure their BP.

As with all things electronic, it is only a matter of time before someone figures out the workaround.

cordelli Oct 20, 2012 2:21 pm

http://www.flyertalk.com/forum/check...pre-check.html

nycedwardd Oct 20, 2012 5:51 pm

Does anyone know of any software that can decode IATA BCBP? The article doesn't mention what site they used.

FatherAbraham Oct 20, 2012 6:30 pm


Originally Posted by nycedwardd (Post 19534221)
Does anyone know of any software that can decode IATA BCBP? The article doesn't mention what site they used.

I imagine the "how to" thread was closed for good reason, this is a "what if" thread.

If BP and precheck can be so easily fooled, precheck will have to be suspended.

Travelsonic Oct 20, 2012 10:52 pm


Originally Posted by FatherAbraham (Post 19534373)
I imagine the "how to" thread was closed for good reason, this is a "what if" thread.

If BP and precheck can be so easily fooled, precheck will have to be suspended.

IMO, framing it as a "so easy" matter is disingenuous - possibility and ease are not synonyms.

Ari Oct 21, 2012 8:18 am

My understanding is that, although the data on the barcode itself is not encrypted, each barcode has a signature. Change a data element without changing the signature and the BP will not work for PreCheck. It will beep three times, but with a red light. This means PreCheck eligible, but an invalid signature. In that case, you don't get PreCheck.

So it isn't going to work unless people figure out how to create a good signature, and that probably isn't that easy-- certainly not as easy as just changing a data element.

So PreCheck doesn't need to be suspended (for this reason, anyway).

Loren Pechtel Oct 21, 2012 8:24 pm


Originally Posted by Ari (Post 19536872)
My understanding is that, although the data on the barcode itself is not encrypted, each barcode has a signature. Change a data element without changing the signature and the BP will not work for PreCheck. It will beep three times, but with a red light. This means PreCheck eligible, but an invalid signature. In that case, you don't get PreCheck.

So it isn't going to work unless people figure out how to create a good signature, and that probably isn't that easy-- certainly not as easy as just changing a data element.

So PreCheck doesn't need to be suspended (for this reason, anyway).

It depends on how good the signature is. There aren't a lot of digits on there and most of them can be identified. Gather enough boarding passes and you can crack the code. There simply aren't enough digits on there to do a secure crypto.

baliktad Oct 21, 2012 9:41 pm


Originally Posted by Loren Pechtel (Post 19539945)
It depends on how good the signature is. There aren't a lot of digits on there and most of them can be identified. Gather enough boarding passes and you can crack the code. There simply aren't enough digits on there to do a secure crypto.

Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

bluenotesro Oct 21, 2012 10:36 pm

I'm sure a 12 yo NSA bound kid could do it.

Ari Oct 21, 2012 11:15 pm


Originally Posted by baliktad (Post 19540267)
Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

The take-home point should be that one can decode the barcode very easily, but re-coding it to give oneself PreCheck isn't as simple as it looks; to the contrary, it is quite difficult if it is even possible.

Loren Pechtel Oct 22, 2012 4:27 pm


Originally Posted by baliktad (Post 19540267)
Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

And where do you propose to put an 80 bit signature in that code?

The stuff is alphanumeric, giving 36 possibilities. That's only a little over 5 bits/char, I'll round up to 6. That means you need 14 characters to encode that 80 bit signature. Where are those 14 characters???

Consider the original:

Originally Posted by boarding pass
M1PUCK/COLWMR YXXXXXX PHXEWRUA XXX 294RXXXFXX 11F>30B

WWXXX BUA 0E016 3

He blacked out identifiable data, we can be sure none of the Xs are a signature. I also see other obvious data, "PHX", "EWR", "UA" and one of "11F" and "30B".

The final 3 has already been identified as the pre-check status. The stuff right by the Xs is no doubt boilerplate, something that could easily be confirmed by examining several boarding passes.

That leaves the first part which feels far more like data than signature, the "BUA" which I can't identify and the "0E016". If there is a signature it's almost certainly this last part--and that's simply not a big enough keyspace to be worth anything.

Ari Oct 22, 2012 4:49 pm


Originally Posted by Loren Pechtel (Post 19545776)
And where do you propose to put an 80 bit signature in that code?

The stuff is alphanumeric, giving 36 possibilities. That's only a little over 5 bits/char, I'll round up to 6. That means you need 14 characters to encode that 80 bit signature. Where are those 14 characters???

Consider the original:


He blacked out identifiable data, we can be sure none of the Xs are a signature. I also see other obvious data, "PHX", "EWR", "UA" and one of "11F" and "30B".

The final 3 has already been identified as the pre-check status. The stuff right by the Xs is no doubt boilerplate, something that could easily be confirmed by examining several boarding passes.

That leaves the first part which feels far more like data than signature, the "BUA" which I can't identify and the "0E016". If there is a signature it's almost certainly this last part--and that's simply not a big enough keyspace to be worth anything.

11F, 30B, BUA and 0E016 appear on every UA BP I can recall decoding.

For some reason, a signature doesn't show up on a scan of UA's BPs; I don't know why. Here is an AA barcode I scanned today:


M1LASTNAME/FIRSTNAME EXXXXXX ORDLGAAA 0380 XXXP005BXXXX 148>218
WW2296BAA 000000000000029001001XXXXXXX3 AA AA XXXXXXX
AKr8oPk411EH7WMQ195Dods93Z3WdLl8bw==|GMjjBZfVst94c 7Ihde5S9Q69fI5vhpxj

The last part looks like a signature. The QR code read the same way.

Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BP's have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

cparekh Oct 22, 2012 7:28 pm


Originally Posted by Ari (Post 19545890)
Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BP's have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

My speculation is exactly this. AA's barcode is set to display the signature, and UA's is set not to display. Still doesn't get around the fact that one would need to re-sign if data in the bar code are changed.

That being said, it is still nice to know (or at least usually know) if you get Pre-Check prior to arriving at the airport.

Ysitincoach Oct 22, 2012 7:38 pm

From IATA:

5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).

The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.

Each signature is unique to an airline and a boarding pass: if the bar code data are modified, they won’t match the signature any more. Moreover a signature cannot be generated without the private key. Consequently only an airline can generate a boarding pass with a digital signature and the bar code cannot be tampered with.

Loren Pechtel Oct 22, 2012 9:21 pm


Originally Posted by Ari (Post 19545890)
The last part looks like a signature. The QR code read the same way.

Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BP's have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

Ok, with that on there I will change my opinion. That's big enough that if they did the crypto right there's no way it's going to be cracked.
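
An added example (not from any poster, IATA or an airline) of the two points argued in this thread: a tag computed over the barcode data stops verifying when one data element is changed, and how many bits a given number of barcode characters can carry. HMAC-SHA1 with a shared key stands in for the private-key signature the IATA text describes, because Python's standard library has no public-key signing; the key, the sample pass and all function names are constructed for illustration.

```python
import hashlib
import hmac
import math

# Constructed sample data; not a real boarding pass or a real airline key.
AIRLINE_KEY = b"constructed-demo-key"
SAMPLE_PASS = "M1DOE/JANE EABC123 ORDLGAAA 0380 295Y012A0001 3"
TAG_BYTES = 10  # 80-bit tag, the size used in the thread's estimate


def sign(data: str, key: bytes = AIRLINE_KEY) -> bytes:
    """Return an 80-bit tag: HMAC-SHA1 (160 bits) truncated to 10 bytes."""
    return hmac.new(key, data.encode("ascii"), hashlib.sha1).digest()[:TAG_BYTES]


def verify(data: str, tag: bytes, key: bytes = AIRLINE_KEY) -> bool:
    """Recompute the tag over the scanned data and compare in constant time."""
    return hmac.compare_digest(sign(data, key), tag)


def bits_of(chars: int, alphabet: int) -> float:
    """Upper bound on the information carried by `chars` symbols."""
    return chars * math.log2(alphabet)


def chars_needed(bits: int, alphabet: int) -> int:
    """Symbols required to carry `bits` bits in the given alphabet."""
    return math.ceil(bits / math.log2(alphabet))


def exhaust_years(bits: float, guesses_per_second: float) -> float:
    """Years to enumerate every value of a `bits`-bit tag."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    tag = sign(SAMPLE_PASS)
    edited = SAMPLE_PASS[:-1] + "1"  # one data element changed, tag kept
    print("original verifies:", verify(SAMPLE_PASS, tag))
    print("edited verifies:  ", verify(edited, tag))
    print("5 alphanumeric chars: %.1f bits" % bits_of(5, 36))
    print("chars for 80 bits: base36=%d base64=%d"
          % (chars_needed(80, 36), chars_needed(80, 64)))
    print("80 bits at 1e12 guesses/s: %.0f years" % exhaust_years(80, 1e12))
```

The 1e12 guesses per second is the thread's "a million computers that tried a million combinations a second".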

