FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Checkpoints and Borders Policy Debate (https://www.flyertalk.com/forum/checkpoints-borders-policy-debate-687/)
-   -   Hacked Boarding Pass QR code? (https://www.flyertalk.com/forum/checkpoints-borders-policy-debate/1399420-hacked-boarding-pass-qr-code.html)

FatherAbraham Oct 20, 2012 2:17 pm

Hacked Boarding Pass QR code?
 
If the hack is true and works, it likely means that PreCheck will have to be suspended until all the airlines with PreCheck update and secure their BPs.


As with all things electronic, it is only a matter of time before someone figures out the work around.

cordelli Oct 20, 2012 2:21 pm

http://www.flyertalk.com/forum/check...pre-check.html

nycedwardd Oct 20, 2012 5:51 pm

Does anyone know of any software that can decode IATA BCBP? The article doesn't mention what site they used.

FatherAbraham Oct 20, 2012 6:30 pm


Originally Posted by nycedwardd (Post 19534221)
Does anyone know of any software that can decode IATA BCBP? The article doesn't mention what site they used.

I imagine the "how to" thread was closed for good reason, this is a "what if" thread.

If BP and precheck can be so easily fooled, precheck will have to be suspended.

Travelsonic Oct 20, 2012 10:52 pm


Originally Posted by FatherAbraham (Post 19534373)
I imagine the "how to" thread was closed for good reason, this is a "what if" thread.

If BP and precheck can be so easily fooled, precheck will have to be suspended.

IMO, framing it as a "so easy" matter is disingenuous - possibility and ease are not synonyms.

Ari Oct 21, 2012 8:18 am

My understanding is that, although the data on the barcode itself is not encrypted, each barcode has a signature. Change a data element without changing the signature and the BP will not work for PreCheck. It will beep three times, but with a red light. This means PreCheck eligible, but an invalid signature. In that case, you don't get PreCheck.

So it isn't going to work unless people figure out how to create a good signature, and that probably isn't that easy-- certainly not as easy as just changing a data element.

So PreCheck doesn't need to be suspended (for this reason, anyway).

Loren Pechtel Oct 21, 2012 8:24 pm


Originally Posted by Ari (Post 19536872)
My understanding is that, although the data on the barcode itself is not encrypted, each barcode has a signature. Change a data element without changing the signature and the BP will not work for PreCheck. It will beep three times, but with a red light. This means PreCheck eligible, but an invalid signature. In that case, you don't get PreCheck.

So it isn't going to work unless people figure out how to create a good signature, and that probably isn't that easy-- certainly not as easy as just changing a data element.

So PreCheck doesn't need to be suspended (for this reason, anyway).

It depends on how good the signature is. There aren't a lot of digits on there and most of them can be identified. Gather enough boarding passes and you can crack the code. There simply aren't enough digits on there to do secure crypto.

baliktad Oct 21, 2012 9:41 pm


Originally Posted by Loren Pechtel (Post 19539945)
It depends on how good the signature is. There aren't a lot of digits on there and most of them can be identified. Gather enough boarding passes and you can crack the code. There simply aren't enough digits on there to do secure crypto.

Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

bluenotesro Oct 21, 2012 10:36 pm

I'm sure a 12-year-old NSA-bound kid could do it.

Ari Oct 21, 2012 11:15 pm


Originally Posted by baliktad (Post 19540267)
Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

The take-home point should be that one can decode the barcode very easily, but re-coding it to give oneself PreCheck isn't as simple as it looks; to the contrary, it is quite difficult if it is even possible.

Loren Pechtel Oct 22, 2012 4:27 pm


Originally Posted by baliktad (Post 19540267)
Don't confuse a short signature with insecure cryptography or weak keys. SHA-1 is still considered an effective hashing algorithm and produces a 160-bit output. For message authentication purposes, even half that would be more than sufficient for this lifetime. I'm not saying the TSA/airlines are secure against hacking, just that a short signature is not an indicator of a security weakness.

[A cryptographically secure algorithm and key yielding an 80-bit signature could be brute-forced... if you had a million computers that tried a million combinations a second, you could find the correct signature for a single boarding pass in just shy of 40,000 years. Good luck with that.]

And where do you propose to put an 80 bit signature in that code?

The stuff is alphanumeric, giving 36 possibilities. That's only a little over 5 bits/char, I'll round up to 6. That means you need 14 characters to encode that 80 bit signature. Where are those 14 characters???

Consider the original:

Originally Posted by boarding pass
M1PUCK/COLWMR YXXXXXX PHXEWRUA XXX 294RXXXFXX 11F>30B

WWXXX BUA 0E016 3

He blacked out identifiable data, so we can be sure none of the Xs are a signature. I also see other obvious data, "PHX", "EWR", "UA" and one of "11F" and "30B".

The final 3 has already been identified as the pre-check status. The stuff right by the Xs is no doubt boilerplate, something that could easily be confirmed by examining several boarding passes.

That leaves the first part which feels far more like data than signature, the "BUA" which I can't identify and the "0E016". If there is a signature it's almost certainly this last part--and that's simply not a big enough keyspace to be worth anything.

Ari Oct 22, 2012 4:49 pm


Originally Posted by Loren Pechtel (Post 19545776)
And where do you propose to put an 80 bit signature in that code?

The stuff is alphanumeric, giving 36 possibilities. That's only a little over 5 bits/char, I'll round up to 6. That means you need 14 characters to encode that 80 bit signature. Where are those 14 characters???

Consider the original:


He blacked out identifiable data, so we can be sure none of the Xs are a signature. I also see other obvious data, "PHX", "EWR", "UA" and one of "11F" and "30B".

The final 3 has already been identified as the pre-check status. The stuff right by the Xs is no doubt boilerplate, something that could easily be confirmed by examining several boarding passes.

That leaves the first part which feels far more like data than signature, the "BUA" which I can't identify and the "0E016". If there is a signature it's almost certainly this last part--and that's simply not a big enough keyspace to be worth anything.

11F, 30B, BUA and 0E016 appear on every UA BP I can recall decoding.

For some reason, a signature doesn't show up on a scan of UA's BPs; I don't know why. Here is an AA barcode I scanned today:


M1LASTNAME/FIRSTNAME EXXXXXX ORDLGAAA 0380 XXXP005BXXXX 148>218
WW2296BAA 000000000000029001001XXXXXXX3 AA AA XXXXXXX
AKr8oPk411EH7WMQ195Dods93Z3WdLl8bw==|GMjjBZfVst94c 7Ihde5S9Q69fI5vhpxj
The last part looks like a signature. The QR code read the same way.

Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BPs have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

cparekh Oct 22, 2012 7:28 pm


Originally Posted by Ari (Post 19545890)
Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BPs have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

My speculation is exactly this. AA's barcode is set to display the signature, and UA's is set not to display. Still doesn't get around the fact that one would need to re-sign if data in the bar code are changed.

That being said, it is still nice to know (or at least usually know) if you get Pre-Check prior to arriving at the airport.

Ysitincoach Oct 22, 2012 7:38 pm

From IATA:

5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).

The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.

Each signature is unique to an airline and a boarding pass: if the bar code data are modified, they won’t match the signature any more. Moreover a signature cannot be generated without the private key. Consequently only an airline can generate a boarding pass with a digital signature and the bar code cannot be tampered with.
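Reading the AA scan above against the 5.2.6 description, here is an added example that is not code from the thread, from IATA or from any airline: a fixed-width decoder for the BCBP "M" format that shows where the selectee indicator and the optional security (signature) field sit. The item names and widths are my reading of the public BCBP layout, the sample pass is constructed, and its security data is a placeholder string rather than a signature.

```python
# Item layouts as (name, width in characters), in the order they appear.
MANDATORY = [("format_code", 1), ("legs", 1), ("passenger_name", 20),
             ("eticket_indicator", 1), ("pnr", 7), ("from_city", 3),
             ("to_city", 3), ("carrier", 3), ("flight_number", 5),
             ("julian_date", 3), ("compartment", 1), ("seat", 4),
             ("sequence_number", 5), ("passenger_status", 1),
             ("conditional_size", 2)]            # hex length of what follows
UNIQUE = [("passenger_description", 1), ("checkin_source", 1),
          ("bp_issuance_source", 1), ("bp_issue_date", 4),
          ("document_type", 1), ("issuing_airline", 3), ("baggage_tag", 13)]
# The per-leg conditional block is where the selectee indicator ("0"/"3") sits.
REPEATED = [("airline_numeric_code", 3), ("document_serial", 10),
            ("selectee_indicator", 1), ("intl_doc_verification", 1),
            ("marketing_carrier", 3), ("ff_airline", 3), ("ff_number", 16),
            ("id_ad_indicator", 1), ("free_baggage", 3)]


def _take(s: str, pos: int, layout, limit: int):
    """Cut fixed-width fields out of s[pos:limit]; never read past limit."""
    out = {}
    for name, width in layout:
        if pos >= limit:
            break                      # shorter block from an older version: stop early
        out[name] = s[pos:min(pos + width, limit)]
        pos += width
    return out, min(pos, limit)


def decode_bcbp(bcbp: str) -> dict:
    fields, pos = _take(bcbp, 0, MANDATORY, len(bcbp))
    if fields.get("format_code") != "M":
        raise ValueError("not an IATA BCBP 'M' string")
    cond_hex = fields.get("conditional_size", "").strip()
    end = pos + (int(cond_hex, 16) if cond_hex else 0)
    if bcbp[pos:pos + 1] == ">":       # ">" marks the start of the version number
        fields["bcbp_version"] = bcbp[pos + 1:pos + 2]
        usize = int(bcbp[pos + 2:pos + 4], 16)
        fields.update(_take(bcbp, pos + 4, UNIQUE, pos + 4 + usize)[0])
        p = pos + 4 + usize
        rsize = int(bcbp[p:p + 2], 16)
        fields.update(_take(bcbp, p + 2, REPEATED, p + 2 + rsize)[0])
        fields["airline_use"] = bcbp[p + 2 + rsize:end]
    else:
        fields["airline_use"] = bcbp[pos:end]
    # Optional security field (IATA 5.2.6): "^", type, hex length, signature data.
    if bcbp[end:end + 1] == "^":
        fields["security_type"] = bcbp[end + 1:end + 2]
        slen = int(bcbp[end + 2:end + 4], 16)
        fields["security_data"] = bcbp[end + 4:end + 4 + slen]
    return fields


def is_signed(bcbp: str) -> bool:
    """True when the pass carries a security field at all (the UA scans above lack one)."""
    return "security_data" in decode_bcbp(bcbp)


# Constructed sample pass; widths follow the layouts above. The security data
# is a placeholder string, not a real signature.
SIGNED = "".join([
    "M1", "LASTNAME/FIRSTNAME".ljust(20), "E", "ABC123 ", "ORD", "LGA", "AA ",
    "0380 ", "296", "Y", "005B", "0012 ", "1", "47",          # 60 mandatory chars
    ">2", "18", "0", "W", "W", "2296", "B", "AA ", "0" * 13,   # unique block, 0x18 = 24
    "29", "001", "0012345678", "3", " ", "AA ", "AA ",
    "AB1234567".ljust(16), " ", "1PC",                         # repeated block, 0x29 = 41
    "^1", "10", "CONSTRUCTEDSIG01",                            # security field, 0x10 = 16
])
UNSIGNED = SIGNED[:SIGNED.index("^")]   # the same pass with no security field
```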

Loren Pechtel Oct 22, 2012 9:21 pm


Originally Posted by Ari (Post 19545890)
The last part looks like a signature. The QR code read the same way.

Is it possible to create a signature in a PDF417 barcode that doesn't show up unless the scanner is looking for it? We know UA BP's have signatures, and we know that none of the elements we see above are part of the signature. So it must be hidden somehow, right?

OK, with that on there I will change my opinion. That's big enough that if they did the crypto right, there's no way it's going to be cracked.

FearFree Oct 23, 2012 12:34 pm


Originally Posted by Ysitincoach (Post 19546719)
From IATA:

5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration.

Interesting that it isn't mandated, so feasibly you could create an unsigned barcode in the right locale.

Ari Oct 23, 2012 6:03 pm


Originally Posted by FearFree (Post 19551078)
Interesting that it isn't mandated, so feasibly you could create an unsigned barcode . . .

It is up to the airline and the security authorities to decide if they want a signature; if neither require one, it doesn't have to be there.

jfunk138 Oct 24, 2012 2:53 pm

MSM has picked this up...

http://www.usatoday.com/story/travel...-flaw/1654781/

Global_Hi_Flyer Oct 24, 2012 7:40 pm


Originally Posted by jfunk138 (Post 19558757)

This will not end well.

mre5765 Oct 24, 2012 9:56 pm


Originally Posted by Ari (Post 19553047)
It is up to the airline and the security authorities to decide if they want a signature; if neither require one, it doesn't have to be there.

Does the bar code reader connect to the airlines' booking system? If not, then the reader would allow an unsigned BP.

Upgraded! Oct 24, 2012 10:11 pm

TSA is stupid, but even I find it hard to believe that they are that stupid as to not realize this was readable with very rudimentary tools. And to suspend PreCheck, as I've already said in other threads, would be to admit that TSA made a mistake, which they categorically do not do.

If anything, I think this will coincide with PreCheck becoming a membership-based program and it will be an excuse to get people to submit to a background check and pay a fee. No different really than GE (other than the competency level of the administering agency).

will2288 Oct 24, 2012 11:09 pm


Originally Posted by jfunk138 (Post 19558757)

It seems like the flaw mentioned in the article is that someone could know beforehand if they would need regular security or not before they get to the airport and thus could know if they could bring dangerous items, etc. because their BP would have that info already on it.

So why not make the scanner itself be what determines if regular screening is needed instead of the BP? Or am I missing something?

Ari Oct 25, 2012 12:33 am


Originally Posted by mre5765 (Post 19560891)
Does the bar code reader connect to the airlines' booking system? If not, then the reader would allow an unsigned BP.

No, but it knows the airline's private key. I'm unclear why you think it would need a live link to the airline in order to verify signatures if it has the private key.

14940674 Oct 25, 2012 12:36 am


Originally Posted by will2288 (Post 19561150)
So why not make the scanner itself be what determines if regular screening is needed instead of the BP? Or am I missing something?

The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.

will2288 Oct 25, 2012 12:45 am


Originally Posted by 14940674 (Post 19561367)
The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.

Thanks. That makes sense.

jkhuggins Oct 25, 2012 5:10 am


Originally Posted by 14940674 (Post 19561367)
The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.

And herein lies the "problem". As long as passengers are permitted to print their own boarding passes outside of an airport, TSA will have a problem determining if the boarding pass is legitimate. Since TSA relies on the boarding pass to determine positive (PreCheck) or negative (SSSS) eligibility for screening, this is going to be an inherent flaw in the system.

I wonder if the "solution" to this is going to be a regression to the bad old days when you had to line up at the airline ticket counter to get a boarding pass issued ...

Ari Oct 25, 2012 11:07 am


Originally Posted by jkhuggins (Post 19561985)
And herein lies the "problem". As long as passengers are permitted to print their own boarding passes outside of an airport, TSA will have a problem determining if the boarding pass is legitimate. Since TSA relies on the boarding pass to determine positive (PreCheck) or negative (SSSS) eligibility for screening, this is going to be an inherent flaw in the system.

Good god-- why does everyone keep posting about a flaw that doesn't exist? Do people not understand what an electronic signature is? This has been posted several times already. :rolleyes:

I am starting to question the competence and literacy of my fellow FT'ers. :(

Upgraded! Oct 25, 2012 11:14 am


Originally Posted by Ari (Post 19563804)
Good god-- why does everyone keep posting about a flaw that doesn't exist? Do people not understand what an electronic signature is? This has been posted several times already. :rolleyes:

I am starting to question the competence and literacy of my fellow FT'ers. :(

Not to mention the fact that I was under the impression that those with SSSS couldn't print a home BP...

baliktad Oct 25, 2012 11:25 am

There's no flaw and no security threat, only a great deal of speculation by uninformed individuals who haven't taken the time to verify any of their assertions.

The airlines send names to the TSA 72 hours prior to departure. The TSA determines who should not get PreCheck screening under any circumstances: the general public, those on "no-fly" lists, members who list a Trusted Traveler number that doesn't match their full name, etc. These people get a "0". Other people that are potentially approved for PreCheck screening get a "3". This information is stored in the boarding pass barcode, but it's not a secret. Security does not increase or decrease when passengers view the barcode information, including the PreCheck digit. The PreCheck approval digit and other identifying information in the bar code (like passenger name and flight details) are digitally signed by the airline which prevents any possibility of tampering. This signature uses public key encryption to allow the signature to be verified offline, without any connection to a live database maintained by the airline or the TSA.

At the airport when the BP is scanned, the reader makes a decision whether to allow the person into the expedited screening lane:
0 -> Normal screening
3 -> Expedited screening MOST of the time. The barcode reader or any TSA official can require a normal screening for any or no reason, whether there is a 3 there or not. This is the critical "random" element that ensures that getting a "3" on your BP is not a free pass.

The final screening decision is always made at the checkpoint, regardless of what is printed on the BP barcode. There's no hackery going on here (unless you call scanning a cereal box at the grocery store checkout "hacking") and no security threat.

Ysitincoach Oct 25, 2012 11:44 am

We glaze over the most important point of the article:



Soghoian of the ACLU suggests that if keeping laptops and small amounts of fluids in carry-on bags are a threat, TSA should keep random screenings confidential, rather than alerting PreCheck passengers early. He says that if those materials aren't a threat, then everyone should get expedited screening such as PreCheck.

jfunk138 Oct 26, 2012 8:19 am

Drudge has picked up this story.

FatherAbraham Oct 26, 2012 12:28 pm

@baliktad... true that a TSO can direct a person for additional screening even without any audible alarms indicating the person needs additional screening.

However, if a person has the 3 beeps - which is generally believed to indicate approval for precheck, do you really think a TSO will "get away" with not allowing that person into precheck?

The purpose of not knowing your status was to make precheck authorization unpredictable - this is meant to discourage precheckers (allegedly we the American People can trust precheckers) from bringing items that are not allowed.

Knowing your status before you even pack your luggage, allows a prechecker to do exactly what TSA was trying to discourage by way of not letting the prechecker know till the airport.

So yes, it's not a guarantee even with authorization, but the likelihood that a TSO will deny you access to precheck - when the TSO, you, and everyone else in precheck know you are approved for it - is very, very small.

baliktad Oct 26, 2012 3:17 pm


Originally Posted by FatherAbraham (Post 19570882)
However, if a person has the 3 beeps - which is generally believed to indicate approval for precheck, do you really think a TSO will "get away" with not allowing that person into precheck?

Yes, TSOs routinely tell people to do whatever they want.

But more importantly, the response of the barcode reader is still fully in control of the TSA. Right now everyone assumes that a 3 on the barcode means LLL, 3 beeps, and expedited screening 100% of the time. This is an assumption made without a full understanding of the system. The barcode reader can still beep once even when a 3 is present in the barcode.

Travelsonic Oct 27, 2012 4:52 pm


Originally Posted by Ari (Post 19563804)
Good god-- why does everyone keep posting about a flaw that doesn't exist? Do people not understand what an electronic signature is? This has been posted several times already. :rolleyes:

I am starting to question the competence and literacy of my fellow FT'ers. :(

Even with an electronic signature, that won't stop people from trying to find workarounds, or ways to mess around with/otherwise exploit - that's what makes fields of work/study dedicated to such things incredibly fun to consider going into. :D

Loren Pechtel Oct 27, 2012 6:47 pm


Originally Posted by Travelsonic (Post 19577044)
Even with an electronic signature, that won't stop people from trying to find workarounds, or ways to mess around with/otherwise exploit - that's what makes fields of work/study dedicated to such things incredibly fun to consider going into. :D

And note that even those programmers who don't focus on such matters still need to pay attention to them--if you don't understand how people might break your stuff you can't hope to make it so they can't break it.

askmrlee Oct 28, 2012 12:39 am

This person tweeted their AA boarding pass back in April 2010. I decoded this using my old Windows Mobile 6.5 phone using an app.

http://bit.ly/SNhryv

Knowing that all AA tickets start with 001 I thought that the last 14 digits prior to the "AA AA" Advantage number was the ticket number plus a check digit. In this case it's zero. Are we now saying that it's 3 if you are pre selected for PreCheck?

Travelsonic Oct 28, 2012 12:07 pm


Originally Posted by Loren Pechtel (Post 19577466)
And note that even those programmers who don't focus on such matters still need to pay attention to them--if you don't understand how people might break your stuff you can't hope to make it so they can't break it.

Exactly.

IMO, Ari is a bit hasty in dismissing people in the manner done in the post I replied to.

steve65341 Oct 28, 2012 2:43 pm


Originally Posted by baliktad (Post 19571860)
Yes, TSOs routinely tell people to do whatever they want.

But more importantly, the response of the barcode reader is still fully in control of the TSA. Right now everyone assumes that a 3 on the barcode means LLL, 3 beeps, and expedited screening 100% of the time. This is an assumption made without a full understanding of the system. The barcode reader can still beep once even when a 3 is present in the barcode.

Exactly. For a data point I checked the last 3 of my US Airways boarding passes that allowed for precheck and there was no 3 in there.

14940674 Oct 28, 2012 6:05 pm


Originally Posted by steve65341 (Post 19581664)
Exactly. For a data point I checked the last 3 of my US Airways boarding passes that allowed for precheck and there was no 3 in there.

Without the 3 in the barcode, how did the offline scanner know to indicate LLL?

steve65341 Oct 29, 2012 12:01 am


Originally Posted by 14940674 (Post 19582663)
Without the 3 in the barcode, how did the offline scanner know to indicate LLL?

I haven't been able to figure the pattern out since I don't have enough passes to scan and compare yet but I can tell you that it's definitely not dependent on the number 3 at the end of the sequence.
