PreCheck "Hack" reached press
#16
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
https://puckinflight.wordpress.com/2...-check-system/
The post continues:
What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.
. . .
So, there are two problems here. First, is that the data on the barcode is not encrypted. This allows people to alter information on the front of the boarding pass. Second, is the more serious issue of the Pre-Check information not only out there but where it is also possible to edit the Pre-Check status and place it back on the boarding pass.
I didn't see any hedging there at all. I believe he might also be wrong that 1 is no PreCheck-- 0 is no PreCheck. I don't know (I try to hedge when I don't know something for sure), but I think 1 means SSSS. I think 0 = CLR, 1 = SSSS, and 3 = LLL.
And then, when he figures out he is wrong:
https://puckinflight.wordpress.com/2...security-flaw/
Notice that the title is "Update on the TSA Security Flaw," not "Oops, I didn't know what I was talking about". It is hardly an 'update' when the information is only new to the author.
* * *
Whether knowing one has a '3' in advance of arriving at the security checkpoint constitutes a security risk is a topic open for debate; what Colpuck did was post fiction as fact to sound an alarm that didn't need sounding. There was no need to attract attention to a 'secret' frequent fliers find very convenient; the only thing that could come of it is that it changes, and that would be a bad thing for us.
What people also fail to recognize is that at airports like ORD, contract employees scan boarding passes before the line to security. Anyone wanting to probe the system can just turn around and go home if he doesn't get 3 beeps from the contract employee-- it isn't like one is already in the TSA area past some 'point of no return' when one finds out about PreCheck for a given flight. This 'flaw' (if it is one at all) was evident to me when AA first split the line in ORD T3 during PreCheck's first month. (Somehow, I resisted the temptation to post it, perhaps because I knew nothing good could come of running my mouth-- they could have reacted by shoving PreCheck back into the elite line). So one could probe the system long before people knew how to decode the barcode.
I take no pleasure in attacking my fellow FT'ers, but this poster's conduct is beyond irksome and requires calling out.
Last edited by Ari; Oct 25, 2012 at 4:42 pm
#17
Join Date: May 2006
Location: TUS/PDX
Programs: WN CP/A-List, AS MVPG75K
Posts: 5,798
While I agree with you, I don't expect this to ever happen again. Too many people are scared by the thought of people bringing "bad things" onto planes. The TSA has done a fantastic job scaring people into thinking bottled water and shoes are dangerous instruments.
#18
Join Date: Jan 2012
Posts: 267
The End of Pre-check?
Another article this morning about how terrorists can alter boarding passes to qualify for pre-check. Is this a TSA scam to end pre-check and increase their self worth?
http://news.yahoo.com/spoofed-boardi...231754237.html
#20
Join Date: Feb 2012
Posts: 36
#21
Join Date: Jul 2005
Location: PEK
Programs: A3*G, UA Gold EY Silver
Posts: 8,958
http://www.flyertalk.com/forum/check...pre-check.html
Well, it would not depend on the barcode, but rather on what's in the database on the backend.
Last edited by Ocn Vw 1K; Oct 26, 2012 at 9:48 am Reason: Merge consecutive posts of same member
#23
Senior Moderator
Join Date: Oct 2001
Location: San Francisco, CA
Programs: UA Plat/2MM [23-yr. 1K, now emeritus] clawing way back to WN-A List; MR LT Titanium; HY Whateverist.
Posts: 12,396
As this concerns travel security, please follow it as it moves to the Practical Travel Safety Issues forum. Ocn Vw 1K, Moderator, TravelBuzz.
#24
Guest
Posts: n/a
It shouldn't matter that the 1 or 3 referenced in the article above is in the clear. The barcode is digitally signed to prevent alteration. So long as the certificate(s) used to do the signatures remains secure, any alteration like that described in the article would mean that the barcode would fail the sig check. Happened to me when my barcode was smudged and misread.
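Added example, not part of the post above and not code from any airline or TSA system: a sketch of the integrity check that post describes, where a scanner trusts the screening field only after the tag over the whole payload verifies. The field names, payload layout and key are constructed for illustration, and HMAC-SHA256 stands in for the certificate-based signature the post mentions so the block runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed demo key. A certificate-based scheme would give scanners only a
# public verification key; HMAC is a symmetric stand-in for this example.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 16  # bytes of HMAC-SHA256 kept in the payload


def _tag(body: str) -> bytes:
    return hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest()[:TAG_LEN]


def issue(fields: dict) -> str:
    """Issuer side: serialize the fields and append a tag over all of them."""
    for key, value in fields.items():
        if "|" in key or "=" in key or "|" in value:
            raise ValueError("delimiter not allowed in field data")
    body = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return f"{body}|sig={_tag(body).hex()}"


def scan(payload: str):
    """Checkpoint side: return the fields only if the tag verifies, else None."""
    body, sep, tag_hex = payload.rpartition("|sig=")
    if not sep:
        return None  # unsigned payloads are rejected, never trusted
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return None  # a misread tag is not valid hex
    # Constant-time comparison; any changed byte in body or tag fails here.
    if not hmac.compare_digest(presented, _tag(body)):
        return None
    return dict(item.split("=", 1) for item in body.split("|"))


if __name__ == "__main__":
    # Constructed sample fields, not the real boarding-pass layout.
    pass_ = issue({"name": "DOE/JANE", "flight": "XX123", "screening": "1"})
    print(scan(pass_))                                      # verified fields
    print(scan(pass_.replace("screening=1", "screening=3")))  # None
```

Because the tag covers every field, the same check rejects a changed name, a changed indicator, and a single misread character alike.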
#26
Join Date: Sep 2011
Programs: AA SPG Amex
Posts: 4,644
That would/should be the beauty of it: scan an ID and you're good to go. I would imagine it's much easier to get this right if it's an ID issued by TSA, scanned by a TSA scanner and no interface with the airlines is required.
#27
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
But they want access to PNR data before giving out PreCheck on a given flight . . . though they don't require this of military.
#28
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
I have spent a good 15 minutes looking around for these mysterious websites that can decode barcodes, and not found anything but this one, which doesn't work on any barcode image file I give it.
I have seen many breathless articles about the Grave Threat To Our Security posed by being able to know ahead of time whether I'll be groped and scanned.
How can I decode a barcode, either on a website or with my phone? None of the barcode scanner apps for iOS seems to read boarding pass barcodes.
#29
Join Date: Nov 2009
Location: PHL , EWR
Programs: AA Platinum, UA Gold, Hyatt Diamond, Avis First
Posts: 293
I have spent a good 15 minutes looking around for these mysterious websites that can decode barcodes, and not found anything but this one, which doesn't work on any barcode image file I give it.
I have seen many breathless articles about the Grave Threat To Our Security posed by being able to know ahead of time whether I'll be groped and scanned.
How can I decode a barcode, either on a website or with my phone? None of the barcode scanner apps for iOS seems to read boarding pass barcodes.
#30
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Ah, the missing link. Thanks! I just searched the app store for "pdf 417". Only one app showed up, but it seems to work. Thanks again! ^