My goodness, this terrible research by internet "reporters" is going to cause everyone to panic for no reason. So what if you can read the bar code. You cannot change the bar code and have it work, because it will no longer match the signature also encoded in the bar code, and you will be rejected.

This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.

The only "flaw" is that I can know before I go to the airport whether I will get PreCheck or not, which is not really a flaw.

It is a partial flaw.

If I'm an Evil Terrorist, attempting to subvert this system, I and my Evil Terrorist Co-Conspirators might try to establish a deep cover by doing enough air travel to qualify for PreCheck --- knowing that if we do qualify, we can take advantage of the lesser standards for PreCheck screening to smuggle our Evil Contraband through the checkpoint with high probability of success. If I know that I'm not going to get PreCheck, then I and my Evil Terrorist Co-Conspirators will have time to adjust our plans accordingly.

After all, it would be awfully suspicious if I come up to a checkpoint, present my boarding pass, and turn around and leave because I didn't qualify for PreCheck --- even if I'd be allowed to leave at that point. (I'm never quite clear about at what point TSA says I'm not allowed to leave without "completing the screening process".)

Sure, it's a small vulnerability. So is the chance that an aircraft is going to be taken down by a terrorist.

As I pointed out earlier in the thread, at major hubs, one is turned away from the PreCheck line long before getting to TSA; this is done by an airline-paid contract employee with a scanner. I doubt the contract employee will say anything much less notice or care if you just walk away if you don't get sent to the PreCheck line.

Just go to ATL. When denied for PreCheck by the airport private security, I turn around and go to the other screening checkpoint as the so-called elite line for NoS is just too long, and there's still some WTMD only lanes open on the opposite side. I've yet to have an issue.

Unless you get one who wants to try for the Big Catch, just like their brethren in the TSA ...

so what is the method to see if you'l qualify for pre-check on a Droid? Download a 417 barcode scanner, and then do what?

Scan the barcode on your BP. The last (some airlines 2nd to last) will be a 3 if you qualify.

So I checked in online for my Delta flight tomorrow from LGA (assuming they have pumped out LGA by then...). I scanned the bar code and the last digit was a 3. Yay!

Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?

Reprints should be ok; there was a problem during the summer when they didn't work, but that was very short lived.

No one here is privy to the internals of the PreCheck so this question is open. If I were designing such a system I would have a randomizer on both the check-in activity as well as at the check in location. I have no working knowledge of how this is actually done.

I doubt if its the best use of time uncovering details on pre-check as these can obviously be changed quickly at any time. I suspect in the near future the so called digit approval will be changed to a simple checksum verification and then the barscan party will be over and these threads will drift into the oblivion of Internet ether...

This is a much, much more serious problem than the scenario above about terrorists using these screening programs to insert a mole....

Firstly, what on earth are you talking about? If you can read a pdf you can certainly change it. Just because your crippled pdf reader doesn't let you change it doesn't mean Adobe has some magic hammer that forces everyone else in the world to not write software that allows you to change it. At worst imagine printing it and scanning it back in, doing OCR to generate a new PDF (which would be not unlike what the boarding pass barcodes would be going through). if you distribute your new pdf with a new signature or no signature at all how would the person who receives it know that they should expect there to be a signature?

Secondly, many people have asserted that these barcodes include signatures. But I've never seen any pointer to any evidence of this. Does anyone have any actual information on this purported signature? I'm quite skeptical because there doesn't seem to be enough bits in the barcodes to contain a particularly strong signature. Maybe that's good enough since you can't do offline attacks but I doubt it.

Moreover there's a fundamental weakness in a signature based scheme. The signing key would have to be in every terminal everywhere in the world belonging to every organization that can issue boarding passes. It wouldn't be very long before the key was leaked.

I did just scan a bunch of boarding passes. The US Airways and United boarding passes didn't contain very much of interest at all. The pre-merger Continental boarding pass did contain a 42 byte binary blob which could conceivably have been a signature. But the post-merge United boarding passes don't have the same thing. AC boarding passes appear to have a lot more bits but none of the barcode readers I found can read them.

From http://www.iata.org/whatwedo/stb/Doc...v4_Jun2009.pdf there is a signature field:
The PKI infrastructure used in the rest of the aviation industry for things like maintenance records and data interchange with airports appears to be ATA "Spec 42" which doesn't appear to be available for free anywhere. It does use IETF RFC 5280 certificates, but I don't see how any of the barcodes I'm looking at could be large enough to contain 5280 certificate.

Getting this (link to article) kind of press will result in a reaction from TSA. Recall that "Speak Your Name" started after the TSA got embarrassed by someone who got through the checkpoint....

I predict that Precheck gets even harder if it doesn't go away.

Maybe they start mandating signatures on all barcodes, but the article, as usual with media and the TSA, makes plenty of incorrect assumptions.

edit: did not realize WP article had been posted already.