PreCheck "Hack" reached press
#31
Join Date: Oct 2006
Location: ORD
Programs: AA Platinum, HHonors Diamond
Posts: 1,177
My goodness, this terrible research by internet "reporters" is going to cause everyone to panic for no reason. So what if you can read the bar code. You cannot change the bar code and have it work, because it will no longer match the signature also encoded in the bar code, and you will be rejected.
This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.
The only "flaw" is that I can know before I go to the airport whether I will get PreCheck or not, which is not really a flaw.
This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.
The only "flaw" is that I can know before I go to the airport whether I will get PreCheck or not, which is not really a flaw.
#32
Join Date: Nov 2008
Posts: 3,657
If I'm an Evil Terrorist, attempting to subvert this system, I and my Evil Terrorist Co-Conspirators might try to establish a deep cover by doing enough air travel to qualify for PreCheck --- knowing that if we do qualify, we can take advantage of the lesser standards for PreCheck screening to smuggle our Evil Contraband through the checkpoint with high probability of success. If I know that I'm not going to get PreCheck, then I and my Evil Terrorist Co-Conspirators will have time to adjust our plans accordingly.
After all, it would be awfully suspicious if I come up to a checkpoint, present my boarding pass, and turn around and leave because I didn't qualify for PreCheck --- even if I'd be allowed to leave at that point. (I'm never quite clear about at what point TSA says I'm not allowed to leave without "completing the screening process".)
Sure, it's a small vulnerability. So is the chance that an aircraft is going to be taken down by a terrorist.
#33
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
After all, it would be awfully suspicious if I come up to a checkpoint, present my boarding pass, and turn around and leave because I didn't qualify for PreCheck --- even if I'd be allowed to leave at that point. (I'm never quite clear about at what point TSA says I'm not allowed to leave without "completing the screening process".)
#34
Join Date: Nov 2007
Location: USA
Posts: 1,685
As I pointed out earlier in the thread, at major hubs, one is turned away from the PreCheck line long before getting to TSA; this is done by an airline-paid contract employee with a scanner. I doubt the contract employee will say anything much less notice or care if you just walk away if you don't get sent to the PreCheck line.
#35
Join Date: Nov 2008
Posts: 3,657
#37
Join Date: Feb 2011
Programs: AA, UA, Marriott Gold
Posts: 349
#38
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
So I checked in online for my Delta flight tomorrow from LGA (assuming they have pumped out LGA by then...). I scanned the bar code and the last digit was a 3. Yay!
Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?
Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?
#39
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
So I checked in online for my Delta flight tomorrow from LGA (assuming they have pumped out LGA by then...). I scanned the bar code and the last digit was a 3. Yay!
Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?
Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?
#40
Join Date: Oct 2012
Location: NYC
Programs: AADULtArer
Posts: 5,690
Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?
I doubt if its the best use of time uncovering details on pre-check as these can obviously be changed quickly at any time. I suspect in the near future the so called digit approval will be changed to a simple checksum verification and then the barscan party will be over and these threads will drift into the oblivion of Internet ether...
#41
Join Date: Oct 2012
Location: NYC
Programs: AADULtArer
Posts: 5,690
through? Or get a job with an airside vendor and have a 100% chance of getting the gun through?
#42
Join Date: Dec 2007
Posts: 3,607
My goodness, this terrible research by internet "reporters" is going to cause everyone to panic for no reason. So what if you can read the bar code. You cannot change the bar code and have it work, because it will no longer match the signature also encoded in the bar code, and you will be rejected.
This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.
This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.
Secondly, many people have asserted that these barcodes include signatures. But I've never seen any pointer to any evidence of this. Does anyone have any actual information on this purported signature? I'm quite skeptical because there doesn't seem to be enough bits in the barcodes to contain a particularly strong signature. Maybe that's good enough since you can't do offline attacks but I doubt it.
Moreover there's a fundamental weakness in a signature based scheme. The signing key would have to be in every terminal everywhere in the world belonging to every organization that can issue boarding passes. It wouldn't be very long before the key was leaked.
I did just scan a bunch of boarding passes. The US Airways and United boarding passes didn't contain very much of interest at all. The pre-merger Continental boarding pass did contain a 42 byte binary blob which could conceivably have been a signature. But the post-merge United boarding passes don't have the same thing. AC boarding passes appear to have a lot more bits but none of the barcode readers I found can read them.
From http://www.iata.org/whatwedo/stb/Doc...v4_Jun2009.pdf there is a signature field:
5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).
The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).
The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.
Last edited by zkzkz; Nov 3, 2012 at 11:55 am
#43
Join Date: Aug 2006
Location: DCA / WAS
Programs: DL 2+ million/PM, YX, Marriott Plt, *wood gold, HHonors, CO Plt, UA, AA EXP, WN, AGR
Posts: 9,388
Getting this (link to article) kind of press will result in a reaction from TSA. Recall that "Speak Your Name" started after the TSA got embarrassed by someone who got through the checkpoint....
I predict that Precheck gets even harder if it doesn't go away.
I predict that Precheck gets even harder if it doesn't go away.
#44
FlyerTalk Evangelist
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
Getting this (link to article) kind of press will result in a reaction from TSA. Recall that "Speak Your Name" started after the TSA got embarrassed by someone who got through the checkpoint....
I predict that Precheck gets even harder if it doesn't go away.
I predict that Precheck gets even harder if it doesn't go away.