Concerns raised about airline boarding pass barcodes

Oct 26, 2012 by Lin Edwards report
Concerns raised about airline boarding pass barcodes
Credit: Wikipedia

(Phys.org)—Boarding passes for travel on airlines in the US (and many other countries) now include barcodes, but an aviation security researcher has now learned that these barcodes can be read by readily available tools and are unencrypted. The barcodes include information on the level of security check the passenger will be required to satisfy when they pass through pre-boarding checks.

The fear that barcode information could potentially be of use to terrorists was first raised in an article in the in July this year, but the fear was escalated last week by John Butler in his aviation blog, Puckinflight, when he reported that the barcode information was not encrypted.

Passengers can print their boarding passes before they leave home, and Butler said the barcodes can easily be read by online barcode readers or smartphone apps, and this would enable them to see in advance if they have been selected for the Transportation Security Administration's (TSA) PreCheck security level for the flight.

PreCheck security level is applied randomly to frequent fliers and can be purchased from US Customs, who carry out a background check on the applicant before approving the security level. Once approved and enrolled in the system, passengers are eligible to be selected for PreCheck on any flight. If selected, they bypass some of the pre-boarding security measures, are allowed to leave their toiletries and laptops in their carry-on bags, and do not have to remove shoes, jackets or belts as they are screened. They also avoid the controversial full-.

Butler suggested that the barcode could be altered to change the security level to PreCheck simply by reading the barcode, saving the information as a text file, and altering a single digit corresponding to the security level. The altered file could then be uploaded to another website to be re-encoded as a barcode, and this could easily be incorporated into the boarding pass using widely available photo-editing software.

Other information on the barcode could be altered in the same way, including the passenger name, and flight details, and as long as the security check level was changed to PreCheck, the passenger would avoid thorough security checking and be likely to get through.

The barcodes in US airports are read by machines operated by the TSA, but they are merely barcode readers and do not check the information. The TSA issued a statement that its security systems include "measures both seen and unseen," but it did not comment on the specifics of Butler's blog post.

In a later blog post Butler said the International Air Transport Association (IATA) standards allow for a validation mark to be included in the barcode on boarding passes to prevent the kind of tampering Butler warned about, but while the remain unencrypted there is nothing to stop passengers learning in advance that they will be subjected to lower .

Explore further: 'Halo' makers shed light on live-action series

Related Stories

Before Your Flight: A Fingerprint Scan at the Check-in Desk

Sep 30, 2005

Lufthansa has teamed up with Siemens to successfully test a biometric process for check-in and boarding at Frankfurt Airport. The tests proved the feasibility of identifying airline passengers from their fingerprints. The ...

Checking In Via Cell Phone

Feb 11, 2005

Airline passengers will soon be able to check in with their cell phones. Together with SITA, a leading provider of IT services to the airline industry, Siemens Business Services has developed a mobile solution that eliminates ...

Recommended for you

Watching others play video games is the new spectator sport

Aug 29, 2014

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

kochevnik
Oct 26, 2012
This comment has been removed by a moderator.
gwrede
1 / 5 (3) Oct 26, 2012
PreCheck security level ... can be purchased ... once approved and ... if selected, they bypass ... security measures, are allowed to leave their toiletries and laptops in their carry-on bags, and do not have to remove shoes, jackets or belts as they are screened. They also avoid the controversial full-body scanners.
OMFG!!! And all this article does, is bemoans some barcodes.

The real security risk is this Security Level crap. Don't they know that security is only as strong as the weakest link? If I were the Terrorist Boss, all I now have to do is find three non-arab looking guys, and buy them PreCheck. Chances are (and the whole point of the system is) that at least two of them are not checked on a given flight.

Sheesh! And everybody is just crying over some bar code. Good grief!

I say, kill PreCheck bypass. Now!
axemaster
5 / 5 (2) Oct 26, 2012
The TSA issued a statement that its security systems include "measures both seen and unseen,"

This made me giggle a little...
kochevnik
3.2 / 5 (5) Oct 26, 2012
You are nine times more likely to be killed by a policeman than a terrorist in America. I doubt the police will upload and download barcodes before shooting.
Pkunk_
not rated yet Oct 27, 2012
You are nine times more likely to be killed by a policeman than a terrorist in America. I doubt the police will upload and download barcodes before shooting.

How about killed by muggers, drug addicts and other criminals ? Is it 9 times more likely then to be killed by police "brutality" as you try to point out?
What is your solution ? Ban the US police , or recruit Russian police instead ?