(Phys.org)—Boarding passes for travel on airlines in the US (and many other countries) now include barcodes, but an aviation security researcher has learned that these barcodes are unencrypted and can be read by readily available tools. The barcodes include information on the level of security check the passenger will be required to satisfy when they pass through pre-boarding checks.
The fear that barcode information could potentially be of use to terrorists was first raised in an article in the Washington Post in July this year, but the fear was escalated last week by John Butler in his aviation blog, Puckinflight, when he reported that the barcode information was not encrypted.
Passengers can print their boarding passes before they leave home, and Butler said the barcodes can easily be read by online barcode readers or smartphone apps. This would enable passengers to see in advance whether they have been selected for the Transportation Security Administration's (TSA) PreCheck security level for the flight.
PreCheck security level is applied randomly to frequent fliers and can be purchased from US Customs, who carry out a background check on the applicant before approving the security level. Once approved and enrolled in the system, passengers are eligible to be selected for PreCheck on any flight. If selected, they bypass some of the pre-boarding security measures, are allowed to leave their toiletries and laptops in their carry-on bags, and do not have to remove shoes, jackets or belts as they are screened. They also avoid the controversial full-body scanners.
Butler suggested that the barcode could be altered to change the security level to PreCheck simply by reading the barcode, saving the information as a text file, and altering a single digit corresponding to the security level. The altered file could then be uploaded to another website to be re-encoded as a barcode, and this could easily be incorporated into the boarding pass using widely available photo-editing software.
Other information on the barcode could be altered in the same way, including the passenger name and flight details. As long as the security check level was changed to PreCheck, the passenger would avoid thorough security checking and be likely to get through.
The barcodes in US airports are read by machines operated by the TSA, but they are merely barcode readers and do not check the information. The TSA issued a statement that its security systems include "measures both seen and unseen," but it did not comment on the specifics of Butler's blog post.
In a later blog post, Butler said the International Air Transport Association (IATA) standards allow for a validation mark to be included in the barcode on boarding passes to prevent the kind of tampering he warned about. But while the barcodes remain unencrypted, there is nothing to stop passengers learning in advance that they will be subjected to lower security measures.
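The distinction in the last paragraph, shown as an added example (not code from the article, Butler's blog or the IATA standard): a validation mark lets the checkpoint detect a changed digit, yet the fields stay readable to anyone. HMAC-SHA256 stands in for whatever mark a real scheme uses, and the payload layout, key and field values are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a key shared only by the issuing airline and the checkpoint reader.
ISSUER_KEY = b"constructed-demo-key"
TAG_LEN = 32  # hex characters of the truncated HMAC-SHA256 mark


def _mark(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue(payload: str, key: bytes = ISSUER_KEY) -> str:
    """Airline side: text to encode in the barcode, payload plus validation mark."""
    return f"{payload}^{_mark(payload, key)}"


def verify(barcode_text: str, key: bytes = ISSUER_KEY):
    """Checkpoint side: return the payload if the mark matches, otherwise None."""
    payload, sep, tag = barcode_text.rpartition("^")
    if not sep or len(tag) != TAG_LEN:
        return None  # no mark present: reject instead of trusting the fields
    expected = _mark(payload, key)
    # Constant-time comparison on bytes, so odd characters in the tag cannot raise.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return payload if ok else None


def screening_field(barcode_text: str) -> str:
    """No key needed: the mark authenticates the fields but does not hide them."""
    return barcode_text.rpartition("^")[0].split("|")[-1]


# Constructed sample: name | flight | date | screening level (hypothetical layout).
PAYLOAD = "DOE/JANE|XX123|2012-10-30|0"
GENUINE = issue(PAYLOAD)
# The same text with the single screening digit changed and the old mark kept.
TAMPERED = GENUINE.replace("|0^", "|3^")

if __name__ == "__main__":
    print("genuine accepted:", verify(GENUINE) is not None)
    print("altered accepted:", verify(TAMPERED) is not None)
    print("field readable without key:", screening_field(GENUINE))
```

A reader that only decodes the barcode, as the article describes, corresponds to calling `screening_field` without ever calling `verify`.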