01 November 2012

"Hacking TSA PreCheck"

Schneier on Security | Bruce Schneier | Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders; they don't check against the real-time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier — and far more secure — if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And — of course — this means that you can still print your own boarding pass.

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don't feel any less safe because of this vulnerability.

This vulnerability does not actually make me less safe. Agreed. But it does (and should!) make me feel less safe. It is a signal of how poorly the TSA, and the rest of the Federal government, do their jobs, which does change my opinion about how safe I am.

(Or it would, if it was possible for my opinion of our security apparatchiks to drop any further.)

If something this blindingly foolish could be implemented (at staggering cost!) how many other bullshit mistakes have they made? If this passed muster until Some Random Blogger publicized it, what else has escaped government oversight? What other knuckle-headed systems have they implemented? Why do we continue giving these people more power if this is the quality of their actions?

I'll take this opportunity to once again say it's foolish to print "SSSS" on the boarding passes of people who have been selected for extra screening at the gate. If you see this on your boarding pass, just pass your carry-ons to your wife. It always works for me. If you're a Bad Guy, either swap out any contraband into the bag of a fellow Baddie who doesn't have the "SSSS" brand, or upon getting your boarding pass, abort the mission and try again next month. The "SSSS" system does not protect anyone from terrorists; it just protects us from the monumentally stupid terrorists.
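
The quoted write-up turns on the scanner trusting whatever the barcode decodes to. As an added example (not code from this post, from Schneier, or from any airline or TSA system), here is a scanner-side check that accepts the fields only when an issuer tag covers them unchanged. The field layout, key, sample values and function names are assumptions made for illustration, and HMAC stands in for the public-key signature a real issuer would use.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: HMAC keeps the example standard-library
# only; a real issuer would sign with a private key so scanners hold no secret.
ISSUER_KEY = b"constructed-demo-key"
FIELDS = ("name", "pnr", "flight", "seat", "beeps")


def _tag(payload: str) -> str:
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue(name: str, pnr: str, flight: str, seat: str, beeps: int) -> str:
    """Issuer side: serialize the fields and append a MAC over all of them."""
    values = [name, pnr, flight, seat, str(beeps)]
    if any("|" in v for v in values):
        raise ValueError("delimiter not allowed inside a field")
    payload = "|".join(values)
    return f"{payload}|{_tag(payload)}"


def check(barcode_text: str) -> dict:
    """Scanner side: return the fields only if the MAC covers them unchanged."""
    payload, sep, tag = barcode_text.rpartition("|")
    if not sep or not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        raise ValueError("barcode contents do not match the issuer's tag")
    fields = dict(zip(FIELDS, payload.split("|")))
    fields["precheck"] = fields["beeps"] == "3"  # 3 beeps = Pre-Check, per the post
    return fields


def is_accepted(barcode_text: str) -> bool:
    try:
        check(barcode_text)
        return True
    except ValueError:
        return False


def with_field(barcode_text: str, index: int, value: str) -> str:
    """Simulate an edited barcode: change one field, leave the tag as issued."""
    parts = barcode_text.split("|")
    parts[index] = value
    return "|".join(parts)


if __name__ == "__main__":
    genuine = issue("DOE/JANE", "ABC123", "XX0123", "12A", 1)  # constructed sample
    print(is_accepted(genuine))
    print(is_accepted(with_field(genuine, 4, "3")))
    print(is_accepted(with_field(genuine, 0, "ROE/RICHARD")))
```

A tag of this kind only proves the fields are what the issuer wrote; it does not replace the real-time lookup the quoted post says the scanners lack, which is what would catch a pass that was valid when issued and later cancelled.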

1 comment:

  1. You do admit that this is really just a theoretical exercise.

    It would be interesting to see if you could print one out from home and also a "real" one from the airport to see what happens when you try to scan it.

    I would think that they would have thought of something as simple as reverse engineering a string of characters in a barcode and put security measures in place to prevent potential hacking.

    TSA Precheck by Airport Intel