Schneier on Security
October 26, 2012
Hacking TSA PreCheck
I have a hard time getting worked up about this story:
I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.
What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don't check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.
What a dumb way to design the system. It would be easier -- and far more secure -- if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?
And -- of course -- this means that you can still print your own boarding pass.
On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don't feel any less safe because of this vulnerability.
Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines' reservation databases. Does anyone know?
Posted on October 26, 2012 at 6:46 AM
In the private world, a program such as PreCheck would be called a protection money racket. "Buy at least a certain amount each year from this company, or pay us $100 and have us do a thorough check on you, and we may not molest you as much as you pass through."
With the TSA, it's "risk-based security".
The reports have been making a few assumptions that we don't know are true:
1. It is assumed that the randomness is encoded in the boarding pass. The PreCheck flag on the boarding pass could simply mean the passenger is PreCheck-eligible, with the random full screening being decided on by the boarding pass scanner.
2. It is also assumed that some PreCheck boarding passes have no digital signatures on them. The TSA already checks DSA signatures on mobile boarding passes, so it seems straightforward to require a valid DSA signature on PreCheck-eligible boarding passes.
Unfortunately, the TSA isn't commenting on this at all, so it's hard to tell exactly what's going on. I would be interested in seeing 1) printed boarding passes from those who have gone through PreCheck screening, and 2) boarding passes from those who normally go through PreCheck, but were randomly selected for normal screening.
My experience with flights from Amsterdam is that someone may look at your boarding pass before the security check, but it is only scanned afterwards just before you board the plane. As far as I know the security scanners have no connection to reservation systems here.
> What a dumb way to design the system. It would be easier -- and far more secure -- if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?
I'm going to guess that someone in an early planning meeting said: "if the line gets backed up, can we trust our minimum wage employees to actually enforce the 10% rule or will they just start letting people through?" They might have thought that putting it on the ticket would provide some oversight and accountability to verify you are checking 10% and that it is done "randomly". Maybe they even planned to communicate this information back in realtime before deciding that would be too expensive. Currently the passenger takes the and later disposes of the only proof that they were ever screened, so even that is missing. For all we know the security in Nowheresville Montana turn off the xray machines and let the 3 passengers each day just walk through.
The bigger problem in my mind is that we can't trust in the professionalism of the security personnel enough to randomly pick one in ten passengers so we have to put it on the ticket. Why someone who cannot count to ten should be allowed to do security is beyond me.
Security generally does not require anything more than a glance at the fact that you have a boarding pass at all - and usually it's to make sure you're going through security in the right area. Many flights I've had out of the UK, no-one looked at my boarding pass before the gate.
I'm regularly making continental trips in Europe, and I have always assumed that the boarding pass scan is linked to the airline reservation system (which can of course be linked to other things), at least at the gate. The scan of the boarding pass activates a green or red light that indicates that whether you are allowed to board or not.
In Paris the pass is actually scanned three times: when entering the general departure area, again at the security checkpoint, and finally at the gate just before boarding.
Maybe the first two scans (departure area entrance, security checkpoint) are about tracking the passenger's movements inside the airport, or to register the moment a passenger passed the checkpoint (makes it easier to look things up in the security camera recording system?)
At the same time, in the German airports I've seen, there is only one scan at the gate. There's a security agent at the entrance of the departure area that takes a quick look at the boarding pass (but no scan), and there is no scan at the security checkpoint either.
In all cases, there is hardly any identity check at the various European airports; most of the time I don't have to show any ID whatsoever; the boarding pass is all that is requested.
I have quite some experience flying from the Netherlands and indeed as Wichert Akkerman says there is someone manually checking the boarding passes just before the security check to make sure you are indeed departing from Amsterdam and on that date.
At the gate your boarding pass gets scanned and your ID is checked. The scanner machine shows the last name and the seat number to the person doing the boarding check and it shows a green or red light. The system is actually connected somehow to the reservation system (probably there is a local cache) as it has happened to me once that the machine did not allow me to board because my seat was changed (KLM upgraded us). A new boarding pass was issued on the spot and that one did work. I guess the same system is used for people that are denied boarding in the last moment.
A few weeks ago I was travelling with British Airways and they check again the boarding passes once you board the plane. My boarding pass was stored in the BA mobile app and the stewardess asked me to scroll down to check if it was legitimate and not a fake picture.
Dunno about other countries.
But this is the least of the inefficiencies on the US side. I wrote a short story about an assassin who befuddles the TSA & airport records in two separate ways:
1) The low-tech option: He needs an alibi, so he & another person buy tickets for separate locations. Once past security, they swap boarding passes. It requires more work to do it round-trip, and probably involves a triangle, but it's pretty easy. More fun, though, is:
2) The somewhat higher-tech option: he buys a ticket with someone else's identity. Prints out two boarding passes, using Photoshop. Goes through the security check with a boarding pass showing his real name, using his real ID. Copies any TSA scribbles onto a second boarding pass, the one purchased under a false identity. Boards plane. He was never there.
Anyway. Lots of room to play there. The story was "Not for Hire" in my "What Happens in September..." collection on Amazon, if anyone is interested.
You don't need a boarding pass to go through security in Australia. They use those for boarding...
In some Canadian airports, the level of screening was (is?) determined by stepping on a mat, which triggers the system to light up an arrow pointing right or left. It keeps human biases out of the random selection.
Let's see... in Frankfurt (FRA), they started to scan boarding passes before the screening some time ago. The person over there will inform you about gate or time changes, so the scanner is definitely on-line. Which of course does not say whether the boarding pass information is validated in any way.
I figure it is the same way in Cologne (CGN), though I don't remember getting gate directions there.
In Verona (VRN) a cop checked my smartphone boarding pass and passport by staring at them before allowing me to enter the screening area. Then another security person checked both again directly at the x-ray machine. Definitely off-line.
@SB - PreCheck does not have a fee. You're probably thinking of Global Entry, which automatically makes you PreCheck eligible. As a frequent flyer, my airline's program has made me PreCheck eligible free of cost.
@Bruce - They can't let the boarding pass scanner decide because, at least at IAD, the PreCheck check point is in a different physical location. So when you get to the front of the regular line and they tell you that you are PreCheck cleared for this flight, you actually leave the secure area and go back to the ticketing level of the airport where I can only assume you have to scan your boarding pass again. (I haven't used the PreCheck lane at IAD yet, but was eligible on my last flight.)
@Daniel: You missed my first part, where I said the first avenue to PreCheck was to purchase a certain threshold amount of services from a private company -- an airline.
In other words, if I fly 100,000 miles a year on Delta, I might be eligible. If I fly 20,000 miles a year apiece on United, Delta, American, USAirways and Alaska, I would have to pay the $100 for Global Entry.
With PreCheck, the government has declared that it will put more trust into citizens who have patronized certain private companies -- but not all: I could fly 100,000 miles a year on Southwest and not be eligible -- over other companies.
Perhaps if the mainstream media had not turned into a mouthpiece for the TSA, there would be more reporting on this outrage.
I've used Pre-Check a few times (in ORD and LAS). Once you're in the Pre-Check system, you can always go to the Pre-Check lines. It's there that they decide to do the full theater or not. If they do the full rigamarole they do it right there, you don't have to go to a different security entrance.
It seems to me that each airline should have a key pair and sign the ticket as valid. Then the TSA scanner need not verify with the reservation systems (which would likely be a nightmare of integration), it can just check the signature against the public key.
@SB - You're right, I missed that. My bad.
PreCheck is still in the deployment phase - I would expect that more airlines will get pulled in over time. I seriously doubt TSA is saying "Southwest flyers aren't trustworthy". More like "We haven't gotten to integrating with Southwest yet."
@Daniel: And what about the traveler who splits his flying among several airlines? Or the traveler whose home airport is one of the 300 or so where PreCheck is not set up? Or the traveler who "only" flies 20,000 miles a year, but has done so uneventfully for the past decade?
Of course, Bruce hit the nail on the head: "On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security."
On my last flight out of Nürnberg (Germany) I had a home-printed boarding pass. So had my wife, but she got sick and had to stay home.
A flight attendant asked me, when I already was in the plane, where she is – they were actually paging her.
Thus, I conclude that the scanner at the security station isn't talking to the airline's system: they did not know whether she was in the security area.
All this fuss simply to travel. A boarding pass should be a bearer instrument entitling the bearer to passage from A to B. It doesn't matter who paid, when or how. An identity escrow in case the bearer passes away in transit is the only element of identity that matters. A conventional 80's style check before boarding would be adequate. The whole thing is weird and very, very bad.
In the UK they take a picture of you (LHR, LGW) before security while scanning the boarding pass. After that they scan you again at the gate to make sure your face matches your boarding pass and that you didn't switch flights. Plus you can see a list of people on the security people's screen as you pass; it has to come from the airlines.
What was missing before at the gate (probably) was the confirmation that you (your boarding pass) had passed security - just in case boarding passes had been switched.
It's the BCBP format, which supports an entire security section, although it has a max length of 255 characters. Why not use digital signatures? Would still be standard compliant.
I agree with Bruce that this isn't really a "security vulnerability". But to answer the question:
Airports vary a lot in their operational practices and in the degree of data sharing between airlines, airport operators (especially in the case of shared-use check-in facilities and ground handling agents who work for multiple airlines). In some countries the ground handling agents who actually check you in work for a division of the airport, or for another government-owned entity.
Most airports and many airlines are government run, to some degree or other, and no clear distinction is maintained in many cases between governments, airports, and airlines.
With respect to what happens at European airports, you *should* be able to find out to which third parties (including government agencies) airline PNR or departure control system information is "shared", by making a subject access request to the airline. Jurisdiction goes with the place where the data is collected, so even a US-flag airline is subject to EU data protection law with respect to data collected or entered in the EU (such as data like bag check info entered at check-in at an airport in the EU).
However, there are two problems:
First, airlines don't comply with the law. I've asked Air France, KLM, and Lufthansa for their records and an accounting of all disclosures of them, including to third-party contractors. None have complied with their legal obligations or provided any list of data recipients:
If you are curious, the DCS and check-in data Lufthansa provided (which doesn't include any disclosure log) is on pp. 2-23 of this PDF:
If any lawyer is able and willing to litigate this issue pro bono in a European court, please contact me! Until that happens, we'll know only what airlines chose to tell us.
Second, "security" staff at an airport is a mix of actual government employees (some military or law enforcement, some like the TSA not), and contractors employed variously by the airport operator, airlines, ground handling agents for airlines, or various combinations thereof. It's rare for any of them to identify clearly which they are. They all expect you to defer to any "security" staff, without question.
Disclosure or sharing of passenger data with security contractors rather than the government may not be considered a third-party disclosure, and may not have to be logged or accounted for. There's some wiggle room in EU law on this, which *might* cover e.g. sharing of data with a security checkpoint boarding-pass-checker working for a contractor working for a local ground handling agent for the airline, i.e. a sub-sub-agent or sub-sub-contractor of the airline itself.
I built an early online boarding pass for a major European airline. The 2D barcodes which were used came from an IATA standard.
All of the documentation is online
So, if the pre-screening encoding is listed here or in some sort of 'additional area' it can certainly be changed.
The problem with the barcoding system is that it is a simple text encoding. There is no checksum or private key encoding. This has the benefits of ease of use and no need to trade keys with every checkpoint. The trade-off is that it can easily be changed and re-encoded.
This goes for ANY portion of the boarding pass, if you wanted to change the name you could do that as well and have it match with the passport. (This doesn't get you onto the plane, but into Duty Free where you could buy all you wanted and leave).
With new applications like Apple's Passbook which removes the paper step from the process, you can easily generate 'official' looking boarding passes yourself. This will get you through security check, but not onto a plane. There is a master list being checked against at boarding, but not security.
All this does open the door to printing boarding passes to any flight; you can get through the security check point without ever paying for a flight. You can then wander around, say good bye to fellows at the boarding gate like you used to, or go shopping tax free.
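The signing design suggested in the comments above (an airline key pair signs the pass, and the checkpoint scanner verifies it with only the public key, so no reservation-system integration is needed) and the earlier remarks about DSA signatures and the BCBP security section, as an added example. This is not code from the blog, its commenters, IATA or any airline system. It uses Ed25519 from Go's standard library in place of DSA, a constructed `|`-separated payload as a stand-in for the fixed-width BCBP record, and a `^` marker for the security section; those choices and the function names are assumptions. The point it shows is that once the payload is signed, the alteration described in the original story (editing the screening indicator and re-encoding) fails verification at the scanner, and so does a pass that carries no signature at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// secSep marks the start of the security section. Assumption: the payload
// itself never contains this character (real BCBP uses "^" the same way).
const secSep = "^"

// NewAirlineKey generates the airline's signing key pair. The private half
// stays in the airline's departure-control system; only the public half is
// distributed to checkpoint scanners.
func NewAirlineKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssuePass is the airline side: it appends an Ed25519 signature over the
// exact payload text as the pass's security section.
func IssuePass(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	return payload + secSep + base64.StdEncoding.EncodeToString(sig)
}

// CheckPass is the checkpoint side: it splits off the security section and
// verifies the signature with the public key. Any change to a single byte of
// the payload, or a missing security section, yields ok == false.
func CheckPass(pub ed25519.PublicKey, barcode string) (payload string, ok bool) {
	i := strings.LastIndex(barcode, secSep)
	if i < 0 {
		return barcode, false // unsigned pass: nothing to verify
	}
	payload = barcode[:i]
	sig, err := base64.StdEncoding.DecodeString(barcode[i+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return payload, false
	}
	return payload, ed25519.Verify(pub, []byte(payload), sig)
}

// PreCheckFlag returns the screening indicator (the trailing "1" or "3" in the
// story). Callers must only act on it after CheckPass reported ok == true.
func PreCheckFlag(payload string) string {
	fields := strings.Split(payload, "|")
	return fields[len(fields)-1]
}

func main() {
	pub, priv := NewAirlineKey()
	// Constructed sample payload: record type, name, PNR, flight, seat, flag.
	payload := "M1|DOE/JOHN|PNRX12|UA1234|16A|1"
	signed := IssuePass(priv, payload)

	p, ok := CheckPass(pub, signed)
	fmt.Println("genuine pass verifies:", ok, "flag:", PreCheckFlag(p))

	// The edit from the story: flip the indicator from 1 to 3 and re-encode.
	altered := signed[:len(payload)-1] + "3" + signed[len(payload):]
	_, ok = CheckPass(pub, altered)
	fmt.Println("altered pass verifies:", ok)

	// A pass printed without any security section is rejected outright.
	_, ok = CheckPass(pub, payload)
	fmt.Println("unsigned pass verifies:", ok)
}
```

The scanner needs only the airline's public key, which can be provisioned once per airline rather than per checkpoint, and the signature (64 bytes, 88 characters in base64) fits comfortably inside the 255-character security section the comment above mentions.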
> The bigger problem in my mind is that we can't trust in the professionalism of
> the security personnel enough to randomly pick one in ten passengers so we have to put it on the ticket.
> Why someone who cannot count to ten should be allowed to do security is beyond me.
I take exception to this statement because it is nearly impossible for a person to be random. Even your statement implies that you would just count off 10 people and screen the next one. A person doing the screening will be biased and will, for example, not select two or three people in a row.
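Several comments above argue that the "send 10% to regular screening" decision should be made by the machine rather than the screener: one because the screener's discretion needs oversight and the enforced rate should be auditable, and this one because a person cannot be random. The following is an added example, not code from the blog or any commenter, of one way a scanner could do that. It keys an HMAC-SHA256 over the (already signature-checked) barcode text with a checkpoint secret, so the outcome is unpredictable to anyone without the key, independent of the screener's judgement, and reproducible later by an auditor holding the archived key. The daily key rotation, the field layout of the sample passes and the function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Selector decides which PreCheck-eligible passengers get regular screening.
// key is a checkpoint secret (assumed to be rotated daily and archived);
// rate is the percentage the authority wants, e.g. 10.
type Selector struct {
	key  []byte
	rate uint64
}

// NewSelector draws a fresh random key for a new selection period.
func NewSelector(ratePercent uint64) (*Selector, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return NewSelectorWithKey(key, ratePercent), nil
}

// NewSelectorWithKey rebuilds a selector from an archived key, which is how
// an auditor replays the decision for any pass scanned during that period.
func NewSelectorWithKey(key []byte, ratePercent uint64) *Selector {
	if ratePercent > 100 {
		ratePercent = 100
	}
	return &Selector{key: key, rate: ratePercent}
}

// Selected reports whether the pass, identified by its full barcode text,
// goes to regular screening. The first 32 bits of the MAC are compared
// against rate/100 of the 32-bit range, which avoids modulo bias.
func (s *Selector) Selected(barcode string) bool {
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(barcode))
	v := uint64(binary.BigEndian.Uint32(mac.Sum(nil)[:4]))
	return v*100 < s.rate<<32
}

// ObservedRate is the audit step: replay a period's scanned barcodes and
// report the fraction that were (or should have been) selected.
func (s *Selector) ObservedRate(barcodes []string) float64 {
	if len(barcodes) == 0 {
		return 0
	}
	n := 0
	for _, b := range barcodes {
		if s.Selected(b) {
			n++
		}
	}
	return float64(n) / float64(len(barcodes))
}

// SampleBarcodes builds constructed pass strings for the demo; the layout
// is a placeholder, not the real BCBP record.
func SampleBarcodes(count int) []string {
	out := make([]string, count)
	for i := range out {
		out[i] = fmt.Sprintf("M1|PASSENGER/%06d|PNR%05d|UA1234|1", i, i)
	}
	return out
}

func main() {
	sel, err := NewSelector(10)
	if err != nil {
		panic(err)
	}
	passes := SampleBarcodes(20000)
	fmt.Printf("fraction sent to regular screening: %.3f\n", sel.ObservedRate(passes))
	// An auditor with the archived key reproduces every decision exactly.
	replay := NewSelectorWithKey(sel.key, 10)
	fmt.Println("replay agrees on first pass:", replay.Selected(passes[0]) == sel.Selected(passes[0]))
}
```

Because the decision is a pure function of the key and the barcode, a checkpoint cannot quietly stop selecting when the line backs up without the discrepancy showing up when the day's scan log is replayed, which addresses the accountability concern raised above without encoding the outcome into the pass itself.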
The photo ID check makes a lot more sense if you assume it isn't aimed at protecting the airports themselves, but is a generic mechanism aimed at making life difficult for fugitives.
Just the latest serious flaw in a TSA system that Blogger Bob and company will ignore.
In Israel a brief interview with a screener will get your passport and luggage a sticker with a bar code from one of several sheets which may flag you or your luggage for extra screening. The bar codes change and it would be tricky to come up with a low risk sticker from home but you could try swapping stickers secretly with the nice old lady in line in front of you.
However, if someone sees you swapping stickers it guarantees you having a bad day.
Scary? I think not. What is scary is that we have allowed TSA to infringe on our liberties for the appearance of security.
I think the reason for the random selection component being coded into the barcode is actually quite simple, at least in the minds of the TSA. Pre-check is largely a self-preservation strategy on the part of the TSA: mollify the most frequent travelers by giving them a humane experience without molestation or nudie pics, and the TSA's most vocal combatants suddenly have little to complain about. Ma and Pa Kettle continue to take what comes because they don't know any better / don't care when traveling only once a year.
A quick way to infuriate frequent travelers in this process, though, would be to have them scan their BPs, see the light blink green as pre-check eligible, and then be sent to the molestation line on a random decision by the minimum-wage BP checker. Much easier if everyone involved can just point to the "black box" barcode system and say, "nothing I can do, sir."
The photo ID check makes a lot more sense if you recognize it as a way to protect airline pricing and eliminate the ticket resale market.
Using barcoding websites seems kind of amateur to me. With all the "cyber security" BS floating around these days I wouldn't be surprised if visiting a known barcode generating website after downloading your boarding pass would get you flagged. Easier to give government agencies new and expanded power than to fix a broken system. Plus it's more power for the government. So, better to use a utility already on your own computer than to risk generating traceable external records.
I recently flew out of Croatia, a country that's had quite a bit of experience with threats, war, and terrorism. The passenger ahead of me asked the security guy whether he had to take liquids out of his bag. The security person laughed and pointed at a sign that said that if you had firearms in your luggage you had to declare them. He also seemed relaxed about his work, and was joking with some of the passengers. These guys have the right approach to security.
> It would be easier -- and far more secure -- if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening.
But that would require the boarding pass checker to be something more than a minimum-wage GED-owning mouth-breather, which would cut into the TSA's plan to waste billions of dollars on backscatter X-ray machines.
I think the standard bureaucratic response to this would be "Well we need to ban those barcode-creating websites."
At LHR last weekend, I don't remember having the barcode of my boarding pass scanned at security.
Me neither... I've passed through LHR a couple of times in the past few months.
The boarding pass was certainly inspected at the transit and departure security stations, but it wasn't scanned.
Another data point:
At Stockholm Arlanda airport, they scan your barcode before you line up for the security checkpoint. In this line, I noticed that I had not put my pen knife into my checked baggage, so I left the security area to mail it home. When I returned to the checkpoint, their scanner told them that I had already entered the area. So there obviously is some kind of "online" system, although it does not need to be connected with the reservation system.
Peru's customs has a setup similar to what YYZ described for Canada's security. Once you're done with the first lady, who checks that all y'all idiots filled out the forms right, she directs you to a box with red light, green light, and a button. You press the button, and the light tells you where to go.
There's something very clever to it, if you ask me. Something about making you feel a little responsible for the result.
What? you came to Montevideo and didn't call me?
At LHR Terminal 5 the scan before queuing for security picked up that the person at the bag drop-off desk had not checked that I had a visa for my destination. So I had to go back and have my visa verified. (No Master Card jokes, thank you!)
Flying through Costa Rica and Panama, they did secondary screenings at the gate of carry-on, and also pat down and shoes in Panama. In Panama they started out taking everything out of carry-on's, which took a long time for each passenger. All that separated the re-screened and not-re-screened passengers was a rope. Think about it.
As it got closer to departure, they just opened and shut bags. They confiscated drinks bought in the terminal in Panama, and confiscated small tweezers as they were against the rules. Everyone was getting pretty upset at this ridiculousness. This was happening at each gate (entire gate waiting areas were roped off as the secondary screening area). If you needed to speak to a gate agent about something urgently, you were screwed since you would have to wait in the re-screen security line or go out of the 'secure area' to the front check-in.
After getting on the flight, I was given a nice metal fork and knife (in coach). It makes me cringe how little sense this all makes.
I took some nice regional flights in Costa Rica (14-19 passenger) where I was only asked my name, and hopped right on. Could tap the pilot on the shoulder and pass him a Mentos :) Guess there is a big difference, size of plane and not being international.
Here in Australia (at least for the last domestic flights I took) you can check in (and drop your checked bags) without ever talking to a human or showing any ID at all (on-line check-in with printed boarding pass, mobile phone check-in with mobile phone boarding pass or check-in at kiosks at airports).
Going through security, you don't have to show anything (you don't even have to be flying to pass through security).
Then when you board the airplane, they just put the boarding pass through a machine.
Last time I flew no-one ever checked my ID. The boarding pass was only used to verify that I was getting on the right airplane and sitting in the right seat.
Why bother with a bar-code generating web site?
You can easily find True-Type bar-code fonts online for free.
In your word processor, first enter the boarding pass number in your default font. Then, high-light that text string, and change the font to your bar-code font. In some bar-code fonts, you need to add asterisks before and after the text string you want to print out in the bar-code font.
From the example in the original article:
*WWXXX BUA 0E016 3*
The EU/EEC have standards that are the same throughout the countries (with some minor, local variables). Security checkpoints must have a 20% random pat-down rate, for example. However, all random steps in the process are machine determined - i.e. the metal detector portal chooses who gets the random pat-down, etc.
In many countries, it's possible (at least for domestic flights) to pass into the "red" area of the airport (past security) even if you're not a passenger, i.e. without a boarding pass. This, of course, does not apply to international flight terminals, or if those two categories are in the same terminal area. That sort of nulls the point of any boarding pass based "random" system...
@Stephen: They've already wasted millions on backscatter x-ray machines. Now they want to get rid of them and waste millions on millimeter wave machines. If we wait long enough they'll scrap those and waste millions on metal detectors.
I assumed the reason for the 'enhanced screening' flag on the ticket was so that high-risk passengers could be automatically flagged for extra screening every time. Kind of a 'no fly' lite list, for those too whit- I mean, innocent looking -- to be denied flying, but dangerous enough that they should be hassled each time they fly. You know, immigrants from Arab countries, Occupy Wall Street participants, ex-wives of TSA employees, the usual.
Just found this blog. A former TSA screener is telling all about TSA, some interesting information starting to come to light. He or she explains a lot of things from the inside: http://takingsenseaway.wordpress.com/
I heard some time ago that the most secure airport in the world was Tel-Aviv. The reason for this is that they hire ex military security people to do the screening. By the use of social profiling, they for the most part eliminate threats. Horror of horrors, in our land of freedom, you want to perform social profiling. WAKE UP! The Israelis have this one thing right. An old grandmother going to her grandson's Bar mitzvah is really not a security threat. Focus on those cultures who have a history for terrorism; social profiling. Yes, it is hard to tell who but these "professionals" can tell by body language, and a host of other markers, who might be a terrorist.
Hmm, that's quite a modern approach; however here in Hungary, automation is not nearly as sophisticated as over there. I hope we will have a similar, more convenient system in the near future as well.
re: Japan --
I can say with a high degree of certainty that QR scanners are connected to the reservation systems for at least domestic flights. For domestic flights, all that is needed is a barcode on a phone/tablet or piece of paper, and the code is generally available about two months in advance. The barcode is scanned at security, and a new slip of paper is printed with passenger details, flight information, and seat assignment. It is this new printout that security personnel look at.
Since the barcodes can be printed before seat assignments are made, but the printouts include seat assignments the readers must be connected to passenger information for at least this information. Scanning the barcode for my next flight in December with standard qr reader software, it only seemed to have a unique id made of my flight information and reservation number on it (unencrypted). It did not have any clear text indication of my name (and I haven't made my seat assignment yet). Even so, when I go to the airport I know the print out will have both seat assignment and my full name on it along with flight details.
It's interesting to note that on domestic flights there is no need to show identification at all in Japan. Even so, I've always felt much more secure by the simple fact that flight details are verified by what prints out after scanning the barcode rather than some print-at-home piece of paper.
EU airlines do seem to check the IDs at the gate quite consistently now (I've not flown through Paris, but I found it surprising somebody said you don't need ID there?).
I've noticed they're not very well trained though, which is a problem when your friend on a Chinese passport flips the red light, presumably because of said passport, and has to explain what a residency card is to someone who clearly does not have the required skills and should not be asking for this information in the first place. This happened in Spain, where I (on a European passport, but the same reservation) could walk right through.
Free movement of people my ass.