Boarding Pass App Worries Security Experts
October 26, 2012

Smartphone Apps Can Tip Off Passengers Selected For Additional TSA Screening

redOrbit Staff & Wire Reports - Your Universe Online

Readily available smartphone apps that scan airline boarding passes can alert passengers to whether or not they have been selected for additional screening by the Transportation Security Administration (TSA), security experts warn.

The barcodes contain information that reveals which security protocols a traveler will be subject to, the researchers said.

The vulnerability involves the TSA´s pre-screening system known as PreCheck, a program that allows some travelers to receive expedited screening.

PreCheck passengers are typically allowed to keep their shoes and belts on as they proceed through a checkpoint, and are not required to remove laptops and small containers of liquids from their bags.

By scanning their boarding pass barcode up to 24 hours before a flight, passengers can see whether they qualify for PreCheck's expedited screening, or if they will be subjected to more intrusive screening.

"If people can verify their PreCheck status at home 24 hours before the flight, the randomness is gone," said Chris Soghoian, a security analyst at the American Civil Liberties Union, in an interview with USAToday.

"The randomness needs to occur the moment you are in line, when it's too late to swap bags with your colleague or it's too late to throw something in the trash."

News of the security flaw has been circulating on aviation blogs for weeks, and is only the latest bump in the road for the TSA as it moves from a program of comprehensively screening all flyers to a more risk-based approach that focuses on travelers considered to pose the greatest threat.

In a statement, the TSA said that PreCheck is only one step in a series of airport security measures that monitor passengers based on the risks they represent.

All passengers go through a metal detector and a full-body scanner, with their bags going through an X-ray, the agency noted.

Other layers of security include intelligence gathering, explosives detection, teams of canines and behavior-detection officers who look for suspicious behavior in the airport. The agency also deploys federal air marshals who fly undercover on airplanes.

"TSA does not comment on specifics of the screening process, which contain measures both seen and unseen," the TSA said in its statement.

"In addition, TSA incorporates random and unpredictable security measures throughout the traveling process."

Travelers can signup for PreCheck through their frequent-flier programs at five participating airlines: Alaska, American, Delta, United and US Airways. Participants must then agree to undergo a $100 background check, the details of which the TSA does not disclose.

PreCheck has provided expedited screening for 3.5 million passengers since the program´s inception in October 2011. It has established separate screening lines at 29 airports, with six more expected in the next few months.

But even PreCheck passengers can, at times, be randomly selected for additional screening. This injects some degree of uncertainty for any would-be terrorist considering using the program to thwart security.

The newly-discovered flaw with airline boarding passes is that smartphone apps can read the encoded string of digits, which reveal a telltale “3” if the traveler qualifies for PreCheck, or a 1 if the person will face routine TSA screening.

Soghoian recommends the TSA keep random screenings confidential, rather than giving an early alert to PreCheck passengers.

If keeping laptops and small amounts of fluids in carry-on bags are not a threat, then everyone should receive expedited screening such as PreCheck, he said.

"Either bad people can go through PreCheck, and we're safe, in which case give it to everyone“¦or if bad people going PreCheck is a bad thing, then they need to institute confidential random screening of PreCheck passengers.”

But the TSA says that even PreCheck passengers are subject to a number of security measures aimed at preventing anyone on a government watch list from using a fake or fraudulent boarding pass.

"We continue to explore and implement additional mitigation measures to prevent the manipulation of boarding passes and are working with the airlines to enhance existing security systems, programs and methods to prevent illegal tampering," the TSA said in its statement.

Security firm Sophos called the boarding pass vulnerability "very worrying".

"No one should be able to tell in advance what level of security screening they will be receive before an air flight," the firm's senior technology consultant, Graham Cluley, told BBC News.

"The risk is that potential attackers could determine in advance which of them is going to be given the weakest screening - and get them to attempt to carry unauthorized item onboard.”

"Potential attackers should not be given advance warning of the security measures they will be facing."