Fake boarding passes can fool airport security

WASHINGTON — More than 11 years after the Sept. 11 terrorist attacks, it remains possible to use fake boarding passes to get through airport security checks, according to new evidence from security researchers and official documents.

The security vulnerabilities could allow terrorists or others on “no-fly” lists to pass through airport checkpoints with fraudulent passes and proceed through expedited screening. They could even allow them to board planes, security analysts warn.

The Washington Post was alerted to the vulnerabilities by concerned passengers and verified them through independent security experts. At the request of U.S. officials, The Post is withholding details that would make it easier for the vulnerabilities to be exploited.

The security gaps center on airline boarding passes, which can be issued up to 24 hours before a flight’s departure. According to security researchers, the bar codes on those passes can be manipulated with widely available technology to change the information they contain: passenger identification, flight data, and codes indicating whether a passenger has qualified for expedited screening.

Information about reading and altering boarding pass bar codes has circulated on online forums for several months, and has recently been picked up by security researchers. Many of them note that the potential for tampering with the passes has been exacerbated by the proliferation of smartphones that can read the bar codes and free software that can manipulate them.

Security guidelines set by the Transport Security Administration allow airlines to add an encrypted “digital signature” to prevent board passes from being altered. But some experts said they were surprised to learn that not all passes include authentication.

“It’s alarming – this basically negates the no-fly list,” said Chris Soghoian, a fellow at Indiana University’s Center for Applied Cybersecurity Research and principal technologist at the American Civil Liberties Union.

It remains difficult to establish the full extent of the vulnerabilities without information from the TSA, which does not comment on security procedures.

In response to written questions, John Pistole, the administrator of the TSA, said that the potential for tampering with printed boarding passes has existed since the inception of e-ticketing but that the agency has added protective measures “both seen and unseen.”

“We continue to explore and implement additional mitigation measures to prevent the manipulation of boarding passes and are working with the airlines to develop systems and methods to prevent illegal tampering,” Pistole said.

Under U.S. law, it is illegal to tamper with airline boarding passes. But security experts said individuals with limited technical expertise would be able to do so. At the very least, passengers would be able to modify their passes so they could proceed through the TSA’s “PreCheck” screening, a paid-for program in which passengers are allowed to keep laptop computers and approved containers of liquid in hand baggage. Security experts say it’s a program terrorists could possibly exploit.

The no-fly list was created after the Sept. 11, 2001, attacks, and includes the names of U.S. citizens and foreigners not permitted to fly into or out of the United States because of specific security concerns. The identity and exact number of people on the no-fly list is not public, but an FBI official told NPR last year that it includes about 10,000 people.

Thousands more are reported to be on a list requiring mandatory secondary screening, a requirement that would be noted on boarding passes for the affected passengers. Some passengers also receive these checks through random selection and other procedures.

One passenger who contacted The Post, Michael Williams, president of a small information technology firm, said his concern was that the security flaws could give someone on the no-fly list an opportunity to get onto a plane.

“Without forging any identification cards, someone on the no-fly list could easily use the current flaws to board an aircraft,” Williams said.

Williams said he has not attempted to tamper with boarding passes. A handful of others who contacted The Post after an earlier story on TSA security claimed they had tampered with their boarding passes and provided documentation as evidence. They spoke on the condition of anonymity.

Bruce Schneier, chief security technology officer at BT Managed Security Solutions and a long-term critic of U.S. aviation security, said the new evidence suggests it remains possible to evade the TSA’s security measures.

“The boarding pass checks have never been any good – they’ve always been fakeable,” he said. “You can fake a pass quite easily. In the past, I’ve done it. There’s software out there.”

Some security experts say the TSA could limit the potential for tampering with bar codes by requiring that all airlines include encrypted “digital signatures” on all boarding passes. Doing so would make it near impossible to tamper with the bar codes. Asked why only some boarding passes include such encryption, Pistole said the TSA “does not comment on specifics of the screening process and will always incorporate random and unpredictable security measures throughout the airport.”

Even if digital signatures were made mandatory, other security gaps remain, experts warn. Airlines cross-check passenger names against federal databases containing the names of passengers who are on the no-fly list or subject to additional screening. But the names are not cross-checked by TSA once passengers reach airport checkpoints with boarding passes in hand.

To do so, the TSA would need to have electronic scanners with networking capabilities to communicate with the federal databases. Technical documents issued by the agency confirm that its system does not have such capabilities and does not routinely check boarding passes against federal databases.

“The TSA has a real problem here,” said Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute. “They need to convey information from a variety of airlines to a whole bunch of different scanners scattered throughout an airport, and they need to do it securely.”

Between January and August of this year, 375 million passengers passed through TSA security, a rate of 1.8 million passengers screened at U.S. airports each day.

Soghoian, the Indiana University fellow, said he is concerned that the system has not improved since 2006, when he sought to draw attention to airline security vulnerabilities by building a website that permitted travelers to produce fake boarding passes. The warnings from Soghoian and others led to changes in security rules, including the introduction of security features such as digital signatures.

Soghoian suggested it is the patchy implementation of new rules that has left the system vulnerable. He said he thinks the TSA could vastly improve the system by simply requiring digital signatures on boarding passes.

“This is not a technical problem,” he said. “This is a policy problem.”

More in Local News

It’s hard to find a parking spot at Wallace Falls State Park

There’s a study under way on how to tackle that issue and others.

At long last, a church of his own

After years of filling in elsewhere, Hallack Greider is the new pastor at Maplewood Presbyterian.

Judge: Lawmakers’ emails, texts subject to public disclosure

News organizations had sued to challenge the Legislature’s claim that members were exempt.

Herald photos of the week

A weekly collection of The Herald’s top images by staff photographers and… Continue reading

Outgoing councilwoman honored by Marysville Fire District

The Marysville Fire District in December honored outgoing City Councilwoman Donna Wright… Continue reading

Officials rule train-pedestrian death an accident

The 37-year-old man was trying to move off the tracks when the train hit him, police say.

Ex-Monroe cop re-arrested after losing sex crime case appeal

He was sentenced to 14 months in prison but was free while trying to get his conviction overturned.

Everett district relents on eminent domain moving expenses

Homeowners near Bothell still must be out by April to make way for a planned new high school.

Number of flu-related deaths in county continues to grow

Statewide, 86 people have died from the flu, most of whom were 65 or older.

Most Read