Deal Saver - brought to you by the Charlotte Observer

0 comments
  • Print
  • Order Reprints
  • Share Share

Experts: Fake passes could fool airports

Vulnerabilities could allow terrorists through security checkpoints

By James Ball
Washington Post
Posted: Saturday, Nov. 03, 2012

WASHINGTON More than 11 years after the Sept. 11 terrorist attacks, it remains possible to use fake boarding passes to get through airport security checks, according to new evidence from security researchers and official documents.

The security vulnerabilities could allow terrorists or others on “no-fly” lists to pass through airport checkpoints with fraudulent passes and proceed through expedited screening. They could even allow them to board planes, security analysts warn.

The Washington Post was alerted to the vulnerabilities by concerned passengers and verified them through independent security experts. At the request of U.S. officials, the Post is withholding details that would make it easier for the vulnerabilities to be exploited.

The security gaps center on airline boarding passes, which can be issued up to 24 hours before a flight’s departure. According to security researchers, the bar codes on those passes can be manipulated with widely available technology to change the information they contain: passenger identification, flight data, and codes indicating whether a passenger has qualified for expedited screening.

Information about reading and altering boarding pass bar codes has circulated on online forums for several months, and has recently been picked up by security researchers. Many of them note that the potential for tampering with the passes has been exacerbated by the proliferation of smartphones that can read the bar codes and free software that can manipulate them.

Security guidelines set by the Transport Security Administration allow airlines to add an encrypted “digital signature” to prevent boarding passes from being altered. But some experts said they were surprised to learn that not all passes include authentication.

“It’s alarming – this basically negates the no-fly list,” said Chris Soghoian, a fellow at Indiana University’s Center for Applied Cybersecurity Research and principal technologist at the American Civil Liberties Union.

The no-fly list was created after the Sept. 11, 2001, attacks, and includes the names of U.S. citizens and foreigners not permitted to fly into or out of the United States because of specific security concerns.

It remains difficult to establish the full extent of the vulnerabilities without information from the TSA, which does not comment on security procedures.

Under U.S. law, it is illegal to tamper with airline boarding passes. But security experts said individuals with limited technical expertise would be able to do so.


Hide Comments

This affects comments on all stories.

Cancel OK

The Charlotte Observer welcomes your comments on news of the day. The more voices engaged in conversation, the better for us all, but do keep it civil. Please refrain from profanity, obscenity, spam, name-calling or attacking others for their views.   Read more

Quick Job Search
Advanced Job Search | Search by Category
Salary Databases
City of Charlotte | Mecklenburg County
Charlotte-Mecklenburg Schools
Charlotte Observer Featured Jobs »

Recent Blogs

Lottery

Most Viewed