Source: Mashable
Author: Lorenzo Franceschi-Bicchierai

The Transportation Security Administration’s (TSA) new pre-screening system “pre-check,” may have a security flaw which allows passengers to know in advance whether they will be subject to the standard security check at the airport.

Aviation blogger John Butler warned about the vulnerability in a blog post on October 19.

Travelers who opt in to the system — usually already frequent fliers — are vetted by the TSA, and then are randomly chosen to undergo less intensive security screening at the airport. They don’t have to remove their shoes, laptops, or liquid items. TSA receives the passenger information from the airlines themselves, but the security agency makes the final determination on each passenger, and then encodes his or her security status in the barcode printed on the boarding pass.

According to the TSA website, the passenger is not allowed to know beforehand the result of the pre-check and whether he will go through the express and simplified check or not.

However, according to Butler, the boarding pass barcode is not encrypted, and can be read by anyone with a scanner or appropriate smartphone app. What’s more, a passenger could even modify that information and reprint the boarding pass, fooling the whole system.

When asked by Mashable, the TSA refused to comment about this vulnerability or whether they consulted a cryptography or security expert when they devised the system. Instead, they sent the following statement:
“TSA stays ahead of those with intentions to manipulate boarding passes by layering its protective measures in ways that are both seen and unseen.”

The organization refused to elaborate on what those measures are.

For security experts, the system is a disaster. “Letting passengers determine their Precheck/regular screening status at home, before they get to the checkpoint is a total security failure,” tweeted Chris Soghoian, a famous security researcher who in 2006 created a website that generated fake boarding passes to denounce the poor security of the passes and how easy it was to evade the no fly-list.

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” Soghoian told the Washington Post.

Bruce Schneier, a cryptographer and computer security expert who has criticized airport security for a long time, went even farther. “The system is really badly implemented,” he tells Mashable. “But it’s a dumb idea in the first place.”

Schneier supports a more intelligence-oriented approach to security, including combating terrorism directly instead of increasing security measures in response to failed attacks.

“Airports security is the last line of defense and is not a very good one,” he says. Instead, he says the U.S. government should scale back the security to pre-9/11 levels and invest more in investigating passengers before they get to the airports.

The lack of encryption was also mentioned in a post on an frequent flyer forum in July. The TSA would not comment on whether they were aware of it before last week or if they’re working on a fix.