I know, I know, this blog is ostensibly about building a plane. The fact is, I fly a lot for my job. And my job involves security. Big-league security. Fortune 500 type security. It-makes-the-front-page-of-the-Wall-Street-Journal-if-it-fails security. Literally. So I think about airplanes a lot (for fun and because I spend a lot of time on them for work) and I think about security a lot (to put a roof over my family’s heads). And if you do security for a living, you realize what an enormous joke the TSA is. But let’s start at the beginning.
In the beginning was the boarding pass. You needed a boarding pass to get on an airplane. When you walked up to the gate, the gate agent would look at your pass and read you your seat number (just in case you couldn’t manage that for yourself). You didn’t need ID, and anyone willing to go through the metal detector could go to the gates. I still remember this from when I was a kid back in the 70s. There were two problems with this: too many people crowding around the gates who technically really didn’t need to be there, and the fact that you could fly with any valid boarding pass, regardless of whose name was on the front. The first problem was both a security problem and a nuisance. The second just pissed the airlines off because it cost them money. People could sell airline tickets they didn’t need or couldn’t use in the newspaper classifieds. It used to be quite common.
They fixed the first problem back in the 70s. They started requiring a boarding pass to go through security. Mom could no longer meet you at the gate when you walked off the plane at Christmas. Kind of annoying, but probably in everybody’s best interest. The second problem took almost twenty more years. I used to buy plane tickets in the want ads all the time, and fly as “Achim Mohammad”, or whatever name the ticket was issued in. The airlines hated it, but couldn’t do much to stop it. Some of the airlines would try to ask you for ID to match the ticket, but enough people threw a big stink that most of them quit doing this, and as long as your pass was valid, you could fly. I used to fly for work back in the early 90s (I was a network engineer for one of the very early commercial ISPs, and regularly had to visit customers for site surveys, working out equipment bugs, etc). Incidentally, I used to travel with a pretty big set of tools, including a Leatherman and a couple of substantial knives in my carry-on. Nobody cared. You just put them in the little tray and passed them around the metal detector. They were looking for guns, not knives.
Then 9/11 happened. And out of that, the airlines got their most longed-for wish: you had to show photo ID (well, technically you didn’t, but the hassle of not showing photo ID was extreme enough to rule it out for most people), and that photo ID had to match your boarding pass. After 9/11, you couldn’t be too careful, right? Check the names, boarding passes, and IDs of everyone flying, and match them up against a database of known bad people. Problem solved. Only not so much. The airlines were happy, though. Their problem was solved. Remember, their problem wasn’t security. Sure, nobody wants their plane blown up, it’s bad press. But it blows over pretty quick, because it’s airport security that gets the blame, not the individual airline. What the airlines were excited about was that all those unused seats could be sold a second time by the airline, rather than by the unlucky ticket holders. That meant a ton of cash in their pockets. But security was solved, too, right? After all, the names were being checked against a database of bad people. That should keep the bad people off planes, right?
No. Not even close. Why not? Let’s say for the sake of argument that I’m a very bad man, and I want to blow up a plane. My name is Mohammed Mohammed, and I’m on the “No Fly” list. I log onto BigAirline.com and buy a ticket. Wait, buy a ticket? But I’m a known bad guy. Well, that’s the first odd thing. Being on the No Fly list doesn’t mean you can’t buy a ticket, it means you can’t fly. Big difference. So I buy a ticket online, and drive my evil butt down to the airport to board my flight. I walk up to the TSA Tard and present him my boarding pass and my driver’s license (with my actual name, Mohammed Mohammed printed right there on the front of it). And what happens? The TSA Tard compares the name on my boarding pass with the name on my license. And do cops descend on me from the heavens? No. Why not? Because the names match. This guy’s job isn’t to compare my name with the “bad man” database. His job is to make sure the names on two documents match. If they do, then it’s off to the screeners for the x-ray or the groping. It’s the gate agent’s job to scan my boarding pass into her laser scanner hooked up to her computer, not the TSA screener’s. The gate is the point where my evil name will trigger the badges, the horns, the flashing red lights and the guns.
But wait. There’s a problem. The gate agent doesn’t ask me for ID. She doesn’t check my government issued ID against the name on my boarding pass. She just scans the boarding pass I hand her and tells me, “Welcome aboard, Mr. Mohammed”. See how the system works? The TSA Tard makes sure the names match, then the gate agent makes sure you actually have a seat (and don’t have an evil name). Here’s the problem: who says the boarding pass I show the TSA Tard is the same pass I show the gate agent? Why not buy two? Buy one ticket in my evil name and a second ticket as “John Smith” (because BigAirline.com doesn’t check your ID to make sure you really are John Smith, beyond validating your credit card). So now Mohammed Mohammed walks through the TSA as himself, then boards the plane as John Smith. And Mohammed Mohammed never makes his flight, and his seat gets filled with a standby passenger who missed his earlier flight, and the TSA guys don’t get to take down a bad guy. Only the government can come up with a plan this foolproof.
Technology made it even easier. Why not skip buying the first ticket, and just print your own? After all, the TSA Tards are used to seeing boarding passes printed on home PC printers. Just take a valid boarding pass, change the date to today’s date, and paste in the name you have printed on your driver’s license. No need to actually buy the first ticket, since it’s going in the trash, anyway. Then somebody made it easier. A guy in Indiana made a web page where you could type in your name, your fake flight details, and the date you wanted to “travel”, and it would generate a PDF you could print yourself and walk right through security. Now you didn’t even need the rudimentary computer knowledge that you needed to print one on your own.
In all fairness, the TSA isn’t entirely stupid. After six years, they caught on to this trick. And they published a document called the “Privacy Impact Assessment for the Boarding Pass Scanning System” in November, 2007 (find it here). Quick thinking, guys. In it, they discuss this problem, as well as their amazingly clever solution:
The vulnerabilities associated with fake boarding passes are well-known. In the fall of 2006 a doctoral student at Indiana University created a website that enabled individuals to create fake boarding passes. This website garnered significant media attention, as it demonstrated how a known terrorist who is on the Watch or No-Fly List could use a fake boarding pass to gain access to the sterile area of the airport. Once inside the sterile area, the terrorist could use a real boarding pass acquired under an alias to board the plane.
In order to eliminate this vulnerability, the Transportation Security Administration (TSA) has begun to pilot new technologies that can identify fake or tampered forms of identification. TSA also has begun to consider ways to encode boarding passes with a security code that could ensure their authenticity. The BPSS is a process and technology that validates the authenticity of the boarding pass at the TSA security checkpoint using 2-dimensional (2D) bar code readers and encryption techniques. The BPSS will be compatible with any 2D barcode and can be used with paper boarding passes printed on a home computer via online check-in procedures, paper boarding passes printed by the airlines, or paperless boarding passes that are sent to passengers’ mobile devices such as cell phones, Blackberrys, or Personal Digital Assistants (PDA).
The overall objective of BPSS is to ensure that the barcoded data in boarding passes are not tampered with. This can be done simply and to a high degree of security using standard digital signature technology based on Public Key Infrastructure (PKI) standards. When generating the barcode data, the airline will create a hash of the barcode data and then encrypt the hash with the airline’s “Private Key”. The use of a hash function plus encryption will allow TSA to confirm that the barcode was issued by the airline and that none of the information in the barcode (such as the passenger’s name) has been tampered with. The encrypted hash is then appended to the end of the data before converting this to a barcode. This will add an additional 172 characters (bytes) to the barcode using a 1024 bit key. TSA will work within the International Air Transport Association’s (IATA) existing Resolution 792, which provides airlines with standards for use of 2D barcodes.
At the checkpoint the TSA barcode reader will use the airline’s “Public Key” to decrypt the hash. This allows TSA to verify the identity of the airline that created the barcode. At a second level, the decrypted hash will be compared against the rest of the barcode data. This will allow TSA to detect if the data has been tampered with. It would be extremely difficult to falsify a boarding pass if this approach is taken. A passenger would need to modify the barcode data, regenerate the hash, and then encrypt this with the airline’s private key. The only realistic way to achieve this is if the airline’s private key was compromised. However, this is mitigated by installing a process where the private key is changed on a regular and random basis.
If a boarding pass is determined by the BPSS to have been tampered with or not authentic, the passenger will be referred to local law enforcement officers and TSA will capture the details of the incident in its existing incident database using established forms and processes. The primary database for capturing incident information at TSA is the Performance And Results Information System (PARIS).
Ok, so they’re really really slow, but their proposed solution is actually reasonable. Not perfect, but reasonable. Using a public/private key encryption system, signing the data, and changing the key on a regular basis actually will go a long way towards preventing problems. In theory. But there’s more to it than specifying some neat technology. You’ve got to implement that technology. Let’s learn a little bit more about this bar code. First of all, have a look at the Wikipedia page for BCBP (bar-coded boarding pass) here. There’s a lot to read (if you click on all of the links at the bottom), but the important information is this. First, the bar code is typically in one of three standardized formats: PDF417, Aztec, or QR code. All are well-known standards, and plenty of software is available to read and write all three. Good for you guys for picking open standards. Second, the format of the data is well-documented (as it should be). The documentation on the format is available in the “BCBP Implementation Guide” (find it here), which is a guidebook of sorts for software and hardware developers to interoperate with the new standard. Cool! So now, boarding passes are digitally signed, and cannot be altered without knowing the private key. Which, in theory, is unknowable. Sweet! So now we just need equipment at the TSA screening stations to read the bar codes and validate them, and display the necessary information to the TSA Tards to compare with passports and driver’s licenses. Wait, before we cover that, let’s look at the BCBP Implementation Guide real quick. On pages 52-53, we find the following:
The security field is optional and to be used only when required by the local security administration. This field contains a digital signature of variable length, the length of the field and a type of security data (that defines the algorithm used).
The digital signature is part of a public key infrastructure (PKI): the airlines own their private key, used to generate the digital signatures, and distribute their public keys to third parties who need to verify the signatures.
Each signature is unique to an airline and a boarding pass: if the bar code data are modified, they won’t match the signature any more. Moreover a signature cannot be generated without the private key. Consequently only an airline can generate a boarding pass with a digital signature and the bar code cannot be tampered with.
Furthermore, on page 53, they note:
The bar code data (mandatory, optional and individual airline use fields) remain unchanged and can be read regardless of the digital signature. The security field is a separate field that enables a third party to verify that the bar code data were not tampered with.
So two important items to take away from this (one of which is more important later on in the discussion):
- The data is unencrypted. It’s in plain readable text (assuming you can read the barcode).
- The security data is optional, and varies per airline.
Wait a minute. Read number two again. The security data is optional, and varies per airline. Seriously? Are you kidding me? Let’s translate that into English: If you simply leave off the security data when you generate your own barcode on your fake boarding pass, by the rules of the standard used to implement boarding pass barcodes, your barcode is valid. So if you make up your own data (or modify what’s already there) and leave the original security data on it, it will fail the test when the TSA Tard laser-scans your boarding pass. But if you simply leave that part off, you’re good to go. Holy crap! But it gets worse. Much worse. See number 1: the data is unencrypted. Well so what, you say. Who cares? The data in the barcode is exactly the same data that’s printed on the ticket, right? So who cares whether or not it’s encrypted? Um, well, no. Not so much. Remember that we’re dealing with the government here. Enter Pre.
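Both halves of the problem, the BPSS signing scheme quoted from the Privacy Impact Assessment (hash the bar-code data, sign the hash with the airline’s private key, check it at the checkpoint with the public key) and the “security field is optional” rule from the implementation guide, fit in a few lines of Go. This is an added example, not code from the TSA document, the IATA guide or any airline system. The payload string is constructed and only loosely shaped like BCBP fields (its positions are not the standard’s), the `^` delimiter and SHA-256 are assumptions (the standard carries the signature in a structured security field, and the PIA doesn’t name its hash), and the key is 1024-bit RSA because that is the size the PIA quotes, which is why the appended field comes out at exactly the 172 characters the PIA mentions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample payload, loosely shaped like the plain-text BCBP fields
// (name, PNR, route, flight, seat). NOT a real BCBP record; field positions
// do not follow the standard.
const SamplePass = "M1DOE/JOHN            EABC123 PDXORDXX 1234 045Y012A0001 100"

// Delimiter between payload and appended security field. The real standard
// uses a structured security field; "^" is an assumption to keep this readable.
const sigSep = "^"

// NewAirlineKey makes the airline's signing key. 1024 bits is the size the PIA
// quotes, which is why the signature field below is exactly 172 characters.
func NewAirlineKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 1024)
}

// SignPass follows the PIA description: hash the bar-code data, sign the hash
// with the airline's private key, append the (base64) signature to the data.
func SignPass(priv *rsa.PrivateKey, data string) (string, error) {
	digest := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return data + sigSep + base64.StdEncoding.EncodeToString(sig), nil
}

// splitPass separates payload and security field; present=false if there is none.
func splitPass(pass string) (data, sig string, present bool) {
	i := strings.LastIndex(pass, sigSep)
	if i < 0 {
		return pass, "", false
	}
	return pass[:i], pass[i+len(sigSep):], true
}

// verifySig recomputes the hash of the data and checks it against the signature.
func verifySig(pub *rsa.PublicKey, data, sig string) error {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(data))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw)
}

// VerifyLenient reads the guide literally: the security field is optional, so a
// pass that simply omits it is accepted without any check at all.
func VerifyLenient(pub *rsa.PublicKey, pass string) error {
	data, sig, present := splitPass(pass)
	if !present {
		return nil
	}
	return verifySig(pub, data, sig)
}

// VerifyStrict is the checkpoint policy that closes the hole: a pass with no
// signature is treated exactly like a pass with a bad signature.
func VerifyStrict(pub *rsa.PublicKey, pass string) error {
	data, sig, present := splitPass(pass)
	if !present {
		return errors.New("security field missing: unsigned pass rejected")
	}
	return verifySig(pub, data, sig)
}

// Outcome records how each verifier treats a genuine, a tampered and an unsigned pass.
type Outcome struct {
	SigFieldLen                     int
	GenuineLenient, GenuineStrict   bool
	TamperedLenient, TamperedStrict bool
	StrippedLenient, StrippedStrict bool
}

// Demo signs the sample pass, then runs the three cases through both verifiers.
func Demo() (Outcome, error) {
	var o Outcome
	priv, err := NewAirlineKey()
	if err != nil {
		return o, err
	}
	pub := &priv.PublicKey
	genuine, err := SignPass(priv, SamplePass)
	if err != nil {
		return o, err
	}
	_, sig, _ := splitPass(genuine)
	o.SigFieldLen = len(sig)
	// Change the name but keep the airline's signature: the hash no longer matches.
	tampered := strings.Replace(genuine, "DOE/JOHN", "ROE/JANE", 1)
	// Change the name and drop the security field entirely.
	stripped, _, _ := splitPass(tampered)
	o.GenuineLenient = VerifyLenient(pub, genuine) == nil
	o.GenuineStrict = VerifyStrict(pub, genuine) == nil
	o.TamperedLenient = VerifyLenient(pub, tampered) == nil
	o.TamperedStrict = VerifyStrict(pub, tampered) == nil
	o.StrippedLenient = VerifyLenient(pub, stripped) == nil
	o.StrippedStrict = VerifyStrict(pub, stripped) == nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

`VerifyLenient` is what “optional” means in practice: a pass with no security field is accepted with no check at all, so nobody needs to attempt the “extremely difficult” attack on the airline’s private key. `VerifyStrict` is the one-line policy change (no signature, no entry) that turns the PKI into an actual control, and it only works if every airline actually signs every pass.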
Pre is cool for people who fly a lot. When you fly a certain amount with an airline, you get “status” on that airline. It’s the way the airline rewards you for loyalty. You get to change your tickets around without paying fees. You get first pick of the exit row and bulkhead seats. You get bumped up to empty seats in first class. You get to board early so you get overhead storage space. It works out nicely for everyone concerned, as the airlines make a ton of money on business travelers, and those same travelers are encouraged to stick with one airline and spend all their money in one place. Let me tell you, if you spend as much time on planes as I do, status is worth gold. But there’s more. The other nice perk is that there’s almost always a shorter line for TSA screening for passengers with status. Much shorter. Unbelievably shorter, mostly. You go almost to the front of the line, no matter how many of the unwashed masses are standing in line. While this does appear a little unfair, it also makes a certain amount of sense. If you fly often enough to get status, you’re probably very familiar with the litany of idiotic TSA rules and policies, and you pack with this in mind. You already have your toothpaste in a baggie, you wear your shoes with no laces, you wear pants that will stay up without a belt, and you generally grease through security with a lot less effort than people who fly once a year to go visit their grandkids. Why not move these people right on through the system? Besides, again, these people pay the bulk of BigAirline.com’s bills, and the airlines have some pull with the TSA.
It turns out, this isn’t enough. No matter how short the line to TSA screening is, it’s still the short line to stupidity. Take your shoes off? Seriously? Have you ever been through Ben Gurion Airport in Tel Aviv? I have. They have the best, most thorough, most careful screening in the world. And I don’t have to take my shoes off. The TSA puts on a pretty good show of security (now they even have shiny badges to flash around, enhancing the illusion that they’re law enforcement). The general public usually rates the TSA fairly well. What the USA Today articles don’t mention is that they have dismal ratings with frequent fliers. Why? Because we all know it’s bullshit. And we’re all very tired of being “randomly” singled out for groping. So the TSA finally caved and came up with a program called Pre. Pre sucks a lot less than the usual rigamarole. You have to get invited to be a Pre “user” by your airline, or else go through the PITA process of signing up through DHS, being interviewed in person at a DHS office, and paying all the fees out of your pocket. So most people don’t go that route. You also have to agree that all of your travel data will be shared with TSA (which is flat out retarded, since they already have it anyway).
Once you’re signed up, it works like this: You go up to the first TSA Tard (the one who matches the name on your boarding pass to the name on your ID), and he scans the barcode on your pass on his magical laser scanner. If it beeps once, you get the usual grope/porno scanner. If, on the other hand, you get the magical three beeps, you get shuttled off to the left, and go through the magical land of Pre. There’s no microwave oven scanner. You don’t take your belt off. Or your shoes. Or take your laptop out of its case. You go through just like pre-9/11 (other than no more pocket knives). Why this amazing new level of trust? Two things: first, they “know who you are”, because you’ve signed away your rights to travel privacy. Second, you never know if you’re going to get picked for Pre or not. And by not knowing, the theory is that you won’t pull any “funny stuff”, because you can’t get away with it. “Funny stuff”? Sure. You do know the scanners are complete theater, right? You know why you take your coat off? Because anything metal that’s not between your body and the scanner is invisible to the scanner. It’s like it’s not there. And coats generally hang away from the body, allowing you to put almost anything in a coat pocket and not have it seen by the scanner. Try it some time with cargo pants. Put something totally innocuous (like a metal mechanical pencil) in your cargo pocket (use something innocuous so you can play dumb in case they find it in a hand grope), then go through the scanner. Guess what? Works every time with the backscatter machines. 100%. Just wear baggy cargo pants and put the item in a thigh pocket. And if it works for a pencil, it’ll work for anything. Anyway, the theory is you won’t try stuff like that if there’s a good chance you’ll get picked for Pre and go through a normal metal detector. Or you won’t carry a carbon fiber knife with you if you know you might have to go through the microwave oven scanner.
Not knowing means not being able to prepare.
But hang on, let’s go back to our document “BCBP Implementation Guide”. On page 49, you’ll see a breakdown of the data structure inside of the barcode. If you’ve been around computers long enough, you’ll recognize this as a fairly typical fixed-field form common back in the Olden Dayes of Mainframes. Which is exactly where most of the airlines’ systems come from (for fun, do a Google search on SABRE). Anyway, look through the list of fields until you find number 18, which is a field that contains one character, and is called “Selectee Indicator”. Now go back up to the two interesting conclusions we drew earlier, specifically number 1: “The data is unencrypted. It’s in plain readable text (assuming you can read the barcode)”. Well, we already know we can read the barcode. If it’s on paper, it’s probably PDF417. If it’s on your smartphone, it’s probably QR code or Aztec. Do a quick scan of the App Store for either your Android or your iPhone, and you’ll quickly come up with a dozen barcode readers. My favorite is from Manatee Systems. It’ll read anything (including PDF417, which is relatively rare). It’s available for both platforms, and it’s free. Point it at your barcode and scan it. Read the results. They’re not easy to read, but you’ll be able to pick out some interesting tidbits, like your name, the originating and destination cities, your flight number, and your seat number. And lo and behold, the 103rd character in the string is either a 0 or a 3. It’s really not that hard to find, it’s usually the only single digit surrounded by empty space in the result. If it’s a zero, you’re getting the Grope. If it’s a three, you’re going through Pre. And now you know, before you even leave your house for the airport, whether or not you’re going to get “easy breezy” security, or the anal probe. Yet again, only government can come up with this stuff.
Could the standard be changed? Yeah, it could. But it would require changing the software on thousands (or more) of airline computers, as well as all those spiffy little laser scanner boxes at the TSA checkpoints. That takes years and millions of dollars. And speaking of those scanners, given that the TSA is finally aware that people are scamming them with fake boarding passes, it’s a great place to take that scanned data and validate it against the No Fly list, right? But they don’t. Those machines are hooked to nothing but the wall outlet. In fact, it’s guaranteed in the first document we looked at, the “Privacy Impact Assessment for the Boarding Pass Scanning System”. Oh well.
You didn’t really think you were any safer with the TSA in charge, did you? For what it’s worth, this article is not the result of days or weeks of research. It’s the result of 30 minutes of Googling while using airport WiFi waiting for a flight in Portland two weeks ago. 30 minutes. That’s all it took to turn up 100% of this information. It took longer to type it than to learn it. They’re trying to ban guns to make us safer. Next, they’ll try to ban information.
The TSA failed on every count. You can now generate your own boarding pass at home with whatever information you want on it. Just take an existing pass and change the text to whatever you like. Then scan the old barcode here (or with a smartphone app). Change the data for the barcode to match your made-up data, then generate a new barcode here. Paste that new barcode into your new boarding pass, print it, and you’re done. While you’re at it, change that 103rd character to a 3 so you can go through easy security (Not a member of Pre? No worries, they don’t check that. All they look for is 0 or 3). Oh, and that optional security stuff that’s part of the barcode? It’s optional. And you know what? Nobody uses it. I’ve scanned every boarding pass barcode I can get my hands on over the last two weeks, and not only is it not required for reading the barcodes on the machines, nobody bothers to include it in the original boarding passes in the first place. So now it’s doubly safe to ignore and leave off. Obviously, there are risks in actually doing this (if you get caught, I doubt it would be pleasant). On the other hand, unless you do or say something particularly stupid, there’s no reason you’d get called out.