An aviation enthusiast has detailed a potential security vulnerability involving the barcodes found on flight boarding passes. Currently, the barcodes are unencrypted, allowing anyone with a scanner to read the details of a given flight, such as passenger information and destination. The most troubling aspect is that those looking at the information are also able to determine whether they’ve been selected to pass through the controversial full body scanners.
In his blog post, John Butler describes how the final number on a scanned boarding pass indicates the eligibility for the TSA’s PreCheck program. One beep after a scan, for instance, means there’s no PreCheck and that the passenger will have to pass through a scanner, while three beeps confirms PreCheck status. Ultimately, it’s feasible that anyone armed with the information could alter the "one" to a "three" and modify the boarding pass accordingly, especially since the TSA barcode scanners don’t check against real time information.
The TSA declined to comment to The Washington Post on the specifics of the discovery, saying in a statement that the screening process contains "measures both seen and unseen," and that PreCheck "is only one part of our intelligence-driven, risk-based approach."