Ask Slashdot: Is TSA's PreCheck System Easy To Game? 157
OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"
Probably, but watch out for the Audit. (Score:2, Interesting)
From what I've read, it would be fairly easy to re-encode your boarding pass to have pre-clearence approval on it. It is just changing a bit on the barcode. Remember, this is matched against your ID and logged. Sure you might get waved on the flight, but I would be shocked to find out anyone that tries this gets in serious trouble. Still doesn't stop the terrorist passenger but might catch people fast enough to honeypot dry runs.
Could be a honeypot (Score:5, Interesting)
Re:This was in the news last week. (Score:3, Interesting)
It was also on Slashdot last week. Good to see that the editorial standards are as high as ever; although Timothy is sadly departed (good night, sweet prince), his fine legacy continues...
looked into it (Score:2, Interesting)
I looked into it, but it turns out that modifying a boarding pass is a felony.
Why the hell would you even want to try? (Score:5, Interesting)
These people are lazy. They're annoying, and they're a blight to society. However, for the time being we're all stuck with them until the rest of the general population rises up and says "We've had enough, out you go!".
So I ask you this- even if the system is "easy to game", why the hell would you want to risk it? Maybe you get past their security once, twice, a dozen times, etc. Maybe it is easy to game. That's nice and all.
The question you should be asking yourself is: "What are the consequences of being caught?". These people will happily label you as a terrorist and put you on a no-fly list FOR THE REST OF YOUR LIFE. You think you have legal rights, that they can't do that? They have and they will. Have fun spending the next 5 years of your life debating the finer details of the law in court so you can continue to fly down to Hawaii with the family on occasion for vacation.
It doesn't matter that their system is broken, or that the whole thing is a security theatre and a complete and utter farce. It matters what they're going to do to you when they find out you've been tampering with the system. If you make them look like idiots, their reaction will be to label you as a nefarious terrorist or hacker who was out to get the TSA and thank god they eventually stopped you because who knows what you would have done if they hadn't.
So are you **really** willing to live with the consequences of tampering with the system? Or are you just talking big because someone said the TSA was hackable and now it's all cool and hip to point that out to other people and pretend like you're actually gonna go ahead and do it?
Re:Could be a honeypot (Score:4, Interesting)
If I were designing a security system for TSA, I would definitely consider printing a (possibly fake) screening status in the barcode in plain text. If you keep a database of what status you assigned to which boarding ticket, then you can more thoroughly screen (or arrest and jail indefinitely) anyone who changes the easily hackable obvious screening status on their boarding pass.
This is an interesting point, but what does any of this have to do with catching terrorists? Now TSA will detain people who mess with barcodes and claim them to be terrorists?
To extend your line of thought -- If _I_ were designing a security system for TSA (an organization that has never caught a terrorist on its own accord), I too would make up an easily game-able system so that TSA can actually arrest some people and then trump such arrests as success and therefore request more funding.
It would be a lot cheaper and just as efficient to go back to pre-9-11 security and invest in an "anti-terrorism rock" for contractors (if contractors must be funded by this).
Re:Why the hell would you even want to try? (Score:5, Interesting)
Which is probably about half an hour for most of the people who would likely be trying to game the system. And that is why it is the responsibility of security researchers and other folks to point out the flaws in the system and to make the TSA look like idiots at every possible opportunity. It is their civic duty, as they represent the only remaining hope that the TSA will either go away or become useful.
Boarding Passes with PDF417 barcodes (Score:4, Interesting)
My boarding passes seem to have PDF417 barcodes on them. I've tried several but haven't found an Android app that'll read them yet. The Android app from the airline displays a QR code boarding pass, but then I can't scan it with my phone. Anyone know an Android app that'll scan it? Or a program for Mac that'll scan a QR code from the camera? No, I'm not looking to change it, but finding out if I got the PreCheck lane would be nice in advance.
Re:Yes (Score:5, Interesting)
Way to get every /. member on the no fly list.
It's probably dangerous to even comment on this article. It's probably a Homeland SecurityTSA sting.
Re:Yes (Score:5, Interesting)
Well, they're semi-effective at catching TSA employees who steal iPads, laptops and expensive camera gear.
No, they're not. There are occasional busts, but most go unreported or unaddressed.
Fun fact: The TSA refuses to report such thefts to local authorities, as a matter of policy.
Re:Could be a honeypot (Score:5, Interesting)
Re:Yes (Score:1, Interesting)
Not entirely correct. The TSA checks at airports are only one part of the security system. There are other activities within the security system that are looking for new potential threats - the airport checks are not where that battle is being fought.
What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.
Do I think that the TSA has gone too far in terms of infringing on the rights of people who are not terrorists? Yes. I think they are too concerned with being accused of missing something and have therefore trampled on everyone's toes.
Do I think that the TSA is not helping in terms of deterring terrorist attacks on airplanes? No. You have to have airport checks, and those checks have to respond to threats that are detected by other parts of the security network.
Re:Begin at the beginning... (Score:5, Interesting)
You can always get a legit boarding pass with no extra screening, change it to extra screening, and see what happens. They can't say you tried to bypass any security measures that way :)
Re:Yes (Score:4, Interesting)
DING!
Some people see a monster and need to believe that someone (even someone hostile to them) is holding its leash.
The truth is somewhat scarier: that the continual growth of oppressive-yet-useless security apparatus like the TSA is an emergent property of power, fear, and greed.