TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted

from the these-people-are-supposed-to-make-us-feel-safe dept

You would think, given that “Security” is literally the organization’s middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA’s pre-screening process for “expedited” lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don’t have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.

Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that, even for passengers who qualify for such a program, they’re still subject to “random” conventional screenings. However, aviation blogger John Butler realized that the bar code printing on your boarding pass reveals whether or not you’ll be “selected” for further scrutiny, and that it’s not difficult to check ahead of time to see if you’ll have to go through stricter security because the TSA has apparently never heard of encryption.

As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable.”

I guess, when you’ve always been in the business of “security theater” rather than actual security, it shouldn’t come as a surprise that you don’t know the first thing about basic security.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted”

Subscribe: RSS Leave a comment
26 Comments
Anonymous Coward says:

Wow.

They put it right there on the boarding pass bar code, unencrypted? I guess they figured people can’t read bar codes and would never be able to figure out their foolproof code of “0 = let through, 1 = screen”?

But seriously, why bother putting it on the boarding pass in the first place, even encrypted? It seems like it would be just as easy to decide who gets screened at the point of screening rather than the point of sale. All you need is a random number generator.

Mr. Applegate says:

Re: Re:

Random? Do you honestly think there is anything remotely random about the current TSA system? Do you think they want a random system?

Then they might have to securely screen someone ‘important’. And heaven forbid they have to do the extra screening on the ugly fat bitch.

I once was travelling and we had to transfer planes twice. I was not screened (beyond normal) at all. However, one of the people on the flight got selected for pat down before the first flight, and both time we transferred planes. When I got to my destination he had to transfer to another plane and had to pass through security again, and for a third time in less than 7 hours he was patted down. There is NO way there was anything random about it.

egghead (profile) says:

Re: Re: Re:2 And if they did encrypt it

Dark Helmet: What the hell am I looking at?! When does this happen in the movie?!
Colonel Sandurz: “Now”. You’re looking at “now”, sir. Everything that happens now is happening “now”.
DH: What happened to “then”?
CS: We passed “then”.
DH: When!?
CS: Just now. Were at “now,” now.
DH: Go back to “then”!
CS: When?
DH: Now!
CS: “Now?”
DH: Now!
CS: I can’t.
DH: Why!?
CS: We missed it.
DH: When!?
CS: Just now.
DH: … When will “then” be “now”?
CS: Soon.

Jim says:

Re: And if they did encrypt it

Actually yes. There is a special scanner my prosthetic has Been Examined with twice at MCO. The password 12345678. And the second time through (with over a year between trips), I thought the TSA agent was going to send me to Gitmo for pointing out their weak password was unchanged.

Not an Electronic Rodent says:

Re: Gov SOP Name means exact opposite of reality

The names governments give things mean the exact opposite of their reality.

Of course:
“Always get rid of the difficult bit in the title ? it does less harm there than in the text” – Sir Humphrey Appleby (Yes Minister – finest political documentary..uh, comedy.. ever)

The Real Michael says:

“This week, someone noticed a ridiculous security flaw in the TSA’s pre-screening process for ‘expedited’ lines. This is the program where frequent travelers can pay extra to get them in special faster security lines, and where they can skip some of the worst aspects of airport screening: they don’t have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.”

Giving preferential treatment to frequent fliers who pay extra is essentially another form of class warfare. If you can ‘bribe’ the TSA into faster processing, that immediately exposes them for the greed-driven theater they really are. It’s saying, “Hey, pay us extra for additional convenience.”

Jay (profile) says:

That proves it...

So Holder allows sharing of information in law enforcement, the NSA compiles the data and the TSA figures out where you are going and who is is in your circle of influence. Not only do these people want to know all sorts of information about you, they want to suppress those that would change the system.

The media doesn’t tell the story and we’re left with a government that ignores the 4th Amendment.

Meanwhile, if you have enough money, you can bypass security, but even then, we are moving closer to a police state. Now I know what the Robber Baron Era feels like…

Jay (profile) says:

Re: Re:

That’s just it… This is about gathering information on everyone in the guise of security.

I just recently heard about Canada having an issue in regards to sharing information through the airport stops. This started with America and has not stopped. The info is given to law enforcement to collect a profile of everyone.

The naked scanners are used to see how you look. They can then link up aol of the information about you through Stellar wind and the NSA. Meanwhile, we know nothing of their plans save to lock up everyone with the Espionage Act and the NDAA who speak out of turn.

It’s stunning to see so many dots that connect in such a manner…

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...