TSA Bad At Security; Leaves Security Status Data On Boarding Passes Unencrypted

from the these-people-are-supposed-to-make-us-feel-safe dept

You would think, given that "Security" is literally the organization's middle name, that the Transportation Security Administration (TSA) would actually have some sort of clue about the basics of security. Apparently not. This week, someone noticed a ridiculous security flaw in the TSA's pre-screening process for "expedited" lines. This is the program where frequent travelers can pay extra to get into special, faster security lines, and where they can skip some of the worst aspects of airport screening: they don't have to take their laptop out, or take off their shoes or belt, and they can bring more liquid than mere peons.

Of course, security experts long ago pointed out that any such system now becomes a target for terrorists, who can focus on getting into that special line and use that lesser security to cause trouble. One response to this is that even passengers who qualify for such a program are still subject to "random" conventional screenings. However, aviation blogger John Butler realized that the bar code printed on your boarding pass reveals whether or not you'll be "selected" for further scrutiny, and that it's not difficult to check ahead of time to see if you'll have to go through stricter security, because the TSA has apparently never heard of encryption.

As Chris Soghoian pointed out, knowing this info ahead of time could allow plotters to plan accordingly:

“If you have a team of four people [planning an attack], the day before the operation when you print the boarding passes, whichever guy is going to have the least screening is going to be the one who’ll take potentially problematic items through security,” said Soghoian, now a senior policy analyst at the American Civil Liberties Union. “If you know who’s getting screened before you walk into the airport, you can make sure the right guy is carrying the right bags.

“The entire security system depends on the randomness,” he said. “If people can do these dry runs, the system is vulnerable.”

I guess, when you've always been in the business of "security theater" rather than actual security, it shouldn't come as a surprise that you don't know the first thing about basic security.

Reader Comments

  1. Anonymous Coward, 25 Oct 2012 @ 2:54pm

    Re: And if they did encrypt it

    No, it's "password"
