US Boarding Pass Flaw Exposes Valuable Data

Passenger security when travelling on American domestic airlines has been thrown into doubt after a serious vulnerability was discovered on US boarding passes.

The vulnerability was highlighted by aviation blogger John Butler last week.

Unencrypted barcode

The flaw stems from a barcode found on US domestic airline boarding passes. This barcode is only meant to be read by US Transportation Security Administration (TSA) technology. But according to Butler, most smartphones can decode it because the data it contains is unencrypted.

The flaw is serious because it could allow certain American passengers to bypass some security checks and bring unauthorised items aboard the aircraft. The unencrypted barcode data shows what type of airport security checks the passenger will receive before they board their aircraft.

Most of us will be familiar with the fairly rigorous security screening and checks an airline passenger currently faces. Passengers are often asked to remove their shoes and belts, empty their toiletries, and have their bags scanned. The US, however, operates a PreCheck system, which randomly decides which frequent fliers can skip part of this pre-boarding security process.

The barcodes could therefore allow passengers to work out whether or not they had been picked for certain security checks. The fear is that they could use this data to potentially smuggle illegal items on board.

“The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. Using a website I decoded my boarding pass for my upcoming trip,” wrote Butler.

Butler was able to reveal details on his own upcoming domestic flight in the United States. This included his seat assignment, flight number and name. “But what is interesting is the bolded three on the end,” explained Butler.

“This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.”

Photo editing

Butler is concerned because the flaw may allow terrorists to use a website to decode the barcode and get their hands on the info and then tamper with tickets.

They could then place this data in a text file, “change the 1 to a 3, then use another website to re-encode it into a barcode,” the researcher said. “Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created,” Butler warned.

“Even more scary is that people can do this to change names… So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID.

“The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.”

Butler said a simple solution would be to encrypt the information before putting it on the boarding pass. This would mean that passengers would need to break the encryption before accessing the data. The other solution is for the TSA to connect its scanners to the airline database and check the boarding pass against what the airline has.
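The checkpoint-side check described above can be sketched as follows. This is an added example, not code from Butler, the TSA or any airline: the pipe-delimited record, the field names, the key and the in-memory "database" are all constructed for illustration and are not the real boarding pass layout. It also goes one step beyond the article by attaching a keyed MAC to the payload, so that an alteration is detectable even when the scanner cannot reach the airline database.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer would hold this in a key store.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

# Constructed stand-in for the airline's reservation database.
AIRLINE_RECORDS = {
    "ABC123": {"name": "DOE/JANE", "flight": "XX0123",
               "seat": "14C", "screening": "1"},
}

FIELDS = ("locator", "name", "flight", "seat", "screening")


def _tag(payload):
    """HMAC-SHA256 over the serialised fields, hex encoded."""
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_pass(locator):
    """Airline side: serialise the record and append the MAC tag."""
    rec = AIRLINE_RECORDS[locator]
    payload = "|".join([locator] + [rec[f] for f in FIELDS[1:]])
    return payload + "|" + _tag(payload)


def check_pass(scanned):
    """Checkpoint side: return a list of problems; empty means accept."""
    payload, _, tag = scanned.rpartition("|")
    problems = []
    # Offline check: constant-time comparison of the presented tag.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        problems.append("tag mismatch: payload altered after issue")
    parts = payload.split("|")
    if len(parts) != len(FIELDS):
        return problems + ["malformed payload"]
    fields = dict(zip(FIELDS, parts))
    # Online check: compare every scanned field with the airline's record.
    record = AIRLINE_RECORDS.get(fields["locator"])
    if record is None:
        return problems + ["no reservation for this locator"]
    for name in FIELDS[1:]:
        if fields[name] != record[name]:
            problems.append(f"{name} differs from airline record")
    return problems
```

A shared MAC key has to live on every scanner; a public-key signature would let scanners verify a pass without holding any signing secret.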

Security remains a sensitive subject for the airline industry, which has to balance the security needs of the flight with the rights of passengers.

In the summer, it was revealed that British Airways was facing questions over potential privacy issues, because its staff were using the Internet to gather personal information about certain airline passengers.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
