WASHINGTON — More than 11 years after the Sept. 11 terrorist attacks, it remains possible to use fake boarding passes to get through airport security checks, according to new evidence from security researchers and official documents.
The security vulnerabilities could allow terrorists or others on “no-fly” lists to pass through airport checkpoints with fraudulent passes and proceed through expedited screening. They could even board planes, security analysts warn.
The Washington Post was alerted to the vulnerabilities by passengers and verified them through independent security experts. At the request of federal officials, The Post is withholding details that would make it easier to exploit the vulnerabilities.
The security gaps center on airline boarding passes. According to security researchers, the bar codes on those passes can be manipulated with widely available technology to change information they contain.
Information about reading and altering boarding pass bar codes has circulated on online forums for several months and has recently been picked up by security researchers. Many of them note that the potential for tampering with passes has been exacerbated by the proliferation of smartphones that can read the bar codes and free software that can manipulate them.
Security guidelines set by the Transport Security Administration allow airlines to add an encrypted “digital signature” to prevent board passes from being altered. Not all passes include authentication.
“It's alarming — this basically negates the no-fly list,” said Chris Soghoian, a fellow at Indiana University's Center for Applied Cybersecurity Research.
