One passenger who contacted The Post, Michael Williams, president of a small information technology firm, said his concern was that the security flaws could give someone on the no-fly list an opportunity to get onto a plane.
“Without forging any identification cards, someone on the no-fly list could easily use the current flaws to board an aircraft,” Williams said.
Williams said he has not attempted to tamper with boarding passes. A handful of others who contacted The Post after an earlier story on TSA security claimed they had tampered with their boarding passes and provided documentation as evidence. They spoke on the condition of anonymity.
Bruce Schneier, chief security technology officer at BT Managed Security Solutions and a long-term critic of U.S. aviation security, said the new evidence suggests it remains possible to evade the TSA’s security measures.
“The boarding pass checks have never been any good — they’ve always been fakeable,” he said. “You can fake a pass quite easily. [In the past] I’ve done it. There’s software out there.”
Some security experts say the TSA could limit the potential for tampering with bar codes by requiring that all airlines include encrypted “digital signatures” on all boarding passes. Doing so would make it nearly impossible to tamper with the bar codes. Asked why only some boarding passes include such encryption, Pistole said the TSA “does not comment on specifics of the screening process and will always incorporate random and unpredictable security measures throughout the airport.”
Even if digital signatures were made mandatory, other security gaps remain, experts warn. Airlines cross-check passenger names against federal databases containing the names of passengers who are on the no-fly list or subject to additional screening. But the names are not cross-checked by TSA once passengers reach airport checkpoints with boarding passes in hand.
To do so, the TSA would need to have electronic scanners with networking capabilities to communicate with the federal databases. Technical documents issued by the agency confirm that its system does not have such capabilities and does not routinely check boarding passes against federal databases.
“The TSA has a real problem here,” said Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute. “They need to convey information from a variety of airlines to a whole bunch of different scanners scattered throughout an airport, and they need to do it securely.”
Between January and August of this year, 375 million passengers passed through TSA security, a rate of 1.8 million passengers screened at U.S. airports each day.
Soghoian, the Indiana University fellow, said he is concerned that the system has not improved since 2006, when he sought to draw attention to airline security vulnerabilities by building a Web site that permitted travelers to produce fake boarding passes. The warnings from Soghoian and others led to changes in security rules, including the introduction of security features such as digital signatures.
Soghoian suggested it is the patchy implementation of new rules that has left the system vulnerable. He said he thinks the TSA could vastly improve the system by simply requiring digital signatures on boarding passes.
“This is not a technical problem,” he said. “This is a policy problem.”