How to get good seats in the
security theater?
Hacking boarding passes for fun and profit
Przemek Jaroszewski
przemj+defcon24@gmail.com
$ whoami
• head of the Polish national CSIRT (CERT Polska)
• 10+ years of education in programming
• Master’s degree in social psychology
• 15 years of experience in IT security
• aviation enthusiast, unrealized air traffic controller
Disclaimer
• Research and opinions are my own, not my employer’s
• Some of the stuff is grey area, and some is plain illegal
Up in the Air
• FF miles are nice, but status is nicer
Except when improvements don’t work…
IATA Resolution 792 (2005)
• Paper
• PDF417
• Mobile
• QR Code
• Aztec
• DataMatrix
Bar-Coded Boarding Pass
M1JAROSZEWSKI/PRZEMYSLE56XXXX
WAWCPHSK 2762 666M009C0007 666>10B0
K6161BSK 2511799999153830 SK A3
199999999 *3000500A3G
M1JAROSZEWSKI/PRZEMYSLE56XXXX
WAWCPHSK 2762 666M009C0007 666>10B0
K6161BSK 2511799999153830 SK A3
199999999 *3000500A3G
M1JAROSZEWSKI/PRZEMYSLE56XXXX
WAWCPHSK 2762 666C009C0007 666>10B0
K6161BSK 2511799999153830 SK A3
199999999 *3000500A3G
Where did we get?
• Free Fast Track for all travellers
M1COLUMBUS/CHRISTOPHERE56XXXX
WAWCPHSK 2762 666M009C0007 666>10B0
K6161BSK 2511799999153830 SK A3
199999999 *3000500A3G
M1COLUMBUS/CHRISTOPHERE56YYYY
WAWCPHSK 2762 666M009C0007 666>10B0
K6161BSK 2511799999153830 SK A3
199999999 *3000500A3G
Where did we get?
• Free Fast Track for all travelers => Sterile area access for all
Wait, this is not news!
• Bruce Schneier (2003): Flying On Someone Else’s Airplane Ticket
• shows how to work around no fly lists with print-at-home BPs
• Andy Bowers (2005): Dangerous Loophole in Airport Security
• Bruce Schneier (2006): The Boarding Pass Brouhaha
• Christopher Soghoian (2007): Insecure Flight: Broken Boarding Passes
and Ineffective Terrorist Watch Lists
• Jeffrey Goldberg (2008): The Things He Carried
• Charles C. Mann (2011): Smoke Screening
• John Butler (2012): Security Flaws in the TSA Pre-Check System and
the Boarding Pass Check System
No Fly List Bypass (in 2003)
• Buy tickets under false name
• Print your boarding pass at home
• Create a copy of the boarding pass with your real name
• Present the fake boarding pass and the real ID to TSA officers
• Present the real boarding pass to gate agents
• Fly
No Fly List Bypass (in 2016 Europe)
• Buy tickets under false name
• Print your boarding pass at home
• Fly
Impacting factors:
• Particular airline’s business consciousness
• Temporary security checks
Source: r/MapPorn
Source: IATA
• NO integrity checks
• NO authentication
Source: IATA
So… Where is passenger data stored?
• Computer Reservation Systems (CRS) allow for storage and processing of
Passenger Name Records (PNR) containing:
• personal data (names, contact details)
• reservations (airlines, hotels, cars, …)
• issued tickets
• special requests
• loyalty programs data
• Dozens of CRSs exist
• GDS (eg. Sabre, Amadeus, Galileo, Worldspan, …)
• proprietary ones
• One reservation may result in multiple PNRs in different CRSs
• Data access is limited not only across CRSs, but across different parties
Notice of advice
• BCBP often contains more information than the printed version
• PNR locator (aka: reservation/confirmation number, booking reference)
• Ticket number
• Full frequent flyer number
• This information can be used to retrieve most and modify some data
in your PNR, including ticket cancellation!
• Sometimes with additional knowledge like e-mail address
• Don’t post or share non-anonymized boarding passes!
… and then on to other systems
• Departure Control System (DCS) – check-in info
• Advance Passenger Information (API) – to border agencies
• PNRGOV – to government agencies
• Secure Flight
Paper is just a bit less fun…
• MS Word is a great PDF-editing tool :)
• Most likely barcode will be scanned
anyway, so it needs to reflect the printed
information
Lounge access
• Contract lounges
• no way to verify eligibility
• may require an invitation issued from the airline
at check-in
• Airline-operated lounges
• may have access to passenger records …
• … but only for own passengers!
• automatic gates increasingly popular (eg. SAS
lounges in CPH, OSL; Turkish lounge in IST)
Duty Free Goods
• In many countries goods
are sold directly to the
passenger (liquors sealed in
a plastic bag)
• Eligibility is determined
based on destination
(eg. EU/Non-EU)
Where did we get?
• Airport access (meet&greet, sightseeing, …)
• Fast Track
• Free lunch and booze
• Duty free shopping
Source: IATA
Digital Signature
• In 2009 IATA extended BCBP standard (ver. 3) with support for digital
signatures based on PKI
• Yet many airlines still use BCBP v.1
• The field is "optional and to be used only when required by the local
security administration"
• The field has variable length, with specific algorithm etc. determined
by the authority
• Private keys owned by airlines, public keys distributed to third parties
• TSA enforced for US carriers (well, almost)
BCBP XML
• In 2008 IATA proposed Passenger and Airport Data Interchange
Standards (PADIS) XML to be used for exchange of BCBP data
between airlines and third parties, such as lounges or security
checkpoints
• The terminal would send a message consisting of a header and full
BCBP content
• The airline would reply with a Yes/No, along with a reason and
optional free text
Source: BCBP Working Group
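An added sketch (not code from the talk, IATA or PADIS) of the Yes/No exchange described above: the terminal forwards the barcode string and the airline answers from its own check-in record instead of trusting the barcode. The record store, the sample pass and the reason strings are constructed assumptions, and only the 60 mandatory characters of a single-leg pass are parsed.

```python
from collections import namedtuple

# Mandatory BCBP items of a single-leg pass, in order, with their fixed widths.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("name", 20), ("eticket", 1),
    ("pnr", 7), ("origin", 3), ("destination", 3), ("carrier", 3),
    ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("status", 1), ("var_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters
Pass = namedtuple("Pass", [name for name, _ in FIELDS])


def parse_mandatory(raw):
    """Split the fixed-width mandatory block; raise ValueError if malformed."""
    if len(raw) < MANDATORY_LEN:
        raise ValueError("shorter than the mandatory block")
    values, pos = [], 0
    for _, width in FIELDS:
        values.append(raw[pos:pos + width].strip())
        pos += width
    bp = Pass(*values)
    if bp.format_code != "M":
        raise ValueError("unexpected format code")
    if bp.legs != "1":
        raise ValueError("only single-leg passes are handled here")
    try:
        declared = int(bp.var_size_hex, 16)
    except ValueError:
        raise ValueError("variable-size length is not hexadecimal")
    if len(raw) - MANDATORY_LEN < declared:
        raise ValueError("conditional section is truncated")
    return bp


# Hypothetical stand-in for the airline's check-in (DCS) records, keyed by
# booking reference, carrier, flight, Julian date and check-in sequence.
CHECKIN = {
    ("ABC123", "XX", "0123", "100", "0007"): {
        "name": "DOE/JANE", "origin": "WAW", "destination": "CPH",
        "compartment": "M", "seat": "009C",
    },
}


def airline_reply(raw):
    """Return (accepted, reason), mirroring the Yes/No-plus-reason reply."""
    try:
        bp = parse_mandatory(raw)
    except ValueError as exc:
        return (False, "malformed: %s" % exc)
    record = CHECKIN.get(
        (bp.pnr, bp.carrier, bp.flight, bp.julian_date, bp.sequence))
    if record is None:
        return (False, "no matching check-in record")
    # The barcode carries no integrity protection, so every field that drives
    # an entitlement is compared with what the airline itself recorded.
    diffs = sorted(f for f, v in record.items() if getattr(bp, f) != v)
    if diffs:
        return (False, "differs from check-in record: " + ", ".join(diffs))
    return (True, "matches check-in record")


# Constructed sample pass (fictional carrier "XX", no conditional section).
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "WAW" + "CPH"
          + "XX".ljust(3) + "0123".ljust(5) + "100" + "M" + "009C"
          + "0007".ljust(5) + "1" + "00")
# Same pass with the compartment code changed, as on the slides above.
ALTERED = SAMPLE[:47] + "C" + SAMPLE[48:]

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("altered", ALTERED)):
        print(label, airline_reply(raw))
```

A format-only scanner accepts both strings because each is a well-formed BCBP; only the comparison against the airline's record tells them apart.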
Secure Flight
• Program implemented by TSA in 2009 to take over watchlist monitoring from
airlines
• Pre-Check and Secondary Screening introduced in 2011
• Selectee indicator in BCBP field 18; 0=normal; 1=SSSS; 3=LLLL
• In 2013 TSA started networking CAT/BPSS devices to pull passenger data
from Secure Flight, including:
• Passenger’s full name
• Gender
• Date of birth
• Screening status
• Reservation number
• Flight itinerary (in order to determine which airports receive data)
Why is awesome?
• Just when I thought I got my slides ready… I get this message
from @supersat
I noticed you are giving a talk on boarding passes at DEF CON. I
managed to acquire [this] off of eBay, and was wondering if you'd
like to play around with it at DEF CON or use it for a demo at your
talk.
Where did we get?
• Airport access (meet&greet, sightseeing, …)
• Fast Track
• Free lunch and booze
• Duty free shopping
• Pre-check??
Is it a vulnerability?
• LOT Polish Airlines:
- Please contact Warsaw Airport about this issue as they’re responsible for
boarding pass scanning systems.
• Warsaw Airport:
- It’s a known issue, but not a problem. We’re compliant with all CAA
guidelines.
• Civil Aviation Authority for Poland:
- Boarding pass forgery is a crime since they are documents.
• Me:
- Can you have a legally binding document without any form of
authentication?
• Civil Aviation Authority for Poland:
- Oh, go f*** yourself!
Is it a vulnerability?
• Turkish Airlines:
- Please be informed that we have already shared your contact details
with our related unit, to get in touch with you as soon as possible.
• SAS:
- We appreciate that you have taken the time to send us your
feedback, as this is crucial for us to improve our services.
• TSA:
awkward silence
Will it fly?
•NO.
•Seriously. Don’t try!
But you can have a nice souvenir :)
Wrap up
• Privacy and complexity of reservation systems prevent effective data
exchange between airlines and BP scanning checkpoints
• Several countermeasures have been introduced by IATA, but they’re
expensive and complicated to implement
• While US did a reasonably good job, other places have actually
lowered the bar
• Because of privacy restrictions, access to PNR will likely be limited to
governments, making cross-dependencies between private entities
inherently broken
Sources/Further reading
• IATA: BCBP Implementation Guide
http://www.iata.org/whatwedo/stb/bcbp/Documents/BCBP-Implementation-Guide.pdf
• IATA: Bar-Coded Boarding Passes FAQ
https://www.iata.org/whatwedo/stb/bcbp/Documents/bcbp-faqs.pdf
• IATA: Passenger and Airport Data Interchange Standards (PADIS) Board
http://www.iata.org/whatwedo/workgroups/Pages/padis.aspx
• TSA: Privacy Impact Assessment for the Boarding Pass Scanning System
https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf
• TSA: Secure Flight
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_secureflight_update018(e).pdf
https://www.tsa.gov/news/testimony/2014/09/18/tsa-secure-flight-program
• BCBP Working Group: Business Requirements: BCBP Data Exchange
http://www.aci.aero/media/aci/file/aci_priorities/it/doc0803_brd_bcbp_xmlfinal.pdf
• Bruce Schneier: Flying On Someone Else’s Airplane Ticket
https://www.schneier.com/crypto-gram/archives/2003/0815.html#6
• Bruce Schneier: The Boarding Pass Brouhaha
https://www.schneier.com/essays/archives/2006/11/the_boarding_pass_br.html
• Andy Bowers: A Dangerous Loophole in Airport Security
http://www.slate.com/articles/news_and_politics/hey_wait_a_minute/2005/02/a_dangerous_loophole_in_airport_security.html
• Christopher Soghoian: Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1001675
• Jeffrey Goldberg: The Things He Carried (The Atlantic)
http://www.theatlantic.com/magazine/archive/2008/11/the-things-he-carried/307057/
• Charles C. Mann: Smoke Screening (Vanity Fair)
http://www.vanityfair.com/culture/2011/12/tsa-insanity-201112
• Brian Krebs: What’s in the Boarding Pass? A lot
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
• John Butler: Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System
https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/
Thank you!
Questions/Comments:
<przemj+defcon24@gmail.com>

More Related Content

What's hot

Delivering service quality and satisfying library customers in a changing env...
Delivering service quality and satisfying library customers in a changing env...Delivering service quality and satisfying library customers in a changing env...
Delivering service quality and satisfying library customers in a changing env...Fe Angela Verzosa
 
Cross referencing using MLA style
Cross referencing using MLA styleCross referencing using MLA style
Cross referencing using MLA styleKhuram Shehzad
 
How to write (and publish) a literature review
How to write (and publish) a literature reviewHow to write (and publish) a literature review
How to write (and publish) a literature reviewMarcel Bogers
 
Subject analysis, structure and syntax of lcsh
Subject analysis, structure and syntax of lcshSubject analysis, structure and syntax of lcsh
Subject analysis, structure and syntax of lcshRichard.Sapon-White
 
Cataloging of computer software
Cataloging of computer softwareCataloging of computer software
Cataloging of computer softwareromhay23
 
Digital and Electronic Libraries
Digital and Electronic LibrariesDigital and Electronic Libraries
Digital and Electronic LibrariesShubhada Nagarkar
 
Presentation search strategy
Presentation   search strategyPresentation   search strategy
Presentation search strategyjmunks
 
Electronic resources management presentation 2021
Electronic resources management presentation 2021Electronic resources management presentation 2021
Electronic resources management presentation 2021chrisokiki69
 
Network forensics
Network forensicsNetwork forensics
Network forensicsArthyR3
 

What's hot (11)

Delivering service quality and satisfying library customers in a changing env...
Delivering service quality and satisfying library customers in a changing env...Delivering service quality and satisfying library customers in a changing env...
Delivering service quality and satisfying library customers in a changing env...
 
Cross referencing using MLA style
Cross referencing using MLA styleCross referencing using MLA style
Cross referencing using MLA style
 
How to write (and publish) a literature review
How to write (and publish) a literature reviewHow to write (and publish) a literature review
How to write (and publish) a literature review
 
Subject analysis, structure and syntax of lcsh
Subject analysis, structure and syntax of lcshSubject analysis, structure and syntax of lcsh
Subject analysis, structure and syntax of lcsh
 
Cataloging of computer software
Cataloging of computer softwareCataloging of computer software
Cataloging of computer software
 
Digital and Electronic Libraries
Digital and Electronic LibrariesDigital and Electronic Libraries
Digital and Electronic Libraries
 
Referencing Styles
Referencing StylesReferencing Styles
Referencing Styles
 
Presentation search strategy
Presentation   search strategyPresentation   search strategy
Presentation search strategy
 
Electronic resources management presentation 2021
Electronic resources management presentation 2021Electronic resources management presentation 2021
Electronic resources management presentation 2021
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
Cataloging maps
Cataloging mapsCataloging maps
Cataloging maps
 

Similar to How to get good seats in the security theater

Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Edutour
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Mobile NFC @ Airlines
Mobile NFC @ AirlinesMobile NFC @ Airlines
Mobile NFC @ AirlinesHatem Kameli
 
Passenger and Airport Collaboration through Technology (PACT)
Passenger and Airport Collaboration through Technology (PACT)Passenger and Airport Collaboration through Technology (PACT)
Passenger and Airport Collaboration through Technology (PACT)Human Recognition Systems
 
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...PROIDEA
 
5 Steps for Creating an Easier Travel Experience for your Attendees
5 Steps for Creating an Easier Travel Experience for your Attendees5 Steps for Creating an Easier Travel Experience for your Attendees
5 Steps for Creating an Easier Travel Experience for your AttendeesDMAI's empowerMINT.com
 
Document authentication system powered by assuretec
Document authentication system powered by assuretecDocument authentication system powered by assuretec
Document authentication system powered by assuretecMurugan Ramasamy
 
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Md Shaifullar Rabbi
 
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...InteractiveNEC
 
How can airports get to know their passengers - and should they try?
How can airports get to know their passengers - and should they try?How can airports get to know their passengers - and should they try?
How can airports get to know their passengers - and should they try?Human Recognition Systems
 
Driving Efficiency with Splunk Cloud at Gatwick Airport
Driving Efficiency with Splunk Cloud at Gatwick AirportDriving Efficiency with Splunk Cloud at Gatwick Airport
Driving Efficiency with Splunk Cloud at Gatwick AirportSplunk
 
The Future of Customer Experience in Commercial Aviation
The Future of Customer Experience in Commercial Aviation The Future of Customer Experience in Commercial Aviation
The Future of Customer Experience in Commercial Aviation Jorge Fonseca
 
Machine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportMachine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportTariq Tauheed
 
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQL
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQLServing the Real-Time Data Needs of an Airport with Kafka Streams and KSQL
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQLSönke Liebau
 
Using biometric technology to facilitate airport security - November 2015
Using biometric technology to facilitate airport security - November 2015Using biometric technology to facilitate airport security - November 2015
Using biometric technology to facilitate airport security - November 2015Rockwell Collins | ARINC airports
 
PATANG - GLOBAL VISIBILITY PLATFORM
PATANG - GLOBAL VISIBILITY PLATFORMPATANG - GLOBAL VISIBILITY PLATFORM
PATANG - GLOBAL VISIBILITY PLATFORMPatang
 
Using a modern data stack to explore and visualize the impact of a global pan...
Using a modern data stack to explore and visualize the impact of a global pan...Using a modern data stack to explore and visualize the impact of a global pan...
Using a modern data stack to explore and visualize the impact of a global pan...Data Con LA
 

Similar to How to get good seats in the security theater (20)

Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
Global Distribution Systems - Part 2 of 5: Past, present and yet to come: GDS...
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 
Mobile NFC @ Airlines
Mobile NFC @ AirlinesMobile NFC @ Airlines
Mobile NFC @ Airlines
 
Passenger and Airport Collaboration through Technology (PACT)
Passenger and Airport Collaboration through Technology (PACT)Passenger and Airport Collaboration through Technology (PACT)
Passenger and Airport Collaboration through Technology (PACT)
 
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...
PLNOG 13: Grzegorz Janoszka: Peering vs Tranzyt – Czy peering jest naprawdę s...
 
5 Steps for Creating an Easier Travel Experience for your Attendees
5 Steps for Creating an Easier Travel Experience for your Attendees5 Steps for Creating an Easier Travel Experience for your Attendees
5 Steps for Creating an Easier Travel Experience for your Attendees
 
Document authentication system powered by assuretec
Document authentication system powered by assuretecDocument authentication system powered by assuretec
Document authentication system powered by assuretec
 
Essence of Travel Technology
Essence of Travel TechnologyEssence of Travel Technology
Essence of Travel Technology
 
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
 
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...
7 Ways Facial Recognition Can Unlock A Secure, Frictionless and Personalized ...
 
Overview of airline booking process
Overview of airline booking processOverview of airline booking process
Overview of airline booking process
 
How can airports get to know their passengers - and should they try?
How can airports get to know their passengers - and should they try?How can airports get to know their passengers - and should they try?
How can airports get to know their passengers - and should they try?
 
Driving Efficiency with Splunk Cloud at Gatwick Airport
Driving Efficiency with Splunk Cloud at Gatwick AirportDriving Efficiency with Splunk Cloud at Gatwick Airport
Driving Efficiency with Splunk Cloud at Gatwick Airport
 
The Future of Customer Experience in Commercial Aviation
The Future of Customer Experience in Commercial Aviation The Future of Customer Experience in Commercial Aviation
The Future of Customer Experience in Commercial Aviation
 
Machine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric PassportMachine Readable Travel Documents (MRTD) - Biometric Passport
Machine Readable Travel Documents (MRTD) - Biometric Passport
 
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQL
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQLServing the Real-Time Data Needs of an Airport with Kafka Streams and KSQL
Serving the Real-Time Data Needs of an Airport with Kafka Streams and KSQL
 
Using biometric technology to facilitate airport security - November 2015
Using biometric technology to facilitate airport security - November 2015Using biometric technology to facilitate airport security - November 2015
Using biometric technology to facilitate airport security - November 2015
 
Portal apps (slt)
Portal apps (slt)Portal apps (slt)
Portal apps (slt)
 
PATANG - GLOBAL VISIBILITY PLATFORM
PATANG - GLOBAL VISIBILITY PLATFORMPATANG - GLOBAL VISIBILITY PLATFORM
PATANG - GLOBAL VISIBILITY PLATFORM
 
Using a modern data stack to explore and visualize the impact of a global pan...
Using a modern data stack to explore and visualize the impact of a global pan...Using a modern data stack to explore and visualize the impact of a global pan...
Using a modern data stack to explore and visualize the impact of a global pan...
 

Recently uploaded

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

How to get good seats in the security theater

  • 1. How to get good seats in the security theater? Hacking boarding passes for fun and profit Przemek Jaroszewski przemj+defcon24@gmail.com
  • 2. $ whoami • head of the Polish national CSIRT (CERT Polska) • 10+ years of education in programming • Master’s degree in social psychology • 15 years of experience in IT security • aviation enthusiast, unrealized air traffic controller
  • 3. Disclaimer • Research and opinions are my own, not my employer’s • Some of the stuff is grey area, and some is plain illegal
  • 4. Up in the Air • FF miles are nice, but status is nicer
  • 5. Except when improvements don’t work…
  • 6. IATA Resolution 792 (2005): Bar-Coded Boarding Pass
      • Paper
          • PDF417
      • Mobile
          • QR Code
          • Aztec
          • DataMatrix
  • 8. M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G
  • 10. M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G
  • 11. M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666C009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G
  • 12. Where did we get? • Free Fast Track for all travellers
  • 13. M1COLUMBUS/CHRISTOPHERE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G
  • 14. M1COLUMBUS/CHRISTOPHERE56YYYY WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G
  • 15. Where did we get? • Free Fast Track for all travelers => Sterile area access for all
  • 16. Wait, this is not news!
      • Bruce Schneier (2003): Flying On Someone Else’s Airplane Ticket
          • shows how to work around no fly lists with print-at-home BPs
      • Andy Bowers (2005): Dangerous Loophole in Airport Security
      • Bruce Schneier (2006): The Boarding Pass Brouhaha
      • Christopher Soghoian (2007): Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists
      • Jeffrey Goldberg (2008): The Things He Carried
      • Charles C. Mann (2011): Smoke Screening
      • John Butler (2012): Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System
  • 17. No Fly List Bypass (in 2003)
      • Buy tickets under false name
      • Print your boarding pass at home
      • Create a copy of the boarding pass with your real name
      • Present the fake boarding pass and the real ID to TSA officers
      • Present the real boarding pass to gate agents
      • Fly
  • 19. No Fly List Bypass (in 2016 Europe)
      • Buy tickets under false name
      • Print your boarding pass at home
      • Fly
      Impacting factors:
      • Particular airline’s business consciousness
      • Temporary security checks
  • 21. Source: IATA • NO integrity checks • NO authentication
  • 23. So… Where is passenger data stored?
      • Computer Reservation Systems (CRS) allow for storage and processing of Passenger Name Records (PNR) containing:
          • personal data (names, contact details)
          • reservations (airlines, hotels, cars, …)
          • issued tickets
          • special requests
          • loyalty programs data
      • Dozens of CRSs exist
          • GDS (e.g. Sabre, Amadeus, Galileo, Worldspan, …)
          • proprietary ones
      • One reservation may result in multiple PNRs in different CRSs
      • Data access is limited not only across CRSs, but across different parties
  • 24. Notice of advice
      • BCBP often contains more information than the printed version
          • PNR locator (aka: reservation/confirmation number, booking reference)
          • Ticket number
          • Full frequent flyer number
      • This information can be used to retrieve most and modify some data in your PNR, including ticket cancellation!
          • Sometimes with additional knowledge like e-mail address
      • Don’t post or share non-anonymized boarding passes!
  • 26. … and then on to other systems • Departure Control System (DCS) – check-in info • Advance Passenger Information (API) – to border agencies • PNRGOV – to government agencies • Secure Flight
  • 28. Paper is just a bit less fun…
      • MS Word is a great PDF-editing tool :)
      • Most likely the barcode will be scanned anyway, so it needs to reflect the printed information
  • 29. Lounge access
      • Contract lounges
          • no way to verify eligibility
          • may require an invitation issued from the airline at check-in
      • Airline-operated lounges
          • may have access to passenger records …
          • … but only for own passengers!
          • automatic gates increasingly popular (e.g. SAS lounges in CPH, OSL; Turkish lounge in IST)
  • 32. Duty Free Goods
      • In many countries goods are sold directly to the passenger (liquors sealed in a plastic bag)
      • Eligibility is determined based on destination (e.g. EU/Non-EU)
  • 33. Where did we get? • Airport access (meet&greet, sightseeing, …) • Fast Track • Free lunch and booze • Duty free shopping
  • 35. Digital Signature
      • In 2009 IATA extended BCBP standard (ver. 3) with support for digital signatures based on PKI
      • Yet many airlines still use BCBP v.1
      • The field is "optional and to be used only when required by the local security administration"
      • The field has variable length, with specific algorithm etc. determined by the authority
      • Private keys owned by airlines, public keys distributed to third parties
      • TSA enforced for US carriers (well, almost)
  • 36. BCBP XML • In 2008 IATA proposed Passenger and Airport Data Interchange Standards (PADIS) XML to be used for exchange of BCBP data between airlines and third parties, such as lounges or security checkpoints • The terminal would send a message consisting of a header and full BCBP content • The airline would reply with a Yes/No, along with a reason and optional free text
  • 38. Secure Flight
      • Program implemented by TSA in 2009 to take over watchlist monitoring from airlines
      • Pre-Check and Secondary Screening introduced in 2011
      • Selectee indicator in BCBP field 18; 0=normal; 1=SSSS; 3=LLLL
      • In 2013 TSA started networking CAT/BPSS devices to pull passenger data from Secure Flight, including:
          • Passenger’s full name
          • Gender
          • Date of birth
          • Screening status
          • Reservation number
          • Flight itinerary (in order to determine which airports receive data)
  • 39. Why is awesome? • Just when I thought I got my slides ready… I get this message from @supersat I noticed you are giving a talk on boarding passes at DEF CON. I managed to acquire [this] off of eBay, and was wondering if you'd like to play around with it at DEF CON or use it for a demo at your talk.
  • 42. Where did we get? • Airport access (meet&greet, sightseeing, …) • Fast Track • Free lunch and booze • Duty free shopping • Pre-check??
  • 43. Is it a vulnerability?
      • LOT Polish Airlines: Please contact Warsaw Airport about this issue as they’re responsible for boarding pass scanning systems.
      • Warsaw Airport: It’s a known issue, but not a problem. We’re compliant with all CAA guidelines.
      • Civil Aviation Authority for Poland: Boarding pass forgery is a crime since they are documents.
      • Me: Can you have a legally binding document without any form of authentication?
      • Civil Aviation Authority for Poland: Oh, go f*** yourself!
  • 44. Is it a vulnerability?
      • Turkish Airlines: Please be informed that we have already shared your contact details with our related unit, to get in touch with you as soon as possible.
      • SAS: We appreciate that you have taken the time to send us your feedback, as this is crucial for us to improve our services.
      • TSA: awkward silence
  • 46. But you can have a nice souvenir
  • 47. Wrap up
      • Privacy and complexity of reservation systems prevent effective data exchange between airlines and BP scanning checkpoints
      • Several countermeasures have been introduced by IATA, but they’re expensive and complicated to implement
      • While US did a reasonably good job, other places have actually lowered the bar
      • Because of privacy restrictions, access to PNR will likely be limited to governments, making cross-dependencies between private entities inherently broken
  • 48. Sources/Further reading
      • IATA: BCBP Implementation Guide http://www.iata.org/whatwedo/stb/bcbp/Documents/BCBP-Implementation-Guide.pdf
      • IATA: Bar-Coded Boarding Passes FAQ https://www.iata.org/whatwedo/stb/bcbp/Documents/bcbp-faqs.pdf
      • IATA: Passenger and Airport Data Interchange Standards (PADIS) Board http://www.iata.org/whatwedo/workgroups/Pages/padis.aspx
      • TSA: Privacy Impact Assessment for the Boarding Pass Scanning System https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf
      • TSA: Secure Flight http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_secureflight_update018(e).pdf https://www.tsa.gov/news/testimony/2014/09/18/tsa-secure-flight-program
      • BCBP Working Group: Business Requirements: BCBP Data Exchange http://www.aci.aero/media/aci/file/aci_priorities/it/doc0803_brd_bcbp_xmlfinal.pdf
      • Bruce Schneier: Flying On Someone Else’s Airplane Ticket https://www.schneier.com/crypto-gram/archives/2003/0815.html#6
      • Bruce Schneier: The Boarding Pass Brouhaha https://www.schneier.com/essays/archives/2006/11/the_boarding_pass_br.html
      • Andy Bowers: A Dangerous Loophole in Airport Security http://www.slate.com/articles/news_and_politics/hey_wait_a_minute/2005/02/a_dangerous_loophole_in_airport_security.html
      • Christopher Soghoian: Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1001675
      • Jeffrey Goldberg: The Things He Carried (The Atlantic) http://www.theatlantic.com/magazine/archive/2008/11/the-things-he-carried/307057/
      • Charles C. Mann: Smoke Screening (Vanity Fair) http://www.vanityfair.com/culture/2011/12/tsa-insanity-201112
      • Brian Krebs: What’s in the Boarding Pass? A lot http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
      • John Butler: Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System https://puckinflight.wordpress.com/2012/10/19/security-flaws-in-the-tsa-pre-check-system-and-the-boarding-pass-check-system/
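Slide 21's point (no integrity checks, no authentication) and the airline-side Yes/No reply described on slide 36, as an added example that is not from the talk: a checkpoint that uses the barcode only as a lookup key and compares every scanned field with the airline's own record. The field widths follow the mandatory section of the IATA BCBP layout rather than anything shown on the slides; the `DCS` dictionary, its key and the `verify` function are hypothetical.

```python
from collections import namedtuple

# Mandatory items of a single-leg BCBP record: (field, width), 60 characters in all.
LAYOUT = [("format_code", 1), ("legs", 1), ("name", 20), ("eticket", 1),
          ("pnr", 7), ("origin", 3), ("destination", 3), ("carrier", 3),
          ("flight", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
          ("sequence", 5), ("status", 1), ("var_size_hex", 2)]
Verdict = namedtuple("Verdict", "ok reason")

def parse_mandatory(bcbp):
    """Slice the fixed-width mandatory section into named, space-trimmed fields."""
    if len(bcbp) < 60 or not bcbp.startswith("M"):
        raise ValueError("not an 'M' record with a full mandatory section")
    fields, pos = {}, 0
    for name, width in LAYOUT:
        fields[name] = bcbp[pos:pos + width].strip()
        pos += width
    return fields

# Constructed stand-in for the airline's own check-in record (hypothetical
# store and key choice): carrier, flight, date and check-in sequence number.
DCS = {("SK", "2762", "666", "0007"): {
    "name": "JAROSZEWSKI/PRZEMYSL", "pnr": "56XXXX", "origin": "WAW",
    "destination": "CPH", "compartment": "M", "seat": "009C"}}

def verify(bcbp):
    """Airline-side Yes/No with a reason: every scanned field must equal the record."""
    try:
        f = parse_mandatory(bcbp)
    except ValueError as exc:
        return Verdict(False, str(exc))
    record = DCS.get((f["carrier"], f["flight"], f["julian_date"], f["sequence"]))
    if record is None:
        return Verdict(False, "no such check-in on this flight")
    bad = sorted(k for k, v in record.items() if f[k] != v)
    return Verdict(not bad, "mismatch: " + ", ".join(bad) if bad else "match")

# Sample strings from slides 10, 11 and 14 (already anonymized by the speaker).
ORIGINAL = "M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0"
CLASS_EDITED = "M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666C009C0007 666>10B0"
NAME_EDITED = "M1COLUMBUS/CHRISTOPHERE56YYYY WAWCPHSK 2762 666M009C0007 666>10B0"

if __name__ == "__main__":
    for label, code in [("original", ORIGINAL), ("class edited", CLASS_EDITED),
                        ("name edited", NAME_EDITED), ("truncated", ORIGINAL[:40])]:
        print(f"{label:13} {verify(code)}")
```

Only the unmodified string gets a Yes; the edited compartment code and the swapped name and PNR are each rejected with the differing field named, which a scanner that reads the barcode alone cannot do.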