Limits of boarding pass generators

| Comments (3) |
There's been a lot of fuss over Chris Soghoian's fake boarding pass generator (since taken down, link goes to Boing Boing coverage). What this appears to be is a demonstration of a vulnerability I pointed out back in October of 2003 (Schneier made the same point in August of 2003.) Most of the coverage here is of how the FBI is torturing 1 Soghian, which, frankly, is pretty silly but is of course what happens when you show that someone important's security system doesn't work, so it's not exactly unexpected. What I'm interested in, though, is the security aspects.

When the generator first came out, there were claims that you could use it for three purposes:

Use this handy boarding-pass generator to: 1) get through airport security without a ticket, 2) bypass the "extra screening" if you have "SSSS" printed on your ticket, or 3) -- and this is harder -- snag yourself a Business Class seat with a Coach ticket.

It's clear how the first two work. All the processes used by the TSA types are paper-based without any checks to a back-end database, so all you have to do is edit whatever boarding pass HTML/image/whatever they give you for print-at-home and you can have it show whatever you want for the TSA guys. And since the only thing that the gate scanners read is the bar code you're good to go.

I'm not so sure about the third one. Obviously, you can change the seat letters on your boarding pass, but business tends to be full, so you're likely going to be in someone's seat and they'll notice. Moreover, if you've ever flown in business, you know that the FAs know your name without looking at your boarding pass2. That's because they have a list of who is suppposed to sit where. So, if you get lucky and business is empty and you decide to give yourself an upgrade, what ordinarily happens when you're in business and you shouldn't be is that they notice and ask to see your boarding pass and then ship you back to your rightful seat. If you've modified your boarding pass, they'll know it doesn't match their list and probably investigate the problem at which point you can look forward to being thrown off the plane (at best) or more likely arrested.

As a side note, Soghoian doesn't seem to have claimed you could make a totally fake boarding pass that would pass the gate scanners. I suspect that's pretty hard. I haven't studied the bar codes on those passes, but I suspect they contain the ticket number which is used to look up your PNR in the database, in which case it's pretty hard to forge one. You could, design the system so that the tickets were self-contained, in which case forgeries would maybe be possible (unless they were cryptographically protected) but I don't think that's how it actually works.

1. It used to be you could say they were torturing him it would just be idiomatic for "giving him a really hard time", but now I have to put in clarifying notes like this so you don't think that I'm saying the USG is waterboarding the guy. Thanks, Congress!
2.They also know your elite level, which is how they know what order to take meal preferences in and how much to suck up to you.


A lot of how automated this all is depends on the airport. In small airports, the ticket is taken at the gate, but entered by the gate agent back at the same station at which you checked in. This is why lots of print-at-home boarding passes are doubled--so they can take one if they need to. This is also what happens when the gate's systems are down--they take boarding pass, do a manual count and compare that against the manifest of passengers who checked in.

No matter which way they do this check, an extra person with a boarding pass who isn't accounted for on the manifest is going to raise a flag. You might, starting from a small airport or having the luck that the gate system is down, but it depends on the agents also so being so rushed that they either did not do the ticket counts and match them against the manifest or couldn't find the problem when the issue arose and decided to let it pass. Both are darned unlikely.

So we're back to the case where this gets you past security but does not get you onto a plane. There are some extra threats here (people are less careful of their boarding passes inside security, at least in my experience), but they all turn you up pretty quickly if you actually fly on stolen the boarding pass. So the threat seems to be that you can use it to get into the secure area and use that entry to tamper with someone else's luggage or get access to a secure area.

Frankly, that seems pretty unlikely. Someone really bent on harm seems so much more likely to simply buy a ticket to somewhere else, do their tampering, and then hop on their plane. Faking may be cheaper, but it seems likely to increase the risk of being caught.

By the way, on your footnote two, American does First/Business by going from the front eastbound and from the back westbound. If you are too-frequent flier you can use that knowledge to plan your seats such that you get first choice, but they don't ask in the order of elite priority (or paid vs. upgrade, as some others do).

Note on footnote 1: "waterboarding" is not torture, says the Vice President, so you really don't need that clarifying footnote :)

I'm not sure how much the gate scanners really do - I point out that they read your ticket and even if you are getting on the wrong flight, they still let you on. People end up on the wrong flight all the time - luckily if the flight is fairly full they have a good chance of having a seat conflict which provides a check :-)

Leave a comment