Fake boarding passes can fool airport security checks

WASHINGTON — More than 11 years after the Sept. 11 terrorist attacks, it remains possible to use fake boarding passes to get through airport security checks, according to new evidence from security researchers and official documents.

The security vulnerabilities could allow terrorists or others on ‘‘no-fly’’ lists to pass through airport checkpoints with fraudulent passes and proceed through expedited screening. They could even allow them to board planes, security analysts warn.

The Washington Post was alerted to the vulnerabilities by concerned passengers and verified them through independent security experts. At the request of US officials, the Post is withholding details that would make it easier for the vulnerabilities to be exploited.


The security gaps center on airline boarding passes, which can be issued up to 24 hours before a flight’s departure.

Get Ground Game in your inbox:
Daily updates and analysis on national politics from James Pindell.
Thank you for signing up! Sign up for more newsletters here

According to security researchers, the bar codes on those passes can be manipulated with widely available technology to change the information they contain: passenger identification, flight data, and codes indicating whether a passenger has qualified for expedited screening.

Information about reading and altering boarding pass bar codes has circulated on online forums for several months, and has recently been picked up by security researchers. Many of them note that the potential for tampering with the passes has been exacerbated by the proliferation of smartphones that can read the bar codes and free software that can manipulate them.

Security guidelines set by the Transport Security Administration allow airlines to add an encrypted ‘‘digital signature’’ to prevent board passes from being altered. But some researchers said they were surprised to learn that not all passes include authentication.

‘‘It’s alarming — this basically negates the no-fly list,’’ said Chris Soghoian, a fellow at Indiana University’s Center for Applied Cybersecurity Research and principal technologist at the American Civil Liberties Union.


It remains difficult to establish the full extent of the vulnerabilities without information from the TSA, which does not comment on security procedures. In response to written questions, John S. Pistole, the administrator of the TSA, said the potential for tampering with printed boarding passes has existed since the inception of e-ticketing, but that the agency has added protective measures ‘‘both seen and unseen.’’

‘‘We continue to explore and implement additional mitigation measures to prevent the manipulation of boarding passes and are working with the airlines to develop systems and methods to prevent illegal tampering,’’ Pistole said.

It is illegal to tamper with airline boarding passes. But security experts said individuals with limited technical expertise would be able to do so.

At the very least, passengers would be able to modify their passes so they could proceed through the TSA’s ‘‘PreCheck’’ screening, a paid-for program in which passengers are allowed to keep laptop computers and approved containers of liquid in hand baggage. Security experts say it is a program terrorists could possibly exploit.

The no-fly list was created after the Sept. 11, 2001, attacks, and includes the names of US citizens and foreigners not permitted to fly into or out of the United States because of specific security concerns. The identity and exact number of people on the no-fly list is not public, but an FBI official told NPR last year that it includes about 10,000 people.