Airport security has advanced rapidly in the last decade, but according to the findings of a security researcher, the guardians of the airport, using some of the most advanced monitoring machines (luggage x-rays, backscatter machines, trace scanning detectors, explosive-sniffing computers, etc.), have a security issue of their own to worry about.
At the Black Hat 2014 conference in Las Vegas, Billy Rios, director of vulnerability research at Qualys Security, reported that he had purchased some of the software and hardware used by the TSA (Transportation Security Administration) on eBay. Examining it on his own time, he found that technician accounts and their associated passwords gave would-be hackers a way into the equipment.
The backdoors, Rios claims, are hardwired into the software, and passwords used to access these accounts can’t be modified without disrupting the business processes, external software, applications and training programs dependent upon them.
The vulnerabilities were most notable in the device responsible for detecting trace levels of explosives and drugs. The equipment, the Morpho Itemiser 3, is set up so that technician-level passwords are hardcoded into it. This is a common practice across a range of devices, intended to make maintenance access easy for technicians, but it has become taboo in the security industry because it also makes the machines easier for hackers to attack.
Rios stated that the weakness allows hackers to reverse-engineer the machine, so they can log in easily and wreak havoc:
“If you’re a super user you can do whatever you want,” said Rios.
The device is set up to detect explosive devices or certain drugs. Rios said that one strategy hackers could adopt is to remove a couple of items from its detection list, so that those particular items could pass through security.
A route to the machine might be through the Internet-connected payroll system of the organization, according to Rios. If any other devices are left online, they could be utilized as a bridge to the internal TSA network, potentially enabling adversaries to disrupt the system from any location in the world.
“When we have backdoor passwords, and you introduce the concept of networking, it gets really bad,” noted Rios.
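The two conditions Rios describes, a technician account whose password is fixed at the factory and a device that is reachable from the Internet while also attached to an internal network, are both things an operator can check for in an asset inventory. The following Python audit is an added example, not code from the article, from Qualys, or from any vendor named here; the device records, the list of known vendor-default credentials, and the internal address ranges are all constructed placeholders.

```python
"""Audit a device inventory for two conditions: technician accounts still
using vendor-default (possibly unchangeable) passwords, and devices that
are exposed to the Internet while also sitting on an internal network,
which makes them a bridge into that network.

Everything below (credentials, address ranges, fleet) is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: vendor-default technician credentials an operator would
# maintain from vendor advisories. These are placeholders, not real values.
KNOWN_DEFAULT_CREDENTIALS = {
    ("technician", "placeholder-default-1"),
    ("service", "placeholder-default-2"),
}

# Constructed: address ranges the operator treats as sensitive internal
# segments (screening network, corporate LAN).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class Device:
    name: str
    accounts: dict            # username -> password as configured on the device
    password_changeable: bool  # False when the vendor hardcodes the value
    addresses: list           # IP addresses across all interfaces
    internet_reachable: bool  # result of an external exposure scan


def hardcoded_credential_findings(dev):
    """Return one finding per account that matches a known default credential.
    An unchangeable default is rated critical; a changeable one left at its
    default is rated high (it can at least be rotated)."""
    findings = []
    for user, pw in dev.accounts.items():
        if (user, pw) in KNOWN_DEFAULT_CREDENTIALS:
            severity = "critical" if not dev.password_changeable else "high"
            findings.append(
                f"{dev.name}: account '{user}' uses a vendor-default password ({severity})"
            )
    return findings


def is_bridge(dev):
    """True when the device is Internet-reachable and has an address inside
    any internal segment, i.e. it joins the outside to the inside."""
    touches_internal = any(
        ipaddress.ip_address(addr) in net
        for addr in dev.addresses
        for net in INTERNAL_NETWORKS
    )
    return dev.internet_reachable and touches_internal


def audit(devices):
    """Run both checks over the fleet and return the findings grouped by type."""
    report = {"credentials": [], "bridges": []}
    for dev in devices:
        report["credentials"].extend(hardcoded_credential_findings(dev))
        if is_bridge(dev):
            report["bridges"].append(dev.name)
    return report


# Constructed sample fleet; 203.0.113.0/24 is a documentation range.
SAMPLE_FLEET = [
    Device("trace-detector-lane3",
           {"technician": "placeholder-default-1", "operator": "S1te-Un1que!"},
           password_changeable=False, addresses=["10.20.5.7"], internet_reachable=False),
    Device("time-clock-lobby",
           {"service": "placeholder-default-2"},
           password_changeable=True, addresses=["203.0.113.15", "10.20.8.3"],
           internet_reachable=True),
    Device("xray-lane1",
           {"technician": "Rotated-2024-q3"},
           password_changeable=True, addresses=["10.20.5.9"], internet_reachable=False),
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLEET)
    for line in result["credentials"]:
        print(line)
    print("bridge devices:", result["bridges"])
```

In practice the fleet records would come from an asset database or a configuration management export, and the default-credential list from vendor advisories; the point of the audit is that a device matching either check should be isolated from the Internet and have its credentials rotated or the vendor pressed for a fix before it stays in service.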
Morpho, the manufacturer of the Itemiser 3, sent a representative to the session to defend the product. The representative read a company statement saying it would release an update by the end of the year to patch the newly disclosed vulnerability.
“Morpho Detection takes the security of its products and its customers very seriously,” the statement read.
Rios also found two backdoors, in the form of hardcoded usernames and passwords, in the Kronos-manufactured time-tracking system used to track the work of TSA employees. Rios discovered that 6,000 of the devices were connected to the web, including one at San Francisco International Airport, which Rios says he got taken offline after working with the Department of Homeland Security.
Hackers could easily have accessed and controlled those systems with the technicians’ credentials and, from there, moved into the networks the devices connect to. Rios said that if the Kronos system was being used for access control, hackers would also be able to manipulate or subvert that.
“The most important thing for people to take away is if the device is connected to the Internet and to another network, which is extremely common, you basically have a bridge,” he said. “For non-airports, the risk is still the same. If you have a Kronos connected to the Internet and also to your corporate network, well, now you’ve given someone access to your corporate network.”
Kronos, however, said that it does not comment on specific customers’ use of its devices. The company’s emailed statement read:
“We have not seen the Qualys research, but the issue as described appears to be one that was identified years ago, which we have since remediated and for which we have made a patch available.”
The bottom line, according to Rios, is that TSA may not fully understand the security risks in the devices it’s using.
“I hope they start upping their cybersecurity standards,” Rios said, urging vendors to get rid of flaws such as hardcoded credentials. “TSA does have enough clout to start moving the ball in the right direction, and they have a responsibility to do so, as well.”
TSA spokesman Ross Feinstein said the agency has a rigorous accreditation and certification process for technology:
“This process ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity.”
Rios, however, said that TSA has used the version he hacked in the past, and that the current machines might have similar vulnerabilities. His findings show that TSA is not properly vetting the products it uses for security.