Black Hat: Airport security equipment at risk

Bugs in trace detection scanners, x-ray machines and time and attendance clocks could make them vulnerable to attack, according to experts.

While the Transportation Safety Administration and the Department of Homeland Security are very exacting in the specifications that airport security equipment must meet, x-ray machines, trace detection scanners, time and attendance clocks and the like all have backdoors and other vulnerabilities that can be exploited.

Speaking at Black Hat 2014 in Las Vegas, Billy Rios, director of vulnerability research at Qualys, noted that technician accounts and their passwords can provide a potential way for would-be attackers to gain access and control over the equipment. These "backdoors" are often hardwired into the software. And the passwords that access these accounts cannot be changed without disrupting the applications, business processes, external software and training programs that depend on them.

“Once someone else discovers the technician's password, that's dangerous,” Rios said.

He pointed out flaws in older Rapiscan x-ray machines still used at some airports, as well as those in trace detection scanners and even time and attendance clocks. 

Also troubling is the software program TSA uses to test its screeners. 

The program “injects a threat into a passenger's luggage,” in other words simulating a weapon in the luggage on the screener's monitor. “That might be why you get randomly screened at an airport,” he said, noting that, of course, nothing is found on further inspection of the luggage because the "weapon" was only introduced on the screen as a way to test the screener's detection skills.

“So that really crappy software allows you to modify the screen and lets you in,” he noted, explaining that if the screen can be changed via the testing software, then it can be changed by those with malicious intent.

In addition, flaws in the time and attendance clocks, like the Kronos clocks used at many airports, could be used to compromise security. 

Rios said the DHS ICS-CERT recently issued an advisory regarding hard-coded credentials found in the Morpho Itemiser 3 v 8.17 trace detection scanner that it said “could be exploited remotely.”

“Once access is gained, the attacker can read and write to the file system and reconfigure the device,” the DHS ICS-CERT advisory said. “Attackers may also have access to other devices that are attached to this product.”

The advisory recommended “that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

Morpho initially said it wouldn't patch the vulnerability but later relented, Rios said, after discovering the flaw would be discussed at Black Hat.

While the temptation may be to lay blame for vulnerabilities in airport security equipment at the feet of the vendors, Rios said responsibility lies with the TSA, which must be more vigilant. He noted that TSA depends on the equipment to do its job and that its workers “do not have the expertise to detect exploited devices.”

The TSA also can't conduct “adequate threat models” and has not audited the devices. He also noted that vendors deliver devices to meet TSA requirements and TSA certifies them.
