While the Transportation Safety Administration and the Department of Homeland Security are very exacting in the specifications that airport security equipment must meet, x-ray machines, trace detection scanners, time and attendance clocks and the like all have backdoors and other vulnerabilities that can be exploited.
Speaking at Black Hat 2014 in Las Vegas, Billy Rios, director of vulnerability research at Qualys, noted that technician accounts and their passwords can provide a potential way for would-be attackers to gain access and control over the equipment. These "backdoors" are often hardwired into the software. And the passwords that access these accounts cannot be changed without disrupting the applications, business processes, external software and training programs that depend on them.
“Once someone else discovers the technician's password, that's dangerous,” Rios said.
He pointed out flaws in older Rapiscan x-ray machines still used at some airports, as well as those in trace detection scanners and even time and attendance clocks.
Also troubling is the software program TSA uses to test its screeners.
The program “injects a threat into a passenger's luggage,” in other words simulating a weapon in the luggage on the screener's monitor. “That might be why you get randomly screened at an airport,” he said, noting that, of course, nothing is found on further inspection of the luggage because the "weapon" was only introduced on the screen as a way to test the screener's detection skills.
“So that really crappy software allows you to modify the screen and lets you in,” he noted, explaining that if the screen can be changed via the testing software, then it can be changed by those with malicious intent.
In addition, flaws in the time and attendance clocks, like the Kronos clocks used at many airports, could be used to compromise security.
Rios said the DHS ICS-CERT recently issued an advisory regarding hard-coded credentials found in the Morpho Itemiser 3 v 8.17 trace detection scanner that it said “could be exploited remotely.”
“Once access is gained, the attacker can read and write to the file system and reconfigure the device,” the DHS ICS-CERT advisory said. “Attackers may also have access to other devices that are attached to this product.”
The advisory recommended “that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
Morpho initially said it wouldn't patch the vulnerability but later relented, Rios said, after discovering the flaw would be discussed at Black Hat.
While the temptation may be to lay blame for vulnerabilities in airport security equipment at the feet of the vendors, Rios said responsibility lies with the TSA, which must be more vigilant. He noted that TSA depends on the equipment to do its job and that its workers “do not have the expertise to detect exploited devices.”
The TSA also can't conduct “adequate threat models” and has not audited the devices. He also noted that vendors deliver devices to meet TSA requirements and TSA certifies them.