The Transportation Security Administration, that guardian of airports for whom we have all shed shoes, jackets, and loose change, has a worrisome safety issue of its own, according to a cyber researcher for Qualys.
Two devices that may be used at airport and other security checkpoints have “backdoors”—usernames and passwords hard-coded into the equipment that a hacker could use to get into the machines, says Billy Rios, in findings he discussed yesterday at the Black Hat security conference in Las Vegas.
Why would a manufacturer create that kind of risk? It’s actually quite common—usually for ease of maintenance, so technicians can get in and service the machine.
Rios, director of threat intelligence at Qualys (QLYS), which provides cybersecurity services, bought the two different devices on eBay: a time-clock system used to track TSA employees’ work for about $200, and a narcotics and explosives detection system called an Itemiser for about $800.
The time-tracking system, made by Kronos, had two backdoors via hardcoded usernames and passwords. Worse, Rios found about 6,000 of the devices connected to the Internet, including one at San Francisco International Airport—which Rios says he worked with the Department of Homeland Security to get taken offline.
He, or a hacker, could have logged into and controlled those machines using the technician credentials and from there get into whatever networks the devices connect to. If the Kronos was being used for access control, for example, you’d also be able to subvert or manipulate that, says Rios.
“The most important thing for people to take away is if the device is connected to the Internet and to another network, which is extremely common, you basically have a bridge,” he says. “For non-airports, the risk is still the same. If you have a Kronos connected to the Internet and also to your corporate network, well, now you’ve given someone access to your corporate network.”
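The two conditions Rios describes, a device that is reachable from the Internet while also sitting on an internal network, and a firmware build that still ships a hardcoded technician account, are what a defender would check an inventory for. The following is an added example, not code from the article, Qualys, Kronos, or Morpho Detection. The vendor names, model names, account names, firmware versions and "fixed in" versions are constructed placeholders standing in for entries that would come from real vendor advisories.

```python
"""Audit a device inventory for two risk patterns:
(1) a device that is Internet-reachable and also attached to an internal
    network range (a "bridge" between the two), and
(2) a device model known to ship a hardcoded account whose firmware is
    older than the version in which the vendor removed it.

All advisory entries and device records below are constructed
placeholders for illustration, not real products or credentials.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed advisory table: (vendor, model) -> hardcoded account name and
# the first firmware version that removed it (None = no fix published yet).
HARDCODED_ACCOUNT_ADVISORIES = {
    ("examplevendor", "timeclock-x"): {"account": "svc_tech", "fixed_in": (2, 1, 0)},
    ("examplevendor", "tracedetector-y"): {"account": "maint", "fixed_in": None},
}

# RFC 1918 ranges used here as the definition of "internal network".
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: str             # dotted version string, e.g. "2.0.3"
    interfaces: list          # IP addresses configured on the device's NICs
    internet_reachable: bool  # result of an external exposure check (e.g. a perimeter scan)


def parse_version(s: str) -> tuple:
    """Turn "2.0.3" into (2, 0, 3) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def audit_device(dev: Device) -> list:
    """Return human-readable findings for one device (empty list = clean)."""
    findings = []
    bridges = dev.internet_reachable and any(is_internal(a) for a in dev.interfaces)
    if bridges:
        findings.append(f"{dev.name}: Internet-reachable and attached to an internal network (bridge)")

    adv = HARDCODED_ACCOUNT_ADVISORIES.get((dev.vendor.lower(), dev.model.lower()))
    if adv:
        fixed = adv["fixed_in"]
        # Unpatched if the vendor has no fix or the running firmware predates it.
        if fixed is None or parse_version(dev.firmware) < fixed:
            # A hardcoded account on a bridging device is the worst case Rios describes.
            severity = "critical" if bridges else "high"
            findings.append(
                f"{dev.name}: firmware {dev.firmware} still ships hardcoded account "
                f"'{adv['account']}' ({severity})"
            )
    return findings


def audit_inventory(devices) -> list:
    return [f for d in devices for f in audit_device(d)]


# Constructed sample inventory (placeholder names, addresses and versions).
SAMPLE_INVENTORY = [
    Device("tc-lobby", "ExampleVendor", "TimeClock-X", "2.0.3", ["192.168.10.5"], True),
    Device("tc-warehouse", "ExampleVendor", "TimeClock-X", "2.1.4", ["10.20.0.9"], False),
    Device("itd-bay1", "ExampleVendor", "TraceDetector-Y", "1.0.0", ["10.30.0.4"], False),
    Device("cam-door", "OtherVendor", "Cam-Z", "5.2.0", ["198.51.100.7"], True),
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

Run against the sample inventory, the script flags the lobby time clock twice (it bridges the Internet and an internal range, and its firmware predates the fix), flags the trace detector once (no fix exists, so only isolation helps), and passes the patched warehouse clock and the camera that has no internal interface. The "internet_reachable" field is deliberately an input rather than something the script probes, so the audit can run offline from an exported inventory.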
Kronos sent an e-mailed statement saying the company does not comment on specific customer use of its devices: “We have not seen the Qualys research, but the issue as described appears to be one that was identified years ago, which we have since remediated and for which we have made a patch available.”
The second piece of equipment, Morpho Detection’s Itemiser 3, is a machine that can find traces of narcotics or explosives after a security officer has wiped a swab on your hands or bag. Rios bought one online that had a tag from a Federal prison, he says.
Rios wasn’t able to buy the version that TSA uses—a newer model called Itemiser DX—or to see how many of those devices are connected to the Internet. But he says the same concern, that a hardcoded username and password could give a hacker access, still applies.
Morpho Detection discontinued production of the Itemiser 3 in 2010, and the TSA doesn’t own or operate any, according to an e-mailed statement from Karen Bomba, the company’s president and chief executive officer. The company is planning to remove the vulnerability in the Itemiser 3 before the end of the year.
Rios, meanwhile, submitted his analysis to the Department of Homeland Security, which issued an advisory in July that assigned the Itemiser vulnerability the highest possible severity rating.
The point, says Rios, is that TSA may not have a good understanding of the cybersecurity risks in the devices it’s buying.
“I hope they start upping their cybersecurity standards,” he says, pushing vendors to get rid of flaws such as hardcoded credentials. “TSA does have enough clout to start moving the ball in the right direction, and they have a responsibility to do so, as well.”
Ross Feinstein, a spokesman for TSA, says the agency has a rigorous certification and accreditation process for technology: “This process ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity.”