LAS VEGAS—The security of a number of devices used by the U.S. Transportation Security Administration (TSA) is being called into question by a researcher at the Black Hat USA conference here. Billy Rios, director of Vulnerability Research at Qualys, looked at three different devices used by the TSA in airports in the United States and found security issues in all of them.
In an interview with eWEEK, Rios emphasized that all of the issues he found have been responsibly disclosed via ICS-CERT to help minimize any risk to travelers.
One of the devices that Rios examined is an X-ray scanner used in airports to screen passengers' carry-on luggage. Rios was able to identify a number of security vulnerabilities in the software, including an authentication bypass issue.
"Even if you don't know the right password, you can still gain access to the device," he said. "Once you gain access to the device, you'll be able to get any other user's password."
Rios also examined the TSA's Kronos 4500 employee time-tracking system, which is used by TSA employees to check in and out of work at airports in the United States. One of the issues he found with the time-tracking system has to do with place of manufacture. Rios noted that the TSA has actually canceled procurement of an X-ray machine because it included a foreign-made part—a Chinese-made light bulb.
With the time tracker unit, Rios opened the device and found that the mainboard is made in China. Adding further insult to injury, on the time tracker software Rios found two different backdoor passwords.
"Backdoor passwords are pretty common in embedded devices," Rios said. "Manufacturers will hard-code the passwords for technical service and support."
The problem with that scenario is that if anyone else discovers the password, they also can gain access. From a user perspective, since the password is hard-coded into the software, it's not something that can be easily changed.