Airport Security Not Secure Enough, Researcher Reveals at Black Hat

 
 
By Sean Michael Kerner | Posted 2014-08-06

A security researcher looks at airport scanners and other security devices used in airports and finds some serious vulnerabilities.

LAS VEGAS—The security of a number of devices used by the U.S. Transportation Security Administration (TSA) is being called into question by a researcher at the Black Hat USA conference here. Billy Rios, director of Vulnerability Research at Qualys, looked at three different devices used by the TSA in airports in the United States and found security issues in all of them.

In an interview with eWEEK, Rios emphasized that all of the issues he found have been responsibly disclosed via ICS-CERT to help minimize any risk to travelers.

X-ray Scanner

One of the devices that Rios examined is an X-ray scanner used in airports to screen passengers' carry-on luggage. Rios was able to identify a number of security vulnerabilities in the software, including an authentication bypass issue.

"Even if you don't know the right password, you can still gain access to the device," he said. "Once you gain access to the device, you'll be able to get any other user's password."

Time-Tracking System

Rios also examined the TSA's Kronos 4500 employee time-tracking system, which is used by TSA employees to check in and out of work at airports in the United States. One of the issues he found with the time-tracking system has to do with place of manufacture. Rios noted that the TSA has actually canceled procurement of an X-ray machine because it included a foreign-made part—a Chinese-made light bulb.

With the time tracker unit, Rios opened the device and found that the mainboard is made in China. Adding further insult to injury, on the time tracker software Rios found two different backdoor passwords.

"Backdoor passwords are pretty common in embedded devices," Rios said. "Manufacturers will hard-code the passwords for technical service and support."

The problem with that scenario is that if anyone else discovers the password, they also can gain access. From a user perspective, since the password is hard-coded into the software, it's not something that can be easily changed.



 
 
 
 
 
 
 
 
 
 
 
 
 
