Vulnerabilities / Threats //

Advanced Threats

8/6/2014
03:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

TSA Checkpoint Systems Found Exposed On The Net

Researcher Billy Rios exposes new threats to airport security systems.

LAS VEGAS — Black Hat USA — A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.

Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.

Device vendors embed hardcoded passwords for their own maintenance or other technical support.

Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports. The time clock system at San Francisco International Airport has since be taken offline from the Internet, he says. Rios declined to identify the location of the other one, which he says remains online.

Why would the internal time clock system for the TSA or other organizations be connected to the Internet? "Is it online by default? I don't know. Kronos can be connected to multiple networks," Rios told Dark Reading in an interview last week.

Rios has been investigating TSA systems over the past few months. In February, he and fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA inside or outside attacker to sneak weapons or other banned items past the TSA checkpoint. The Rapiscan 422 B X-ray system running at many airports was found to have several blatant security holes, including storing user credentials in plain text and a feature that could easily be abused to project phony images on the X-ray display.

Rapiscan's baggage scanners remain in most airports, although its contract with TSA is now defunct after TSA learned that the X-ray machines contain a light bulb that was manufactured by a Chinese company. TSA systems cannot include foreign-made parts.

[Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage. Read TSA Carry-On Baggage Scanners Easy To Hack.]

Meanwhile, the Kronos time clock system sitting on the public Internet could give an attacker access to the airports' local TSA network, Rios says. The Kronos system contained two different hardcoded backdoor passwords that cannot be changed by the user, only by the vendor.

Rios says the Itemiser he tested also came with a backdoor password. Exploiting that, he was able to alter the configuration of the Itemiser system, which could allow an attacker to prevent the system from detecting explosive residue, for example.

"Once you have access to the software, it's game over," he says.

But a spokesman for Morpho Detection, a Safran company, at a press briefing here today said the TSA does not run the vulnerable Itemiser 3 that Rios tested, but rather the newer Itemiser DX, which it says is not vulnerable to the authentication flaw. In a statement, Morpho president and CEO at Morpho Detection said the company plans to release a software update to the Itemiser 3 -- which has was actually discontinued in 2010 -- by the end of the year.

Rios maintains that the Morpho devices still could be compromised because they appear to have "rolling password" features that would allow a backdoor password scenario. 

The ICS-CERT issued an advisory about the Itemiser flaw on July 24. 

Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. "All it takes is one person to figure it [the password] out, and the entire device is compromised."

The big problem with such devices is there's little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. "They may not even know, because they don't have the tools or expertise to understand it."

In addition, hacking one of these devices is fairly simple, especially when the devices contain backdoor, hardcoded passwords. "There's a low bar required for compromising them. Anyone who kind of understands embedded devices can" compromise them.

But it's not all doom and gloom: Rios says there are ways to prevent exposing critical operations like the TSA's checkpoint from being vulnerable to cyber attack. "I see hospitals now building in security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 10:04:14 AM
Other Airport
I think the other aiprort should have some explaining to do as to why they are leaving online after being told it was accessible.  

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/7/2014 | 7:41:34 AM
More from Billy Rios on Dark Reading Radio
Fascinating interview with Curt Franklin on Dark Reading Radio Wednesday. Here's the link to the broadcast. Don't miss it!
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3829
PUBLISHED: 2018-09-19
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to ga...
CVE-2018-3830
PUBLISHED: 2018-09-19
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2018-3831
PUBLISHED: 2018-09-19
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This c...
CVE-2018-3823
PUBLISHED: 2018-09-19
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructiv...
CVE-2018-3824
PUBLISHED: 2018-09-19
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive inf...