Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

8/6/2014
03:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

TSA Checkpoint Systems Found Exposed On The Net

Researcher Billy Rios exposes new threats to airport security systems.

LAS VEGAS — Black Hat USA — A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.

Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.

Device vendors embed hardcoded passwords for their own maintenance or other technical support.

Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports. The time clock system at San Francisco International Airport has since be taken offline from the Internet, he says. Rios declined to identify the location of the other one, which he says remains online.

Why would the internal time clock system for the TSA or other organizations be connected to the Internet? "Is it online by default? I don't know. Kronos can be connected to multiple networks," Rios told Dark Reading in an interview last week.

Rios has been investigating TSA systems over the past few months. In February, he and fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA inside or outside attacker to sneak weapons or other banned items past the TSA checkpoint. The Rapiscan 422 B X-ray system running at many airports was found to have several blatant security holes, including storing user credentials in plain text and a feature that could easily be abused to project phony images on the X-ray display.

Rapiscan's baggage scanners remain in most airports, although its contract with TSA is now defunct after TSA learned that the X-ray machines contain a light bulb that was manufactured by a Chinese company. TSA systems cannot include foreign-made parts.

[Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage. Read TSA Carry-On Baggage Scanners Easy To Hack.]

Meanwhile, the Kronos time clock system sitting on the public Internet could give an attacker access to the airports' local TSA network, Rios says. The Kronos system contained two different hardcoded backdoor passwords that cannot be changed by the user, only by the vendor.

Rios says the Itemiser he tested also came with a backdoor password. Exploiting that, he was able to alter the configuration of the Itemiser system, which could allow an attacker to prevent the system from detecting explosive residue, for example.

"Once you have access to the software, it's game over," he says.

But a spokesman for Morpho Detection, a Safran company, at a press briefing here today said the TSA does not run the vulnerable Itemiser 3 that Rios tested, but rather the newer Itemiser DX, which it says is not vulnerable to the authentication flaw. In a statement, Morpho president and CEO at Morpho Detection said the company plans to release a software update to the Itemiser 3 -- which has was actually discontinued in 2010 -- by the end of the year.

Rios maintains that the Morpho devices still could be compromised because they appear to have "rolling password" features that would allow a backdoor password scenario. 

The ICS-CERT issued an advisory about the Itemiser flaw on July 24. 

Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. "All it takes is one person to figure it [the password] out, and the entire device is compromised."

The big problem with such devices is there's little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. "They may not even know, because they don't have the tools or expertise to understand it."

In addition, hacking one of these devices is fairly simple, especially when the devices contain backdoor, hardcoded passwords. "There's a low bar required for compromising them. Anyone who kind of understands embedded devices can" compromise them.

But it's not all doom and gloom: Rios says there are ways to prevent exposing critical operations like the TSA's checkpoint from being vulnerable to cyber attack. "I see hospitals now building in security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 10:04:14 AM
Other Airport
I think the other aiprort should have some explaining to do as to why they are leaving online after being told it was accessible.  

BP
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/7/2014 | 7:41:34 AM
More from Billy Rios on Dark Reading Radio
Fascinating interview with Curt Franklin on Dark Reading Radio Wednesday. Here's the link to the broadcast. Don't miss it!
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2002-0390
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.