Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

8/6/2014
03:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

TSA Checkpoint Systems Found Exposed On The Net

Researcher Billy Rios exposes new threats to airport security systems.

LAS VEGAS — Black Hat USA — A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.

Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.

Device vendors embed hardcoded passwords for their own maintenance or other technical support.

Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports. The time clock system at San Francisco International Airport has since be taken offline from the Internet, he says. Rios declined to identify the location of the other one, which he says remains online.

Why would the internal time clock system for the TSA or other organizations be connected to the Internet? "Is it online by default? I don't know. Kronos can be connected to multiple networks," Rios told Dark Reading in an interview last week.

Rios has been investigating TSA systems over the past few months. In February, he and fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA inside or outside attacker to sneak weapons or other banned items past the TSA checkpoint. The Rapiscan 422 B X-ray system running at many airports was found to have several blatant security holes, including storing user credentials in plain text and a feature that could easily be abused to project phony images on the X-ray display.

Rapiscan's baggage scanners remain in most airports, although its contract with TSA is now defunct after TSA learned that the X-ray machines contain a light bulb that was manufactured by a Chinese company. TSA systems cannot include foreign-made parts.

[Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage. Read TSA Carry-On Baggage Scanners Easy To Hack.]

Meanwhile, the Kronos time clock system sitting on the public Internet could give an attacker access to the airports' local TSA network, Rios says. The Kronos system contained two different hardcoded backdoor passwords that cannot be changed by the user, only by the vendor.

Rios says the Itemiser he tested also came with a backdoor password. Exploiting that, he was able to alter the configuration of the Itemiser system, which could allow an attacker to prevent the system from detecting explosive residue, for example.

"Once you have access to the software, it's game over," he says.

But a spokesman for Morpho Detection, a Safran company, at a press briefing here today said the TSA does not run the vulnerable Itemiser 3 that Rios tested, but rather the newer Itemiser DX, which it says is not vulnerable to the authentication flaw. In a statement, Morpho president and CEO at Morpho Detection said the company plans to release a software update to the Itemiser 3 -- which has was actually discontinued in 2010 -- by the end of the year.

Rios maintains that the Morpho devices still could be compromised because they appear to have "rolling password" features that would allow a backdoor password scenario. 

The ICS-CERT issued an advisory about the Itemiser flaw on July 24. 

Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. "All it takes is one person to figure it [the password] out, and the entire device is compromised."

The big problem with such devices is there's little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. "They may not even know, because they don't have the tools or expertise to understand it."

In addition, hacking one of these devices is fairly simple, especially when the devices contain backdoor, hardcoded passwords. "There's a low bar required for compromising them. Anyone who kind of understands embedded devices can" compromise them.

But it's not all doom and gloom: Rios says there are ways to prevent exposing critical operations like the TSA's checkpoint from being vulnerable to cyber attack. "I see hospitals now building in security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/7/2014 | 7:41:34 AM
More from Billy Rios on Dark Reading Radio
Fascinating interview with Curt Franklin on Dark Reading Radio Wednesday. Here's the link to the broadcast. Don't miss it!
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 10:04:14 AM
Other Airport
I think the other aiprort should have some explaining to do as to why they are leaving online after being told it was accessible.  

BP
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32053
PUBLISHED: 2021-05-10
JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are m...
CVE-2020-18102
PUBLISHED: 2021-05-10
Cross Site Scripting (XSS) in Hotels_Server v1.0 allows remote attackers to execute arbitrary code by injecting crafted commands the data fields in the component "/controller/publishHotel.php".
CVE-2020-27232
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘manageServiceStocks.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-28600
PUBLISHED: 2021-05-10
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21430
PUBLISHED: 2021-05-10
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vu...