
8/6/2014
03:00 PM

TSA Checkpoint Systems Found Exposed On The Net

Researcher Billy Rios exposes new threats to airport security systems.

LAS VEGAS — Black Hat USA — A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.

Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.

Device vendors embed hardcoded passwords for their own maintenance or other technical support.

Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports. The time clock system at San Francisco International Airport has since been taken offline from the Internet, he says. Rios declined to identify the location of the other one, which he says remains online.

Why would the internal time clock system for the TSA or other organizations be connected to the Internet? "Is it online by default? I don't know. Kronos can be connected to multiple networks," Rios told Dark Reading in an interview last week.

Rios has been investigating TSA systems over the past few months. In February, he and fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA insider or an outside attacker to sneak weapons or other banned items past the TSA checkpoint. The Rapiscan 422 B X-ray system running at many airports was found to have several blatant security holes, including storing user credentials in plain text and a feature that could easily be abused to project phony images on the X-ray display.

Rapiscan's baggage scanners remain in most airports, although its contract with TSA is now defunct after TSA learned that the X-ray machines contain a light bulb that was manufactured by a Chinese company. TSA systems cannot include foreign-made parts.

[Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage. Read TSA Carry-On Baggage Scanners Easy To Hack.]

Meanwhile, the Kronos time clock system sitting on the public Internet could give an attacker access to the airports' local TSA network, Rios says. The Kronos system contained two different hardcoded backdoor passwords that cannot be changed by the user, only by the vendor.

Rios says the Itemiser he tested also came with a backdoor password. Exploiting that, he was able to alter the configuration of the Itemiser system, which could allow an attacker to prevent the system from detecting explosive residue, for example.

"Once you have access to the software, it's game over," he says.

But a spokesman for Morpho Detection, a Safran company, at a press briefing here today said the TSA does not run the vulnerable Itemiser 3 that Rios tested, but rather the newer Itemiser DX, which it says is not vulnerable to the authentication flaw. In a statement, the president and CEO of Morpho Detection said the company plans to release a software update to the Itemiser 3 -- which was actually discontinued in 2010 -- by the end of the year.

Rios maintains that the Morpho devices still could be compromised because they appear to have "rolling password" features that would allow a backdoor password scenario. 

The ICS-CERT issued an advisory about the Itemiser flaw on July 24. 

Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. "All it takes is one person to figure it [the password] out, and the entire device is compromised."

The big problem with such devices is there's little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. "They may not even know, because they don't have the tools or expertise to understand it."

In addition, hacking one of these devices is fairly simple, especially when the devices contain backdoor, hardcoded passwords. "There's a low bar required for compromising them. Anyone who kind of understands embedded devices can" compromise them.

But it's not all doom and gloom: Rios says there are ways to keep critical operations like the TSA's checkpoint from being vulnerable to cyber attack. "I see hospitals now building in security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Bprince,
User Rank: Ninja
8/10/2014 | 10:04:14 AM
Other Airport
I think the other airport should have some explaining to do as to why they are leaving it online after being told it was accessible.

BP
Marilyn Cohodas,
User Rank: Strategist
8/7/2014 | 7:41:34 AM
More from Billy Rios on Dark Reading Radio
Fascinating interview with Curt Franklin on Dark Reading Radio Wednesday. Here's the link to the broadcast. Don't miss it!