The scanners used by many airports in the United States are riddled with security flaws, a security researcher told attendees at the Black Hat conference in Las Vegas Wednesday.
"The machines deployed at airport security checkpoints contain embedded accounts with default passwords." -- Billy Rios, Qualys
Both devices, the Itemiser 3 trace detector and the Kronos time clock, are used by the Transportation Security Administration (TSA), Rios said. More importantly, the Itemiser 3 was accepted into TSA's testing lab but was never qualified for use in the field, Rios said.
Rios found about 6,000 Kronos time clock systems exposed on the Internet, but only two belonged to airports. The one at San Francisco International Airport has since been removed; Rios declined to name the location of the second unit because it is still reachable online. The Itemiser, while not directly connected to the Internet, could be reached over the airport's internal network. Some other TSA equipment suffers from the same universal-password problem.
One of the default passwords is hardcoded in the Itemiser 3's firmware. Newer models do not use the same firmware, so it would be highly unlikely for them to share the flaw. That backdoor accounts exist should not be a surprise: device manufacturers like to create embedded accounts with hardcoded passwords to make it easier to remotely maintain and support these systems.
Rios said security will become even more intertwined with technology, and that certain critical operations should simply be taken off the network. "I see hospitals now building security requirements into their acquisition process. That's what I would like to see TSA do. Look before you accept a product, and look for a backdoor password without relying on the goodwill of vendors" to change the password.
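As an added example of the "look for a backdoor password before you accept a product" step (this is not code from the talk, the article or any vendor, and every name and heuristic in it is the editor's assumption), the Python script below does the first pass a buyer can run on a vendor-supplied firmware image: it extracts printable strings the way the `strings` utility does and flags passwd/shadow-style hash records, config-style password assignments, and URLs with embedded credentials. The firmware bytes are constructed for the demo and do not come from any real device.

```python
"""Triage a firmware image for hardcoded credentials.

Added example, not code from the talk, the article or any vendor. The
heuristics, names and sample image below are the editor's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset of the matching string within the image
    kind: str     # which heuristic fired
    text: str     # the matching printable string (truncated for display)


# Heuristics applied to each extracted string; the first match wins, so the
# most specific pattern comes first.
CREDENTIAL_PATTERNS = [
    # passwd/shadow-style record with a crypt hash (modular crypt or 13-char DES) in field 2
    ("crypt-hash-record",
     re.compile(r"^[A-Za-z_][\w.-]*:(\$[0-9a-z]+\$[A-Za-z0-9./]+\$[A-Za-z0-9./]+|[A-Za-z0-9./]{13})(:|$)")),
    # key=value or key: value style password in a config blob or shell script
    ("password-assignment",
     re.compile(r"(?i)(pass(?:word|wd|phrase)?|pwd|pw|secret)\s*[=:]\s*[\"']?[^\s\"']{3,}")),
    # credentials embedded in a URL, e.g. ftp://user:pass@host/
    ("url-credentials",
     re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]


def printable_strings(image: bytes, min_len: int = 6):
    """Yield (offset, text) for each run of at least min_len printable ASCII bytes,
    which is what the `strings` utility extracts."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in run.finditer(image):
        yield m.start(), m.group().decode("ascii")


def scan_for_credentials(image: bytes) -> list[Finding]:
    """Return every printable string in the image that looks like a stored credential."""
    findings = []
    for offset, text in printable_strings(image):
        for kind, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(text):
                findings.append(Finding(offset, kind, text[:80]))
                break
    return findings


def finding_kinds(image: bytes) -> list[str]:
    """The heuristic labels of all findings, in image order."""
    return [f.kind for f in scan_for_credentials(image)]


# Constructed sample image (not a real firmware dump): a fake ELF header, one
# benign version string, binary filler, three planted credential artifacts and
# one ordinary string that must not fire.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9                                       # 16-byte fake header
    + b"detector fw v1.2.3\x00"                                                 # benign version string
    + b"\x00\x01\x02\x03" * 4                                                   # binary filler
    + b"root:$1$Ab12Cd34$qW3rT5yU6iO7pA8sD9fG0/:16000:0:99999:7:::\x00"        # shadow-style record
    + b"support_pw=Fact0ry!\x00"                                                # config-style assignment
    + b"ftp://maint:s3cret@10.0.0.1/upload\x00"                                 # URL with embedded creds
    + b"GET /status HTTP/1.1\x00"                                               # ordinary string
    + b"\xff" * 8
)

if __name__ == "__main__":
    for f in scan_for_credentials(SAMPLE_IMAGE):
        print(f"0x{f.offset:06x}  {f.kind:20s}  {f.text}")
```

Replace `SAMPLE_IMAGE` with `open(path, "rb").read()` to run it on a real image. The caveat that matters: a clean result proves nothing. A password compared byte by byte in compiled code, stored XOR-obfuscated, or sitting inside a compressed or encrypted filesystem (the norm in embedded images) never shows up as a printable string, so unpack the image first (binwalk or similar) and treat every hit as a lead for a live login attempt against the device's management interfaces, which is the only check that settles whether the account actually works.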
Rios has been looking at airport security systems for several months. In February he showed vulnerabilities in the Rapiscan 422 B x-ray system deployed at many airports around the country to scan baggage; the issues included storing user credentials in plaintext, Rios said. The time clock system, especially because it is reachable from the Internet, could give attackers a path into the airport's entire network infrastructure, Rios said. The Kronos system used two different hardcoded backdoor passwords that users are not able to change or delete. The Department of Homeland Security's ICS-CERT released an advisory about the Itemiser flaw on July 24.