
Airport X-Ray Scanners Are Vulnerable to Hackers

Source: Tom's Guide US

The Rapiscan 522B, used by the TSA at US airports.

LAS VEGAS — The Transportation Security Administration (TSA) is quick to assure people that its long lines, patdowns and strict rules are necessary for travelers' security. But who's looking out for the TSA's security — especially when it comes to its computers?

Security expert Billy Rios examined the hardware and software the TSA uses at airports. He found a number of security problems ranging from default passwords to hard-coded backdoors.

Presenting his findings at the BlackHat security conference here last week, Rios said the TSA may have purchased its hardware without any evaluation of its cybersecurity, and that fixing those problems now will likely cost taxpayers hundreds of millions of dollars.


Rios is currently director of vulnerability research and threat intelligence at Redwood Shores, Calif.-based Qualys. He undertook his examination of the TSA's security independently, buying hardware off eBay and using his own tools and time to take the machines apart and find out how they worked.

First, the good news: TSA devices run on a closed network called TSANET that, from cursory looks, appears to be secure. (Rios didn't try to hack into it, as that would be a criminal offense.) Rios showed pictures of the network cables that attach to TSA machines, all of which are visible while going through an airport checkpoint. So far, so good.

Then Rios took a closer look at the Rapiscan 522B, the device that scans passengers' carry-on luggage at TSA checkpoints. Until recently, the devices ran the very outdated Windows 98 operating system; they have since been upgraded to Windows XP Professional, which is also outdated.

Each Rapiscan 522B's code contains a file of all the IDs and passwords of its certified users. If you enter an incorrect password, no problem — the scanners will log you in anyway.

The Rapiscan 522B has another security issue, this one intentional. If you fly often enough, it's likely a TSA officer has looked into your luggage via the scanner and seen a gun nestled among your clothes and toiletries.

The scanners are designed to "test" employees by regularly overlaying images of dangerous items on top of random passengers' bags. TSA agents are expected to flag the items as if they were real weapons; if they fail to do so, they will be reprimanded.

That may sound like a good way to make sure TSA employees are on their toes, but Rios says it also means there's a serious problem with the scanners. The software permits other programs to modify the screen, making it possible for an attacker to cause other things to display on Rapiscan 522B screens. 

Rios also found hard-coded usernames and passwords on a device called the Kronos 4500 that the TSA uses to manage employee check-ins. Six thousand Kronos 4500 units were connected to the Internet and could be remotely accessed via backdoors — hidden methods of bypassing normal security — built into the system.

The Kronos 4500 is made in China, Rios noted. The TSA had previously refused to buy a scanner because its light bulb was Chinese-made, but those concerns apparently didn't extend to employee-tracking software, he observed. 

Finally, Rios discussed the Itemizer, which looks for traces of hazardous materials on passengers or luggage. The Itemizer also contains backdoor accounts, plus lists of usernames and passwords contained in an easy-to-modify file called config.bin. If config.bin is deleted, all passwords revert to the default.
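
The behaviours described above (a wrong password that still logs in, a credential file that is easy to modify, and a reset to defaults when the file is missing) are all fail-open designs. The sketch below is an added example, not code from the article or from any of the vendors named; it contrasts the fail-open pattern with a loader that fails closed. The file layout, the `DEFAULTS` account and the HMAC key (assumed to be kept outside the credential file, for example in hardware-backed storage) are constructed for illustration.

```python
import hashlib, hmac, json, os

DEFAULTS = {"admin": "admin"}  # constructed stand-in for factory-default accounts

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_records(users):
    """Turn {name: password} into salted PBKDF2 records."""
    out = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = {"salt": salt.hex(), "hash": _hash(pw, salt)}
    return out

def write_store(path, users, key):
    """Write the records followed by an HMAC-SHA256 tag over them."""
    body = json.dumps(make_records(users), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    with open(path, "wb") as f:
        f.write(body + b"\n" + tag)

def load_fail_open(path):
    """Weak pattern: a missing file silently restores default accounts."""
    if not os.path.exists(path):
        return make_records(DEFAULTS)
    with open(path, "rb") as f:
        return json.loads(f.read().split(b"\n")[0])  # contents trusted as-is

def load_fail_closed(path, key):
    """Hardened pattern: a missing or altered file disables logins."""
    try:
        with open(path, "rb") as f:
            body, _, tag = f.read().rpartition(b"\n")
    except FileNotFoundError:
        raise PermissionError("credential store missing; logins disabled")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("credential store failed integrity check")
    return json.loads(body)

def authenticate(store, user, password):
    """Return True only when the password matches; never log in on a mismatch."""
    rec = store.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash(password, bytes.fromhex(rec["salt"])), rec["hash"])
```

With the fail-closed loader, a missing or edited file is an alarm condition that an operator has to resolve, rather than a path back to default credentials.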

Rios says he told the TSA six months ago about all the vulnerabilities he'd found, but to his knowledge, the agency hasn't addressed them yet. Instead, he said, the TSA told him its software "cannot be hacked or fooled" and that it "add[s] [its] own software and protections."

The slides of Rios' presentation, entitled "Pulling Back the Curtain on Airport Security: Can a Weapon Get Past the TSA?," are available on the BlackHat website.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+.

Discuss
  • 3
    Darkk , August 12, 2014 12:07 PM
    Wouldn't be surprised if TSA told him to "Forget what you saw and don't worry about it since it's totally secure."
  • 0
    Simon Mackay , August 12, 2014 10:50 PM
    A problem we are seeing a lot of is less interest in keeping the software up-to-date on "dedicated-purpose" machines like the Rapiscan or the Kronos devices. This is even though organisations like the TSA buy or lease them for a princely sum per unit, run them for years on end and rely on them to perform the organisation's essential duties.
    Personally I would encourage a different culture with software maintenance for these devices such as a "secure by design, always updated" approach like with most computer operating systems.