The Rapiscan 522B, used by the TSA at US airports.
LAS VEGAS — The Transportation Security Administration (TSA) is quick to assure people that its long lines, patdowns and strict rules are necessary for travelers' security. But who's looking out for the TSA's security — especially when it comes to its computers?
Security expert Billy Rios examined the hardware and software the TSA uses at airports. He found a number of security problems ranging from default passwords to hard-coded backdoors.
Presenting his findings at the BlackHat security conference here last week, Rios said the TSA may have purchased its hardware without any evaluation of its cybersecurity, and that fixing those problems now will likely cost taxpayers hundreds of millions of dollars.
Rios is currently director of vulnerability research and threat intelligence at Redwood Shores, Calif.-based Qualys. He undertook his examination of the TSA's security independently, buying hardware off eBay and using his own tools and time to take the machines apart and find out how they worked.
First, the good news: TSA devices run on a closed network called TSANET that, from cursory looks, appears to be secure. (Rios didn't try to hack into it, as that would be a criminal offense.) Rios showed pictures of the network cables that attach to TSA machines, all of which are visible while going through an airport checkpoint. So far, so good.
Then Rios took a closer look at the Rapiscan 522B, the device that scans passengers' carry-on luggage at TSA checkpoints. Until recently, the devices were running on the very outdated Windows 98 operating system, but they recently were upgraded — to the also outdated Windows XP Professional.
Each Rapiscan 522B's code contains a file of all the IDs and passwords of its certified users. If you enter an incorrect password, no problem — the scanners will log you in anyway.
The Rapiscan 522B has another security issue, this one intentional. If you fly often enough, it's likely a TSA officer has looked into your luggage via the scanner and seen a gun nestled among your clothes and toiletries.
The scanners are designed to "test" employees by regularly overlaying images of dangerous items on top of random passengers' bags. TSA agents are expected to flag the items as if they were real weapons; if they fail to do so, they will be reprimanded.
That may sound like a good way to make sure TSA employees are on their toes, but Rios says it also means there's a serious problem with the scanners. The software permits other programs to modify the screen, making it possible for an attacker to cause other things to display on Rapiscan 522B screens.
Rios also found hard-coded usernames and passwords on a device called the Kronos 4500 that the TSA uses to manage employee check-ins. Six thousand Kronos 4500 units were connected to the Internet and could be remotely accessed via backdoors — hidden methods of bypassing normal security — built into the system.
The Kronos 4500 is made in China, Rios noted. The TSA had previously refused to buy a scanner because its light bulb was Chinese-made, but those concerns apparently didn't extend to employee-tracking software, he observed.
Finally, Rios discussed the Itemizer, which looks for traces of hazardous materials on passengers or luggage. The Itemizer also contains backdoor accounts, plus lists of usernames and passwords contained in an easy-to-modify file called config.bin. If config.bin is deleted, all passwords revert to the default.
Rios says he told the TSA six months ago about all the vulnerabilities he'd found, but to his knowledge, the agency hasn't addressed them yet. Instead, he said, the TSA told him its software "cannot be hacked or fooled" and that it "add[s] [its] own software and protections."
The slides of Rios' presentation, entitled "Pulling Back the Curtain on Airport Security: Can a Weapon Get Past the TSA?," are available on the BlackHat website.
- Best Antivirus Software 2014
- Pwnie Awards Celebrate Security Wins and Epic Fails
- 9 Tips to Stay Safe on Public Wi-Fi
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.