If you've gone through security in an American airport, you've passed by millions of dollars' worth of equipment. There are backscatter machines, luggage X-rays and explosive-sniffing computers — some of the most advanced monitoring machines the US government can offer. But a new report from the security firm Qualys may have uncovered some gaping security holes in that equipment, letting attackers disable or undermine crucial elements of the TSA's security apparatus.
"It's a really, really bad problem."
The biggest problem is the Morpho Itemiser 3, an early version of the device currently used to scan for traces of narcotics and explosives. Because of how Morpho built the Itemiser 3, Billy Rios, the director of threat intelligence at Qualys, says there's a master-level password hard-coded into the device, designed to give a technician top-level access to the machine. But since the password is baked into the Itemiser 3's firmware, where an operator can neither change nor rotate it, Qualys says there's a real risk of attackers reverse-engineering it, which could have disastrous consequences. That would give attackers free rein over the machine, allowing them to shut down the system or alter the database of chemical signatures to let explosive or drug traces slip through undetected. "It's a really, really bad problem," Rios says. "For some reason there's a paradigm in the embedded world where they want to do these technician passwords."
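As an added illustration (not from the Qualys report, the article, or Morpho's code), the following Python shows why a password stored as a literal in firmware is recoverable with a plain strings-style scan, and what a per-device credential check looks like by contrast. The firmware image, the prompt strings and the password literal are all constructed for the example; nothing here describes the Itemiser's actual firmware.

```python
"""Illustration of a hard-coded technician password in a firmware image.

Constructed example for this article; it is not the Itemiser's firmware,
Morpho's code, or anything from the Qualys report. The image bytes, the
prompt strings and the password literal are all made up."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a firmware dump: a few bytes that play the role
# of machine code, interleaved with NUL-terminated string literals the
# way a compiler lays out read-only data. One literal is the hypothetical
# universal technician password the firmware compares against.
FIRMWARE_IMAGE = (
    bytes([0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10])
    + b"Trace Detector Service Console v1.2\x00"
    + bytes([0xC3, 0x90, 0x90, 0x0F, 0x1F])
    + b"Enter technician password:\x00"
    + b"T3chN1c1an!\x00"  # hypothetical hard-coded technician password
    + bytes([0xE8, 0x00, 0x00, 0x00, 0x00])
    + b"Access granted\x00"
)

# The same literal as it would appear in the firmware's source: the check
# is a plain equality test against a constant, so the constant must be in
# the image, and it is identical on every unit shipped.
HARDCODED_TECH_PASSWORD = "T3chN1c1an!"


def vulnerable_tech_login(attempt: str) -> bool:
    """Vulnerable pattern: one fixed password baked into the firmware."""
    return attempt == HARDCODED_TECH_PASSWORD


def extract_strings(image: bytes, min_len: int = 6) -> list[str]:
    """Recover printable ASCII runs, the way the `strings` utility does.

    No disassembly is needed: string literals survive compilation intact,
    so this is the first thing a reverse engineer runs on a dump."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def recover_password_candidates(strings: list[str]) -> list[str]:
    """Heuristic an analyst applies to `strings` output: the literal laid
    out right after a prompt that mentions a password is the likely
    credential. Returns every such neighbour for manual confirmation."""
    return [
        strings[i + 1]
        for i in range(len(strings) - 1)
        if "password" in strings[i].lower()
    ]


def provision_device_credential(password: str, rounds: int = 100_000) -> dict:
    """Contrast: a per-device credential set at installation and stored as
    a salted PBKDF2 hash. The image then contains no literal that unlocks
    any unit, and dumping one device's storage yields only that device's
    salted hash, which is useless against the next unit."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_device_credential(record: dict, attempt: str) -> bool:
    """Constant-time check of an attempt against the stored per-device record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    found = extract_strings(FIRMWARE_IMAGE)
    print("strings in image:", found)
    candidates = recover_password_candidates(found)
    for candidate in candidates:
        print("candidate:", candidate, "-> unlocks:", vulnerable_tech_login(candidate))
    record = provision_device_credential("per-unit-secret-set-at-install")
    print("per-device check, right secret:",
          verify_device_credential(record, "per-unit-secret-set-at-install"))
    print("per-device check, recovered literal:",
          verify_device_credential(record, candidates[0]))
```

The strings pass is the whole attack against the vulnerable pattern: no exploit is needed once the literal is read out of a dump, and the same literal works on every unit. The per-device record at the end is one shape of the alternative; it does not make a dumped device safe against its own stored hash being cracked offline, which is why the salt and iteration count matter.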
The Itemiser 3 was accepted into the TSA lab but never qualified for use in the field; the TSA has since deployed the Itemiser DX model. Rios says the DX has the same technician-password feature, but Morpho strenuously denies the charge, telling The Verge, "we can say unequivocally there are no hard-coded passwords on TSA’s Itemiser DX." The company also says it will push an update to the Itemiser 3 by year's end to fix the vulnerability.
The Itemiser isn't directly connected to the internet, but Rios says an attacker could reach the machine through the agency's internal TSAweb network, which in turn could be accessed through other vulnerabilities in the agency's payroll-monitoring hardware. Several other pieces of TSA equipment have the same universal-password bug, according to Rios, although the Itemiser is the most important one. If any of the other devices were left exposed online, they could be used as a bridge into the internal TSAweb network, potentially allowing bad actors to attack the system from anywhere in the world. "When we have backdoor passwords, and you introduce the concept of networking, it gets really bad," Rios says.
"They don't know how to do a software assessment of these devices."
Rios is taking the issue public in a talk at Black Hat today, but he has been pressing it more quietly for months. He reported the problem to Homeland Security earlier in the year, and the agency has been treating it as a known vulnerability. Still, Rios isn't sure whether the agency already knew about the vulnerability or simply hadn't vetted its equipment. "What's more likely is, they have an acquisition process but they don't know how to do a software assessment of these devices," Rios says. If so, this week's report may serve as a rude awakening for the agency.
8/7 7:57am EST: Article was updated to include comment from Morpho.
9:38am EST: Article was updated to clarify the TSA's adoption of the Itemiser 3.
10:52am EST: Article was updated to include a more emphatic denial from Morpho.