Airport security has become far more advanced in the last decade, but according to the findings of one security researcher, the technology being used to protect travelers is still dangerously vulnerable to hackers.
On his own time, Billy Rios of Qualys Security said he purchased some of the hardware and software used by the Transportation Security Administration.
At a talk at this year’s Black Hat conference in Las Vegas, he revealed details about several vulnerabilities he was able to find, most notably in the device entrusted to detect trace levels of drugs and explosives.
The machine, the Morpho Itemiser, is set up so that the technician level password is hardcoded in.
It’s a common practice for a range of devices, one aimed at making it easier for technicians to get in and do maintenance, but it’s become taboo among security advocates because it also makes it easier for machines to be hacked.
Rios said the security weakness allows the machine to be reverse-engineered, so a hacker can log in and wreak havoc.
“If you’re a super user you can do whatever you want,” he said.
The device, Rios said, is set up so that it can be designated to detect certain drugs or explosive devices. Rios said one thing a hacker could have done is remove one or two items from the list, so the removed substances could pass through security.
One route into the machine, Rios said, might be through the organization’s Internet-connected payroll system.
The manufacturer of the Itemiser, Morpho, sent a representative to Rios’ session to defend the product. The company said it will be releasing an upgrade by year’s end to patch the identified vulnerability. “Morpho Detection takes the security of its products and its customers very seriously,” the statement read.
But the company said the version TSA uses does not have the vulnerability. Rios said the TSA has used the version he hacked in the past, and he worries the current version might have similar problems.
His findings, he said, show TSA is not properly vetting the products it uses for security.
He described himself as “one guy…no budget …and a laptop.“
“What that means is anyone can do this,” he said.
©2014 the Los Angeles Times. Distributed by McClatchy-Tribune Information Services.