Hacking airport security systems with a common laptop

Hackers can compromise airport security networks using a common laptop; this is the disconcerting discovery of the popular expert Billy Rios.

An I-Team cyber security investigation revealed that hackers could have the ability to shut down an airport’s security network using just a laptop.

It is embarrassing to read that systems designed to improve the security of airports could represent the entry point for attackers.

“Walking by these devices and knowing how poorly secure they are, it doesn’t sit well with me,” explained the popular cyber security expert Billy Rios. “It’s pretty bad — probably no thought has been given to cyber security at all.”

In 2013, Billy Rios tested various machines deployed at airports throughout the world, discovering numerous security vulnerabilities. The list of machines tested includes an X-ray scanner, an explosives detector, also known as an itemiser, and a time clock.

Rios explained that the vulnerabilities affecting the machines could be exploited to access the airport’s network; for example, it is very common to discover hard-coded passwords in the software running on these security systems.

“So anyone that knew the username and password, which we know, could just log into the device and get access to an airport network,” said Rios. “It just takes one second to abuse some of the vulnerabilities that we’ve seen.”

The unauthorized access to an X-ray machine could be exploited by a terrorist or a criminal to hide weapons from screeners.

Rios reported the flaws to the US authorities, which prompted the Department of Homeland Security to issue a warning about password vulnerabilities in some explosive detection machines. According to NBCNewYork, Rios has found many other flaws in the itemiser and in the time clocks.

“One machine Rios examined is called the itemiser. The company that makes itemisers says the version Rios bought was only used at foreign airports and the company recently released an update to correct the flaw, it said.

Rios maintains the broader concern continues at domestic airports, where he says he found three time clocks with vulnerable passwords,” states NBCNewYork.

The company that produces the time clocks has already fixed the flaws, and personnel at the airports can now change the passwords.

The most disconcerting aspect of the story is that it is likely that the vulnerabilities discovered by Rios have already been exploited; this is the opinion of the cyber security strategist from Cylance, Jon Miller.

“Now that we have extremists that are gaining these capabilities, they’re going to start using information for other types of attacks we haven’t seen before. It’s going to be a sobering couple of years,” said Miller.

Cylance recently published a report on an Iranian hacking crew, which ran a cyber espionage campaign exfiltrating sensitive information from many organizations and environments, including airports.

“We were following them for 18 to 24 months, but it wasn’t until we started seeing them pull things like emergency response times and information that could put the physical safety of people at harm we knew we had to stop it,” says Miller.

“Anyone who has a copy of the plan on how an airport or any facility responds to an emergency now has a blueprint on how to beat that system,” said Kenneth Honig, a former commanding officer for the police department of the Port Authority of New York and New Jersey.

“Now that it’s been brought out into the open, hopefully they will take steps to fix it, but it will take time,” added Honig, who has 20 years of leadership on the force.

Rios urges the Transportation Security Administration to adopt more stringent requirements in terms of the cyber security of the equipment used in any airport.

“The bar is too low,” Rios said. “There will always be security issues, we can’t solve every single security issue, but we shouldn’t have the bar be so low that anybody can hack into these devices. The bar has to be a lot higher.”

Pierluigi Paganini

(Security Affairs – security, airport)

