Pulling the Curtain on Airport Security
TRANSCRIPT
![Page 2: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/2.jpg)
How to get put on the no-fly list…
![Page 3: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/3.jpg)
Why are you doing this?
• Just an average Joe
• Interest in ICS, Embedded and Medical devices
• I travel a lot
![Page 6: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/6.jpg)
Lessons Learned by a Young Butterbar
• Show respect
• Accept Responsibility
• Trust, but Verify
![Page 7: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/7.jpg)
Show me the Money… (budget.house.gov)
• > 50,000 people at more than 400 airports across the country and an annual budget of $7.39 billion (2014)
• TSA receives about $2 billion a year in offsetting collections under current law, through air-carrier and aviation-passenger security fees. The largest of the fees, in terms of total collections, is the Aviation Passenger Security Fee (sometimes called the September 11th Security Fee), which brings in about $1.7 billion a year.
• By law, the first $250 million of passenger-security fees is set aside for the Aviation Security Capital Fund, which provides for airport-facility modifications and certain security equipment
![Page 8: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/8.jpg)
Show me the Money…
One guy
no budget
and a laptop
![Page 9: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/9.jpg)
Disclosure
All issues in this presentation were reported to DHS via ICS-CERT >6 months ago
![Page 10: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/10.jpg)
Response?
• Our software “cannot be hacked or fooled”
• “add their own software and protections.”
• <silence>
• Spoke with Morpho last week
![Page 11: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/11.jpg)
Scenarios
(1) TSA doesn’t know about the security issues in their software
(2) TSA knew about the security issues, developed their own custom fixes, never told the vendors… and is hoarding embedded zero-day vulnerabilities and leaving other organizations exposed?
![Page 24: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/24.jpg)
A Quick Lesson on Backdoors
![Page 25: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/25.jpg)
I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
[Yelling] Mr. Potato Head! Mr. Potato Head! Backdoors are not secrets!
Yeah, but you're giving away our best tricks!
They’re not tricks!
![Page 26: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/26.jpg)
A Word About Backdoors
• Malicious account added by a third party
• Debugging accounts that someone forgot to remove
• Accounts used by Technicians for Service and Maintenance
![Page 27: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/27.jpg)
Technician Accounts == Backdoors
• Often hardcoded into the software
• Applications which depend on the passwords
• Business processes which depend on the passwords
• External software which depends on the passwords
• Training which teaches technicians to use these passwords
![Page 28: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/28.jpg)
Technician Accounts == Backdoors
• Can be discovered by external third parties (like me!)
• Cannot be changed by the end user (in most cases)
• Once initial work is completed, these passwords usually scale
![Page 39: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/39.jpg)
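```csharp
try {
    if (Checkpassword()) {
        Authenticate();
    } else {
        AuthFail();
    }
} catch {
    // Any exception during the password check lands here,
    // and the handler still authenticates the user (fails open).
    ShowErrorMessage();
    Authenticate();
}
```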
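The same fail-open pattern beside a fail-closed version, as an added Python example that is not from the talk or from any vendor's code. The credential store, the account names and the function names are hypothetical, and the sample records are constructed.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # constructed value for this example


def make_record(password, salt):
    """Build a (salt, digest) record for the hypothetical credential store."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(store, user, supplied):
    """Return True/False, or raise if the record is missing or damaged."""
    salt, digest = store[user]  # KeyError or TypeError on a bad record
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login_fail_open(store, user, supplied):
    """Mirrors the slide: the error handler still authenticates."""
    try:
        return check_password(store, user, supplied)
    except Exception:
        # Equivalent of ShowErrorMessage(); Authenticate();
        return True


def login_fail_closed(store, user, supplied, audit):
    """Any error during the check is a denial, and it is recorded."""
    try:
        ok = check_password(store, user, supplied)
    except Exception as exc:
        audit.append(("auth_error", user, type(exc).__name__))
        return False
    audit.append(("auth_ok" if ok else "auth_fail", user, ""))
    return ok


# Constructed sample store: one valid record and one damaged record.
STORE = {
    "tech": make_record("correct horse", b"constructed-salt"),
    "damaged": None,
}

if __name__ == "__main__":
    audit = []
    print("fail-open, damaged record:  ", login_fail_open(STORE, "damaged", "x"))
    print("fail-closed, damaged record:", login_fail_closed(STORE, "damaged", "x", audit))
    print("audit trail:", audit)
```

The `auth_error` entries are the detection signal: a burst of them against one device means the check itself is failing, which the fail-open version would have hidden behind successful logins.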
![Page 45: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/45.jpg)
“TSA has strict requirements that all vendors must meet for security effectiveness and efficiency and does not tolerate any violation of contract obligations. TSA is responsible for the safety and security of the nearly two million travelers screened each day.”
http://www.bloomberg.com/news/2013-12-06/naked-scanner-maker-osi-systems-falls-on-losing-tsa-order.html
![Page 46: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/46.jpg)
"Questions remain about how the situation will be rectified and the potential for unmitigated threats posed by the failure to remove the machinery," the committee's Republican and Democratic leaders wrote in a Dec. 6 letter to the men. "It is our understanding that these new components -- inappropriately labeled with the same part number as the originally approved component -- were entirely manufactured and assembled in the People's Republic of China."
http://www.nextgov.com/defense/2013/12/congress-grills-tsa-chinese-made-luggage-scanner-parts/75098/
![Page 47: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/47.jpg)
“The referenced component is the X-ray generator, a simple electrical item with no moving parts or software.”
He described the piece as "effectively, an X-ray light bulb."
http://www.nextgov.com/defense/2013/12/congress-grills-tsa-chinese-made-luggage-scanner-parts/75098/
![Page 54: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/54.jpg)
Interesting Items
• VxWorks on PowerPC
• VxWorks FTP
• VxWorks Telnet
• Web server
• Server: Allegro-Software-RomPager/4.32
• WWW-Authenticate: Basic realm="Browser"
![Page 61: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/61.jpg)
Backdoors…
• FTP and Telnet - SuperUser:2323098716
• config\devCfg.xml file
• MaintValidation.class file within the m8m.jar
• Web - KronosBrowser:KronosBrowser
• ~6000 on the Internet, two major airports
![Page 62: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/62.jpg)
Here’s a thought…
• Foreign made main board on TSA Net that can track which TSA personnel are on the floor at any given moment
• Hardcoded FTP password/backdoor
• Hardcoded Telnet password/backdoor which gives up a VxWorks shell
• Hardcoded Web password/backdoor
![Page 63: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/63.jpg)
Does TSA know Kronos 4500s have Chinese-made main boards?
Does the TSA know the software has hardcoded backdoors?
![Page 64: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/64.jpg)
Trust but Verify the Engineering
![Page 72: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/72.jpg)
Itemiser
• X86 (Pentium Processor)
• Windows CE
• Disk on chip with ~7.5 meg main program
• PS2, Floppy, USB
• IrDA?!?!?!?!
![Page 73: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/73.jpg)
File System
• ITMSCE.exe (Main Application)
• Users.bin (User Accounts)
• Config.bin (Settings for detection)
• Options.bin
• History.bin
• Alarms (folder)
![Page 81: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/81.jpg)
Users on the Itemiser User Menu
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• <various user accounts>
![Page 83: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/83.jpg)
Users in the Binary
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• Administrator 2
• Super User 2
![Page 84: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/84.jpg)
Users in the Binary vs User Menu
Binary
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• Administrator 2
• Super User 2
User Menu
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
![Page 85: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/85.jpg)
Two Backdoor Accounts
• Administrator 2: 838635
• SuperUser 2: 695372
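The binary-versus-menu comparison above can be run as an acceptance check before buying or certifying a device. This is an added Python example, not code from the talk: it pulls printable ASCII and UTF-16LE strings out of an application image and reports account names the user menu does not show. The sample image is constructed and the function names are hypothetical; the role names are the ones listed on the slides.

```python
import re

# Role names as they appear on the slides; "SuperUser" is folded into "Super User".
ROLE_RE = re.compile(r"\b(Operator|Maintenance|Administrator|Super ?User) (\d+)\b")
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")           # runs of printable ASCII
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # the same, stored as UTF-16LE


def extract_strings(blob):
    """Yield printable strings in both encodings a Windows CE binary may use."""
    for match in ASCII_RE.finditer(blob):
        yield match.group().decode("ascii")
    for match in UTF16_RE.finditer(blob):
        yield match.group().decode("utf-16-le")


def accounts_in_image(blob):
    """Return the set of role-style account names embedded in the image."""
    found = set()
    for text in extract_strings(blob):
        for role, number in ROLE_RE.findall(text):
            if role.replace(" ", "") == "SuperUser":
                role = "Super User"
            found.add(f"{role} {number}")
    return found


def audit_accounts(blob, menu_accounts):
    """Diff the accounts in the image against those the user menu exposes."""
    in_image = accounts_in_image(blob)
    menu = set(menu_accounts)
    return {
        "hidden": sorted(in_image - menu),      # in the image, absent from the menu
        "menu_only": sorted(menu - in_image),   # shown in the menu, stored elsewhere
    }


def build_sample_image():
    """Constructed stand-in for an application image, mixing both encodings."""
    names = ["Operator 1", "Maintenance 1", "Administrator 1",
             "Super User 1", "Administrator 2", "Super User 2"]
    blob = b"MZ\x90\x00\xff\xfe\x01"
    for index, name in enumerate(names):
        encoding = "utf-16-le" if index % 2 else "ascii"
        blob += name.encode(encoding) + b"\x00\x00\x07\xfe"
    return blob


SAMPLE_IMAGE = build_sample_image()
MENU_ACCOUNTS = ["Operator 1", "Maintenance 1", "Administrator 1", "Super User 1"]

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_IMAGE, MENU_ACCOUNTS))
```

A non-empty `hidden` list is a question to put to the vendor in writing: what each account is for, who holds its credential, and whether the owner can change or disable it.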
![Page 89: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/89.jpg)
Blame the vendor?
![Page 90: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/90.jpg)
This is actually TSA’s Fault
• TSA depends on this equipment to do their job
• TSA operators do not have the expertise to detect exploited devices
• TSA has not conducted adequate threat models on how these devices are designed from a cyber security standpoint
• TSA has not audited these devices for even the most basic security issues
• Vendors develop devices to meet TSA requirements
• TSA certifies devices it deems satisfactory
• We pay for all this…
![Page 91: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/91.jpg)
I hope that someone (maybe the GAO?) trusts what the TSA is telling us about their devices, but verifies the engineering is a reality
![Page 92: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/92.jpg)
If you have embedded devices, I would hope you would do the same for your devices
BEFORE you fork over the $$!
![Page 93: Pulling the Curtain on Airport Security](https://reader033.vdocument.in/reader033/viewer/2022042619/58a2c2a21a28abff648b5274/html5/thumbnails/93.jpg)
Questions?