If you try to think of the most secure place in the world, you probably think of some military bunker or U.S. President’s hiding vault. But for us ordinary folks, the strictest security we can encounter is located in an airport. Armed security staff, multiple screening and ID checking points form a 360-degree security perimeter, preventing terrorists and criminals from leisurely traveling onboard those huge Boeings and Airbuses. That’s why it was quite shocking for me to discover that those folks at TSA and similar agencies from other countries pay much more attention to physical security, neglecting the importance of the cybersec.
A presentation on the subject was given at the SAS 2014 Conference by Qualys researchers Billy Rios and Terry McCorkle, who spent some time exploring a very important system of the airport protection perimeter – an X-Ray introscope. For those who are familiar with the term, an X-Ray introscope is a machine that scans a bag on a transporter belt and shows its contents in solarized colors on the operator’s screen. The device is controlled by a special key panel and doesn’t really look like a computer, but is essentially a highly specialized scanner connected to an ordinary PC running software on top of a typical Windows installation. Rios and McCorkle obtained Rapiscan 522B, a used introscope, via online auction and checked its software components. The findings were quite shocking for seasoned security specialists. First of all, the computer ran Windows 98, which is literally 15 years old. Microsoft hasn’t supported it for years. And you could imagine how many exploitable and unpatched vulnerabilities still exist in those old machines running Win98. Back then it was possible to infect a computer just by connecting to its network port and talking to the OS, without extra investigation on software configuration, etc. Second, the special security software itself turned out to be very concentrated on physical security, i.e. bags’ contents. Computer security definitely was not a priority. Operator passwords are stored in plain text, and there are multiple ways to log into the system without any prior knowledge of user names and other details. “It tells you there’s an error, [but then] just logs you in,” said Rios. However, the most important finding is the third one.
The image on the operator’s screen is essentially a computer simulation, as X-Ray scans don’t include any colors. What the computer does is preform a specially tailored image processing, which helps an operator quickly highlight metallic objects, or something with a liquid inside, etc. Multiple “filters” are available, but the software goes much further than this. As the threat detection level on the introscope is dramatically low (no one really tries to bring a gun onboard nowadays), supervisors keep operators awake by sporadically inserting a weapon image on top of real bag contents. When an operator sees a gun or a knife (the system contains dozens of such images), he/she must press the alarm button. In this training scenario, the alarm won’t really be triggered, but an internal assessment system will record the operator’s attentiveness. This trick is clever, but it raises a concern as well. What kind of “Photoshopping” could be further applied to a bag image? Wouldn’t it be possible to add some neutral image to the internal database and place it on top of the real gun on the screen? Such a hack is theoretically possible, given the dated and vulnerable software configuration of the scanner tested.
Don’t cancel your next flight; the situation is not that bad. First of all, computers in the airport security zone are isolated from the Internet. It’s still possible to hack them locally, but it poses a significant extra challenge to hypothetical attackers. Second, there are multiple vendors of X-Ray scanners and Qualys researchers tested only one (plus it is not new). I truly hope, that others are more secure. Third, airport security is layered and many specialists consider those well-visible measures like metal detectors and introscopes the least important. So even in an unlikely case of scanner malfunction, there are other security measures in place. However, this research teaches us, that traditional security measures like administrative access control and “airgapping” (network isolation) are no replace for a dedicated layer of cyber-security. TSA has very detailed standards describing the configuration of screening checkpoints, including even small details like dimensions of plastic trays used by passengers. This standard must include a detailed description of IT security measures as well, as airport systems definitely fall into the category of critical infrastructure. Only this can ensure our long-term safety in-flight.
P.S. This post was entirely written on board of Airbus A330 flying from Tenerife to Moscow. Despite these vulnerability issues, I’m still not afraid of flying.