When thinking about government security, the more I find out, the more I wish I did not know. This talk at BlackHat 2014 in Las Vegas, “Pulling back the curtain on Airport Security: Can a weapon get past TSA”, was another one of those fun facts that you wish you can forget. His focus was airport security and the equipment that is used to scan all passengers before boarding a plane.
Billy Rios started by talking about the OS (Operating System) that is at the foundation of the scanning technology. They had recently upgraded the operating system of the scanner from Windows 3.x to Windows XP. No wonder the government wanted to pay Microsoft to continue to support Windows XP. As in an earlier blog I had mentioned that to be able to support Windows XP in your environment your going to have to invest in your security strategy to mitigate the risk that a non-supported operating systems introduces into your environment.
He mentioned that the vendors who supply our scanning equipment use circuit boards that originate from China. You would think the U.S. government would not use foreign manufactured parts for such a sensitive operation. There have been instances where circuit boards that are manufactured in China have come installed with malicious code and Wi-Fi scanning capabilities (http://www.geek.com/apps/chinese-appliances-are-shipping-with-malware-distributing-wifi-chips-1575315/ )
His next point was on the fact that the passwords used are statically in the code of the system and comprised of numerals only. This leave the password open for attack and compromise based on sniffing traffic and brute force attacks. He also pointed out that the Ethernet cable, which supplies connection for network, was exposed and could easily be tapped. He had some photos but I will make sure to take a few of my own as I pass through TSA on my next trip.
In conclusion, when talking around the globe I hear far too often that people are relying on the government to protect their business from a cyber attack. The talk at Blackhat really brought home that point that the government has its own cyber problems to deal with, let alone trying to protect a small to medium size business. I’m not saying to stop paying your taxes, but you do need to invest in a security in depth strategy that will protect your environment.