The TSA had a budget of $7.39 billion in 2014, and it employs more than 50,000 people at 400 airports throughout the country. They screen 2 million people a day. About $250 million a year is spent on security equipment. The first response Rios received from the TSA was “our software cannot be hacked or fooled.”
Rios said he does not know if the TSA has patched the security issues already.
Backdoors are secret ways to access software in a device. They are often malicious accounts added by a third party. Rios hasn’t seen those in his research of TSA equipment. But he has seen debugging accounts that some people forget to remove, and he has often seen technician accounts that are hard-coded into software.
The problem is that the backdoors can be discovered by external parties, like Rios. They often can’t be changed by the end user, and once the passwords are broken, they often work on every machine.
With Rapiscan, once Rios gained access to the password, he was able to look up the passwords of other users. TSA canceled the security contract with Rapiscan in 2013.
The Kronos device ran Java code and it actually had a password for a super user. Rios figured out that a particular machine was being used at San Francisco International Airport at one point. The device was subsequently taken offline.
Rios said the responsibility for fixing security lies with TSA, as vendors will build their machines to meet its specifications.
Rios said he hopes that someone verifies that TSA’s security is good, and that all makers of embedded devices take note of the vulnerabilities.