Skip to main content
Advertising

Originally published Thursday, August 7, 2014 at 11:18 AM

  • Share:
           
  • Comments
  • Print

Airport security devices can be hacked, says researcher

Device used to detect trace amounts of drugs, explosives, called vulnerable.


Los Angeles Times

advertising

Airport security has become far more advanced in the last decade, but according to the findings of one security researcher, the technology being used to protect travelers is still dangerously vulnerable to hackers.

On his own time, Billy Rios of Qualys Security said he purchased some of the hardware and software used by the Transportation Security Administration.

At a talk at this year’s Black Hat conference in Las Vegas, he revealed details about several vulnerabilities he was able to find, most notably in the device entrusted to detect trace levels of drugs and explosives.

The machine, the Morpho Itemiser, is set up so that the technician level password is hardcoded in.

It’s a common practice for a range of devices, one aimed at making it easier for technicians to get in and do maintenance, but it’s become taboo among security advocates because it also makes it easier for machines to be hacked.

Rios said the security weakness allows the machine to be reverse-engineered, so a hacker can log in and wreak havoc.

“If you’re a super user you can do whatever you want,” he said.

The device, Rios said, is set up so that it can be designated to detect certain drugs or explosive devices. Rios said one thing a hacker could have done is remove one or two items from the list, so the removed substances could pass through security.

One route into the machine, Rios said, might be through the organization’s Internet-connected payroll system.

The manufacturer of the Itemiser, Morpho, sent a representative to Rios’ session to defend the product. The company said it will be releasing an upgrade by year’s end to patch the identified vulnerability. “Morpho Detection takes the security of its products and its customers very seriously,” the statement read.

But the company said the version TSA uses does not have the vulnerability. Rios said the TSA has used the version he hacked in the past, and he worries the current version might have similar problems.

His findings, he said, show TSA is not properly vetting the products it uses for security.

He described himself as “one guy ... no budget ... and a laptop.”

“What that means is anyone can do this,” he said.



Want unlimited access to seattletimes.com? Subscribe now!

Also in Travel & Outdoors

News where, when and how you want it

Email Icon

The Seattle Times photographs

Seattle space needle and mountains

Purchase The Seattle Times images


Advertising
The Seattle Times

The door is closed, but it's not locked.

Take a minute to subscribe and continue to enjoy The Seattle Times for as little as 99 cents a week.

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited seattletimes.com content access is included with most subscriptions.

Subscriber login ►
The Seattle Times

To keep reading, you need a subscription upgrade.

We hope you have enjoyed your complimentary access. For unlimited seattletimes.com access, please upgrade your digital subscription.

Call customer service at 1.800.542.0820 for assistance with your upgrade or questions about your subscriber status.

The Seattle Times

To keep reading, you need a subscription.

We hope you have enjoyed your complimentary access. Subscribe now for unlimited access!

Subscription options ►

Already a subscriber?

We've got good news for you. Unlimited seattletimes.com content access is included with most subscriptions.

Activate Subscriber Account ►