SlideShare a Scribd company logo
1 of 93
Download to read offline
Pulling the Curtain on Airport Security
Billy Rios
Xssniper@gmail.com
@xssniper
How to get put on the no-fly list…
Why are you doing this?
• Just an average Joe
• Interest in ICS, Embedded and Medical devices
• I travel a lot
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Lessons Learned by a Young Butterbar
• Show respect
• Accept Responsibility
• Trust, but Verify
Show me the Money… (budget.house.gov)
• > 50,000 people at more than 400 airports across the country and an annual
budget of $7.39 billion (2014)
• TSA receives about $2 billion a year in offsetting collections under current law,
through air-carrier and aviation-passenger security fees. The largest of the fees, in
terms of total collections, is the Aviation Passenger Security Fee (sometimes
called the September 11th Security Fee), which brings in about $1.7 billion a year.
• By law, the first $250 million of passenger-security fees is set aside for the
Aviation Security Capital Fund, which provides for airport-facility modifications
and certain security equipment
Show me the Money…
One guy
no budget
and a laptop
Disclosure
All issues in this presentation were reported to DHS
via ICS-CERT >6 months ago
Response?
• Our software “cannot be hacked or fooled”
• “add their own software and protections.”
• <silence>
• Spoke with Morpho last week
Scenarios
(1) TSA doesn’t know about the security issues in
their software
(2) TSA knew about the security issues, developed
their own custom fixes, never told the vendors…
and is hording embedded zero day vulnerabilities
and leaving other organizations exposed?
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
A Quick Lesson on Backdoors
I can't believe it, Jim. That girl's standing over there listening
and you're telling him about our back doors?
[Yelling] Mr. Potato Head! Mr. Potato head! Backdoors
are not secrets!
Yeah, but your giving away our best tricks!
They’re not tricks!
A Word About Backdoors
• Malicious account added by a third party
• Debugging accounts that someone forget to remove
• Accounts used by Technicians for Service and
Maintenance
Technician Accounts == Backdoors
• Often hardcoded into the software
• Applications which depend on the passwords
• Business process which depend on passwords
• External software which depend on passwords
• Training which train technicians to use these passwords
Technician Accounts == Backdoors
• Can be discovered by external third parties (like me!)
• Cannot be changed by the end user (in most cases)
• Once initial work is completed, these passwords usually
scale
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
try {
if (Checkpassword()){
Authenticate();
}
Else{
AuthFail();
}
}
catch{
ShowErrorMessage();
Authenticate();
}
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
“TSA has strict requirements that all vendors must
meet for security effectiveness and efficiency and
does not tolerate any violation of contract
obligations. TSA is responsible for the safety and
security of the nearly two million travelers
screened each day.”
http://www.bloomberg.com/news/2013-12-06/naked-
scanner-maker-osi-systems-falls-on-losing-tsa-
order.html
"Questions remain about how the situation will be
rectified and the potential for unmitigated threats
posed by the failure to remove the machinery," the
committee's Republican and Democratic leaders wrote in a
Dec. 6 letter to the men. "It is our understanding that
these new components -- inappropriately labeled with the
same part number as the originally approved component --
were entirely manufactured and assembled in the People's
Republic of China."
http://www.nextgov.com/defense/2013/12/congress-
grills-tsa-chinese-made-luggage-scanner-
parts/75098/
“The referenced component is the X-ray generator,
a simple electrical item with no moving parts or
software.”
He described the piece as "effectively, an X-ray
light bulb."
http://www.nextgov.com/defense/2013/12/congress-
grills-tsa-chinese-made-luggage-scanner-
parts/75098/
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Interesting Items
• VxWorks on PowerPC
• VxWorks FTP
• VxWorks Telnet
• Web server
• Server: Allegro-Software-RomPager/4.32
• WWW-Authenticate: Basic realm="Browser"
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Backdoors…
• FTP and Telnet - SuperUser:2323098716
• configdevCfg.xml file
• MaintValidation.class file within the m8m.jar
• Web - KronosBrowser:KronosBrowser
• ~6000 on the Internet, two major airports
Here’s a thought…
• Foreign made main board on TSA Net that can track which TSA
personnel are on the floor at any given moment
• Hardcoded FTP password/backdoor
• Hardcoded Telnet password/backdoor which gives up a
VxWorks shell
• Hardcoded Web password/backdoor
Does TSA know Kronos 4500’s have Chinese
made main boards?
Does the TSA know the software has
hardcoded backdoors?
Trust but Verify the Engineering
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Itemiser
• X86 (Pentium Processor)
• Windows CE
• Disk on chip with ~7.5 meg main program
• PS2, Floppy, USB
• IrDA?!?!?!?!
File System
• ITMSCE.exe (Main Application)
• Users.bin (User Accounts)
• Config.bin (Settings for detection)
• Options.bin
• History.bin
• Alarms (folder)
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Users on the user menu Itemiser
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• <various user accounts>
BlackHat 2014 - xsssniper
Users in the Binary
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• Administrator 2
• Super User 2
Users in the Binary vs User Menu
Binary
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
• Administrator 2
• Super User 2
User Menu
• Operator 1
• Maintenance 1
• Administrator 1
• Super User 1
Two Backdoor Accounts
•Administrator 2: 838635
•SuperUser 2: 695372
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
BlackHat 2014 - xsssniper
Blame the vendor?
This is actually, TSA’s Fault
• TSA depends on this equipment to do their job
• TSA operators do not have the expertise to detect exploited
devices
• TSA has not conducted adequate threat models on how these
devices are designed from a cyber security standpoint
• TSA has not audited these devices for even the most basic security
issues
• Vendors develop devices to meet TSA requirements
• TSA certifies devices it deems satisfactory
• We pay for all this…
I hope that someone (maybe the GAO?) trusts
what the TSA is telling us about their
devices, but verifies the engineering is a
reality
If you have embedded devices, I would hope
you would do the same for your devices
BEFORE you fork over the $$!
Questions?

More Related Content

Similar to BlackHat 2014 - xsssniper

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i SecurityPrecisely
 
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...Ruby Meditation
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNitesh Malviya
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing BasicsNSConclave
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessHelpSystems
 

Similar to BlackHat 2014 - xsssniper (20)

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i Security
 
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...
Teach your application eloquence. Logs, metrics, traces - Dmytro Shapovalov (...
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat	ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing Basics
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
cyber forensics
cyber forensicscyber forensics
cyber forensics
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC Access
 

Recently uploaded

User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeKaylee Miller
 
Einstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfEinstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfCloudMetic
 
renewable energy renewable energy renewable energy renewable energy
renewable energy renewable energy renewable energy  renewable energyrenewable energy renewable energy renewable energy  renewable energy
renewable energy renewable energy renewable energy renewable energyjeyasrig
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements SolutionsIQBG inc
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptxAGATSoftware
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houstonjennysmithusa549
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.Ritesh Kanjee
 
8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdfOffsiteNOC
 
Boost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made EasyBoost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made Easymichealwillson701
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tipsmichealwillson701
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJpolinaucc
 
VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckNaval Singh
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...jackiepotts6
 
Unlocking AI: Navigating Open Source vs. Commercial Frontiers
Unlocking AI:Navigating Open Source vs. Commercial FrontiersUnlocking AI:Navigating Open Source vs. Commercial Frontiers
Unlocking AI: Navigating Open Source vs. Commercial FrontiersRaphaël Semeteys
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurPriyadarshini T
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...Maxim Salnikov
 
Revolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridRevolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridMathew Thomas
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsconfluent
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevpmgdscunsri
 

Recently uploaded (20)

User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller Resume
 
Einstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfEinstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdf
 
renewable energy renewable energy renewable energy renewable energy
renewable energy renewable energy renewable energy  renewable energyrenewable energy renewable energy renewable energy  renewable energy
renewable energy renewable energy renewable energy renewable energy
 
20140812 - OBD2 Solution
20140812 - OBD2 Solution20140812 - OBD2 Solution
20140812 - OBD2 Solution
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements Solutions
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houston
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.
 
8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf8 key point on optimizing web hosting services in your business.pdf
8 key point on optimizing web hosting services in your business.pdf
 
Boost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made EasyBoost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made Easy
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tips
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJ
 
VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deck
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
 
Unlocking AI: Navigating Open Source vs. Commercial Frontiers
Unlocking AI:Navigating Open Source vs. Commercial FrontiersUnlocking AI:Navigating Open Source vs. Commercial Frontiers
Unlocking AI: Navigating Open Source vs. Commercial Frontiers
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
 
Revolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridRevolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM Grid
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
 

BlackHat 2014 - xsssniper

  • 1. Pulling the Curtain on Airport Security Billy Rios Xssniper@gmail.com @xssniper
  • 2. How to get put on the no-fly list…
  • 3. Why are you doing this? • Just an average Joe • Interest in ICS, Embedded and Medical devices • I travel a lot
  • 6. Lessons Learned by a Young Butterbar • Show respect • Accept Responsibility • Trust, but Verify
  • 7. Show me the Money… (budget.house.gov) • > 50,000 people at more than 400 airports across the country and an annual budget of $7.39 billion (2014) • TSA receives about $2 billion a year in offsetting collections under current law, through air-carrier and aviation-passenger security fees. The largest of the fees, in terms of total collections, is the Aviation Passenger Security Fee (sometimes called the September 11th Security Fee), which brings in about $1.7 billion a year. • By law, the first $250 million of passenger-security fees is set aside for the Aviation Security Capital Fund, which provides for airport-facility modifications and certain security equipment
  • 8. Show me the Money… One guy no budget and a laptop
  • 9. Disclosure All issues in this presentation were reported to DHS via ICS-CERT >6 months ago
  • 10. Response? • Our software “cannot be hacked or fooled” • “add their own software and protections.” • <silence> • Spoke with Morpho last week
  • 11. Scenarios (1) TSA doesn’t know about the security issues in their software (2) TSA knew about the security issues, developed their own custom fixes, never told the vendors… and is hording embedded zero day vulnerabilities and leaving other organizations exposed?
  • 24. A Quick Lesson on Backdoors
  • 25. I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors? [Yelling] Mr. Potato Head! Mr. Potato head! Backdoors are not secrets! Yeah, but your giving away our best tricks! They’re not tricks!
  • 26. A Word About Backdoors • Malicious account added by a third party • Debugging accounts that someone forget to remove • Accounts used by Technicians for Service and Maintenance
  • 27. Technician Accounts == Backdoors • Often hardcoded into the software • Applications which depend on the passwords • Business process which depend on passwords • External software which depend on passwords • Training which train technicians to use these passwords
  • 28. Technician Accounts == Backdoors • Can be discovered by external third parties (like me!) • Cannot be changed by the end user (in most cases) • Once initial work is completed, these passwords usually scale
  • 45. “TSA has strict requirements that all vendors must meet for security effectiveness and efficiency and does not tolerate any violation of contract obligations. TSA is responsible for the safety and security of the nearly two million travelers screened each day.” http://www.bloomberg.com/news/2013-12-06/naked- scanner-maker-osi-systems-falls-on-losing-tsa- order.html
  • 46. "Questions remain about how the situation will be rectified and the potential for unmitigated threats posed by the failure to remove the machinery," the committee's Republican and Democratic leaders wrote in a Dec. 6 letter to the men. "It is our understanding that these new components -- inappropriately labeled with the same part number as the originally approved component -- were entirely manufactured and assembled in the People's Republic of China." http://www.nextgov.com/defense/2013/12/congress- grills-tsa-chinese-made-luggage-scanner- parts/75098/
  • 47. “The referenced component is the X-ray generator, a simple electrical item with no moving parts or software.” He described the piece as "effectively, an X-ray light bulb." http://www.nextgov.com/defense/2013/12/congress- grills-tsa-chinese-made-luggage-scanner- parts/75098/
  • 54. Interesting Items • VxWorks on PowerPC • VxWorks FTP • VxWorks Telnet • Web server • Server: Allegro-Software-RomPager/4.32 • WWW-Authenticate: Basic realm="Browser"
  • 61. Backdoors… • FTP and Telnet - SuperUser:2323098716 • configdevCfg.xml file • MaintValidation.class file within the m8m.jar • Web - KronosBrowser:KronosBrowser • ~6000 on the Internet, two major airports
  • 62. Here’s a thought… • Foreign made main board on TSA Net that can track which TSA personnel are on the floor at any given moment • Hardcoded FTP password/backdoor • Hardcoded Telnet password/backdoor which gives up a VxWorks shell • Hardcoded Web password/backdoor
  • 63. Does TSA know Kronos 4500’s have Chinese made main boards? Does the TSA know the software has hardcoded backdoors?
  • 64. Trust but Verify the Engineering
  • 72. Itemiser • X86 (Pentium Processor) • Windows CE • Disk on chip with ~7.5 meg main program • PS2, Floppy, USB • IrDA?!?!?!?!
  • 73. File System • ITMSCE.exe (Main Application) • Users.bin (User Accounts) • Config.bin (Settings for detection) • Options.bin • History.bin • Alarms (folder)
  • 81. Users on the user menu Itemiser • Operator 1 • Maintenance 1 • Administrator 1 • Super User 1 • <various user accounts>
  • 83. Users in the Binary • Operator 1 • Maintenance 1 • Administrator 1 • Super User 1 • Administrator 2 • Super User 2
  • 84. Users in the Binary vs User Menu Binary • Operator 1 • Maintenance 1 • Administrator 1 • Super User 1 • Administrator 2 • Super User 2 User Menu • Operator 1 • Maintenance 1 • Administrator 1 • Super User 1
  • 85. Two Backdoor Accounts •Administrator 2: 838635 •SuperUser 2: 695372
  • 90. This is actually, TSA’s Fault • TSA depends on this equipment to do their job • TSA operators do not have the expertise to detect exploited devices • TSA has not conducted adequate threat models on how these devices are designed from a cyber security standpoint • TSA has not audited these devices for even the most basic security issues • Vendors develop devices to meet TSA requirements • TSA certifies devices it deems satisfactory • We pay for all this…
  • 91. I hope that someone (maybe the GAO?) trusts what the TSA is telling us about their devices, but verifies the engineering is a reality
  • 92. If you have embedded devices, I would hope you would do the same for your devices BEFORE you fork over the $$!