The scanners used by many airports in the United States are riddled with security flaws, a security researcher told attendees at the Black Hat conference in Las Vegas Wednesday.
They are both used by the Transportation and Security Agency, Rios said. More importantly, TSA accepted the Itemiser 3 was accepted into its testing lab, but it was never qualified for use in the field, Rios said.
Rios found about 6000 Kronos time clock systems on the Internet, but only two belonged to airports. The system in the San Francisco International Airport has been removed, but Rios declined to mention the location of the second unit as it is still available online. The Itemiser, while not directly connected to the Web, could be accessed the the internal network. Some TSA equipment also has the universal-password-fail.
One of the default passwords is hardcoded in the Itemiser’s 3 firmware. The newer models don’t use the same firmware, so it would be highly unlikely for the scanner to have the same flaw. The fact there were backdoor accounts shouldn’t be a surprise, since device manufacturers like to create embedded accounts with hardcoded passwords to make it easier to remotely maintain and support these systems.