Cyber security experts warn that hackers could have the ability to shut down an airport’s security network with nothing more than a laptop, according to an I-Team investigation.
The cyber security systems are designed to keep airports secure, but security experts warn that the very technology used to keep us safe could also be the weak link for an attack.
“Walking by these devices and knowing how poorly secure they are, it doesn’t sit well with me,” said Billy Rios, a cyber security researcher who makes his living finding security flaws. “It’s pretty bad — probably no thought has been given to cyber security at all.”
In 2013, Rios tested machines found at airports throughout the world (an X-ray scanner, an explosives detector called an itemiser and a time clock) and uncovered major security flaws.
Rios says the biggest vulnerability he discovered was passwords built into the software used in these security systems.
“So anyone that knew the username and password, which we know, could just log into the device and get access to an airport network,” said Rios. “It just takes one second to abuse some of the vulnerabilities that we’ve seen.”
Once in the system, Rios says a hacker could manipulate an X-ray machine to hide weapons from screeners or steal sensitive data on how to bypass security.
Rios says he alerted U.S. authorities after making his discovery, which prompted the Department of Homeland Security to issue a warning about password vulnerabilities in some explosives detection machines.
One machine Rios examined is called the itemiser. The company that makes itemisers says the version Rios bought was only used at foreign airports and that it recently released an update to correct the flaw.
Rios maintains the broader concern continues at domestic airports, where he says he found three time clocks with vulnerable passwords.
Cyber security strategist Jon Miller suspects these vulnerabilities may have already been exploited.
“Now that we have extremists that are gaining these capabilities, they’re going to start using information for other types of attacks we haven’t seen before. It’s going to be a sobering couple of years,” said Miller.
Miller’s firm, Cylance, recently released allegations that a hacker group based out of Iran successfully hacked secure information throughout the world, including from airports.
“We were following them for 18 to 24 months, but it wasn’t until we started seeing them pull things like emergency response times and information that could put the physical safety of people at harm we knew we had to stop it,” says Miller.
“Anyone who has a copy of the plan on how an airport or any facility responds to an emergency now has a blueprint on how to beat that system,” said Kenneth Honig, a former commanding officer for the police department of the Port Authority of New York and New Jersey.
“Now that it’s been brought out into the open, hopefully they will take steps to fix it, but it will take time,” said Honig, who has 20 years of leadership on the force.
Officials at the Transportation Security Administration and the Department of Homeland Security declined to comment on the concerns raised by Rios and Cylance.
Rios hopes that by speaking out, TSA will impose more stringent requirements for manufacturers.
“The bar is too low,” Rios said. “There will always be security issues, we can’t solve every single security issue, but we shouldn’t have the bar be so low that anybody can hack into these devices. The bar has to be a lot higher.”
The company that makes the time clocks says the vulnerability in its devices has been addressed and airports can now change the passwords Rios discovered.
Meanwhile, Cylance security experts believe that while there have been several cyberattacks on the airline industry, there is no evidence that U.S. airports have been compromised.