ASSESSMENT: X-Ray Machine Exploits and TIP File Manipulation
Exploiting The X-Ray Machines, TIPs, & TSANet:
A few years ago I worked with a startup who’s main goal was to protect the L3/Smith/Rapiscan machines from compromise from physical and network attacks. At the time the claim was made that the systems were not connected to any networks and were in fact islands and that this type of attack was not a real problem. Of course in the process of assessing these machines (one of them in a garage with an explosives expert) it became quite clear that these machines were wholly insecure and likely to be compromised at some point to allow things through the system. The connectivity issues aside, the physical access to the systems could be procured by saboteurs working in TSA and local compromise of the weak OS (Win98 as well as Xp based as the article states in Wired) could be carried out locally with a USB drive. So when looking at the threat-scape and reporting back to TSA and the makers of these machines it was clear that this type of attack could be possible but my issue was whether or not there was a probability of it being used as an attack vector. When talk was started about networking these machines as well as others (i.e. bomb sniffers) to the TSANet the startup changed their direction a bit and began to work the idea of a SOC to monitor the machines and the network to insure no tampering had been carried out. Unfortunately though the TSA and other entities did not really buy off on the idea and in fact the technologies on the systems did not make it easy for any kind of monitoring to be carried out. I went on my way having had a good insight into how TSA/DHS/Detection machines worked and had fun with the explosives expert messing around with the technologies and talking about red team exercises he had carried out in the old days with simulants. Then I saw the article in Wired yesterday and hit up my explosives and machine experts who got a bit unhappy with the article.
Exploit to Terrorism:
The Wired article on the whole of it is correct, it is quite possible to insert those already pre-made images into the system because that is how it is supposed to work. The article though mentions being able to insert socks over a gun for example in an image to cover up the fact that the gun is there. This one point was vehemently refuted by the guys I worked with as too hard to pull off live and that, as I agreed, it would just be easier to pass along a similar imaged bag image itself instead of trying to insert an image into an image to obfuscate things. I think perhaps that the reporter got that idea a bit wrong in translation but perhaps the researchers thought they could pull that off. Either way, this issue brings up a larger issue of the exploit itself being used at all. In hacking and exploits like terrorism often times the attackers opt for the path of least resistance approach. In this case I personally don’t see this type of attack as the first go to for any attacker. It think it would be much more advantageous and easier for the attackers to insiders to allow things to get past the systems or bypass them altogether to effect their goals. This type of attack has been seen before within the airports security mechanism with regard to thefts and smuggling so it is a higher likelihood that if AQAP were to attempt to board a plane with guns or other explosives, they would use insiders to pass that through the system without being seen by any X-ray or bomb detection at all and not attempt to hire hackers to compromise a networked or physically access a machine to pass a gun or guns through the TSA line. This also is why at the time of 9/11 the 19 went for very low tek solutions of box cutters to overtake planes and use them as missiles against buildings, it’s just the path of least resistance.
Failure Rates on X-ray and MM Wave Results:
Meanwhile the TSA has never been seen as a bastion of security by the public from day one. As time has progressed the people of this nation have realized that much of the function of the TSA seems to be to harass the passengers and provide a simulacra of security that really isn’t there. How many times have you dear traveller passed things through security, primarily the color x-ray Smith/L3/Rapiscan machines without even trying? I have gone through TSA on many occasions with forgotten knives and other things that are forbidden and TSA completely missed them on the scans. Once again I would point to the systems being insecure or the processes being lax that would lead to compromise of the overall security and not so much a hack on a Smith machine for a terrorist attacks success. A recent OSINT search in Google turned up an interesting document of an assessment of Hartsfield, Atlanta’s airport by the OIG that shows just how this airport at least was not following processes and procedures that would make an attack much easier for the prepared aggressor. There are other documents out there and you can go dig them up but the point is that if you are not carrying out the policies and procedures, the technologies will not prevent their being bypassed. Additionally, there are issues around the technologies accuracy as well that have been addressed by the makers of the machines and the government so these systems are in no way foolproof and it requires vigilance to make them work well. The net/net here is that the technology can fail, be tampered with, or bypassed altogether without the need for an exotic and technical exploit series to be carried out on them to forward a terrorist attack.
My analysis here is that yet again the research is valid but the hype around the revealing of such research at places like the recent Kaspersky Security Analyst Summit is just a way to garner attention. Much like the issues with the power grid and physical attacks which I profiled last on this blog, we are enamoured with the idea of cyber attacks as a vector for terror but the realities are somewhat more mundane. A physical attack or an insider attack is much more probable in this case as in the power systems attacks as the main modus operandi not an elaborate hack to insecure machines that will require access to begin with. At such time as we have networked all of these machines (remember many are islands presently) then we will have to address these issues much more closely and yet still, this attack vector may be sexy to the hacker set, but not so much to the terrorist set today. The machines are insecure though, the researchers are bang on about that and these issues should be addressed but then you have to look at the government procurement process as well as the corporations that do not want to have to re-architect their systems completely. It was a pain to try and get these makers to add API’s to their code in order to allow for remote monitoring by a SOC so think about telling them then that they have to not only harden their systems but also re-architect them completely to run on more advanced systems than WIN98. I would also point you all to the recent revelation that 94% of the ATM’s in the world still run on Windows Xp… How about an upgrade there?