Friday, February 24, 2017
Security lapse exposed New York airport's critical servers for a year
Exclusive: The files included gigabytes of emails, sensitive government files, and a password list, which researchers say could give hackers "full access" to the airport's systems.
By Zack Whittaker
NEW YORK -- A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found.
The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents.
The airport, about 60 miles north of Manhattan, serves hundreds of thousands of passengers each year, and is regularly used by the military. The airport is known for accommodating charter flights of high-profile guests, including foreign dignitaries.
But since April last year, the airport had been inadvertently leaking its own highly sensitive files as a result of the drive's misconfiguration.
Chris Vickery, lead security researcher of the MacKeeper Security Center, who helped to analyze the exposed data and posted his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist.
When contacted Thursday, the contractor dismissed the claims and would not comment further.
Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured.
"You cannot expect one person to maintain an airport network infrastructure. Doing so is a recipe for security lapses," said Vickery.
"This is a classic example of what can go wrong with privatization. For-profit companies have every incentive to, all too often, prioritize revenue over best practices," he said.
The exposed data comprised 11 disk images, accounting for hundreds of gigabytes of files and folders which, when mounted, included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database.
Many of the files we reviewed included "confidential" internal airport documents, which contain schematics and details of other core infrastructure.
Others belonging to Homeland Security agencies were marked "sensitive" but not classified, including comprehensive security plans, screening protocols, and arrival procedures for private jet passengers.
One exposed file includes a complaint letter from the Transportation Security Administration from 2010.
One file in particular contained a list of usernames and passwords for various devices and systems, allowing unfettered access to the airport's internal network, according to two security researchers.
Khalil Sehnaoui, founder of Krypton Security, and Brad "Renderman" Haines, a hacker and security researcher, analyzed the password file and a network schematic found among the files to determine the reach of a potential attacker.
"The password file would give us full access to every component of the internal network," said Sehnaoui.
He added that the passwords in part relate to the airport's passenger processing system, provided by AirIT, which allows airport staff to manage passenger records, gates, and boarding.
That could allow a hacker to manipulate boarding passes and other passenger information.
"For the best case scenario part, where no one really gets hurt, you could upgrade yourself to first class or just issue yourself a boarding pass to any destination served by departing planes," he said.
But in the wrong hands, it could also be used to issue valid boarding passes to people on the "no-fly" list, a government watchlist that prevents possible terrorists from boarding flights, he said.
"You could access the database of travelers and know who is going where and when, and get a list of the passenger's data, such as names and passport numbers," said Haines.
That could be used to track passengers in and out of the airport, he added.
Or, worst case scenario, hackers could shut down airport operations, stranding passengers on the ground, the researchers say.
While we are not publishing specifics, the researchers criticized the airport's password policies. Haines said that it could be possible to extrapolate one set of passwords for another airport that uses the same AirIT system.
"You really don't want that kind of information floating around the internet," said Haines.
"I think all airports that are using services from AirIT should review their passwords and policies in light of this leak," said Sehnaoui.
A spokesperson for Port Authority, which owns the airport, said it was investigating the leak.
"Based on information from AVPorts, it does not appear that Port Authority information was compromised at any time by the exposure," said the spokesperson. "There is no indication of a direct breach, or of malware installed on the Port Authority network. We are being provided with a copy of the back-up file, system logs, network diagrams and their firewall configuration, to determine whether there are any ongoing risks or vulnerabilities to the agency's data.
"Until we examine the backup file, we can't be sure of the contents, but we don't believe it contained customer passenger data," the spokesperson added.
Port Authority said it will be meeting with AVPorts, the third-party company that manages Stewart, next week.
Representatives for the company did not return a request for comment prior to writing.