retired version of the operating system that no longer receives security fixes and updates from Microsoft. Need a little more scare? The airport security employees were running an x-ray scanner (called Rapidscan 522B) to scan and check the luggage, and shockingly this hardware was running on Windows 98. In this report, Billy Rios, a security expert working as the director of vulnerability research and threat intelligence at Qualys, talks about this at the BlackHat security conference and explains that some of the hardware that airports are using could easily be hijacked by cybercriminals. Obviously, you’d be hard pressed to blame Microsoft for this. It all comes down to the organizations and entities in question that are still running outdated hardware powered by unsupported operating systems. But this is the reality of the technology world we live in, all the more so when you consider just how much airport security has been amped up in the last decade.
All Comments
There needs to be some type of assistance program to help companies get the most up-to-date equipment, so they can use a modern OS. I would love to see some type of government program that helps people with money to upgrade equipment, hire training staff and consultants, get new computers, and upgrade software. It would probably provide some jobs in a few areas.
Assistance!?! You’re kidding of course. Just let them take a chunk out of those profits they are making.
Wow. Impressive, what’s really surprising is their choice to go with XP. I wonder whether this was a decision based on software compatibility, although you would like to think that businesses would like to get the maximum out of any investment, hence a move to Windows 7 or 8 would greatly extend this. As for hardware such as the X-ray machine, if it’s an embedded system and not connected to the internet, then you really don’t have anything to worry about. I seriously doubt an airport X-ray scanner would need any sort of internet connection.
Most of those scanners, like the medical imaging systems they’re patterned after, consist of several embedded computers on a subnet with combinations typically of RTOS (for motion control), Linux (for image processing), and a Windows front end running graphics and GUI. The OS versions are old, they weren’t designed with distributed firmware updates in mind let alone security patches or AV signature updates, and the Windows machines are rarely secured from malware-infected thumb drives – even those from field service people doing calibrations and maintenance. If they aren’t already connected to the Internet (even through firewalls), there’s a push to make them so as cost-effectively as possible by leveraging the existing (highly-insecure) architectures and code base.
Having the scanners connected to the Internet and remotely monitored not only allows aggregated collection and back-end analysis of image data for security purposes, it would allow Rapidscan to monitor machine performance (and vulnerability) and perform remote calibrations and updates. Companies with deployed systems like this want to know about problems before their customers do, and they also want to enable service contracts with the lowest costs (highest margins) possible – truck rolls are expensive.
Was hoping to see more detailed info from Billy Rios in this article; he is a true expert in the cyber-security field.
Thanks for your insight. It’s definitely an interesting subject given many computers which run on such devices, and on devices responsible for infrastructure, are not protected against many security vulnerabilities. As we move closer towards an internet of things I’m sure security will become a higher priority item on the lists of system developers.
Oh, and I suspect it’s more about hardware compatibility. Microsoft’s driver model changed dramatically with Vista and above.
Maybe they’re just getting pirated XP discs from Asia to save money? 😉
Software compatibility is usually the problem. A lot of professional software won’t run in Windows 7 or later if it ran in XP.