Punch Out: Security Holes In Time Clock Bite TSA, Others

A common time clock used by companies and government agencies, including the Transportation Security Administration (TSA), contains pre-programmed “back door” user accounts that could allow malicious attackers to gain access to sensitive networks, according to research by a security researcher at Qualys Inc.

Billy Rios of Qualys said that hard-coded passwords in Kronos 4500 time clocks could pose security issues for sensitive networks.

Speaking before an audience at the Black Hat Briefings in Las Vegas on Wednesday, Billy Rios, the Director of Threat Intelligence at Qualys Inc., revealed research on the Kronos 4500, a “time and attendance” product (aka time clock) that employees use to ‘punch in’ and ‘punch out’ from work. Rios said that an in-depth analysis of the Kronos equipment and the software that it runs revealed two types of backdoor accounts (user names and passwords) that will provide access to any deployed 4500 device.

The accounts are particularly worrying because some vulnerable devices can be discovered using Internet searches, and because TSA is known to use Kronos attendance clocks at major airports. Rios discovered one vulnerable TSA-operated Kronos device at San Francisco International Airport and another on the network of an unnamed east coast airport.

Rios said he worked with the Department of Homeland Security (DHS) to identify the exposed devices and make sure they could not be accessed from the Internet.

The research is just the latest to underscore the role that non-traditional computing devices, such as embedded systems, can play in sophisticated attacks. Rios said that legal (and ethical) restraints prevented him from further probing the Kronos devices in use at the U.S. airports. As a result, he cannot prove that individuals who could connect to them and use the default passwords could gain access to the devices or the network they were attached to. However, he said it is reasonable to assume they could.

“Often these devices are Internet facing and, on the other end, they’re connected to another network. One would be the airport control network or a TSA network,” he said. “It’s just a scenario that I’m proposing.”

The Kronos devices run an embedded operating system and the passwords were included to allow technicians who work for the manufacturer to remotely service the devices. Because they are administrative accounts, they give the user total control over the Kronos clocks. “These are essentially root on the devices,” Rios said.

The data on the device would depend on how it was configured. It’s possible that records of employees who have used the clock would reside on it. Typically, such devices also connect to back end database servers to look up employee IDs and access control policies. That connection could be abused by a malicious actor, Rios said.

An Internet scan for other vulnerable Kronos devices turned up scores of such devices that can be accessed from the public Internet. The list of vulnerable devices includes those operated by colleges and universities, as well as residential housing complexes.