SAN FRANCISCO -- Aviation officials have quietly notified airports in the United States and Britain that a design flaw in a widely used security system could enable terrorists to gain control of the electronic badges that allow employees with security clearance to enter and leave restricted areas.
The computer security experts who discovered the flaw say that the same system, which is made by a small company in Southern California, is frequently used in state prisons, county jails, financial institutions, technology companies, drug companies, county and federal government buildings -- including the CIA -- and by military contractors.
The flaw could make these sites vulnerable to terrorists or computer intruders, the experts said.
The problem was found in December by MSB Associates, a computer security consulting concern in San Mateo, Calif., in a routine security audit for a California-based financial services software company. MSB security experts spoke with a reporter on the condition that the company they were auditing not be identified.
The failure to detect the problem for several years in so many supposedly secure sites underscores the risks inherent in the increasingly widespread reliance on computers and computer networks for security once performed by mechanical locks and human guards.
Because such systems relinquish control of door-locking mechanisms to the computer that administers and monitors the electronic badges, all the entry points of a supposedly secure building become vulnerable to any skilled outsider who gains access to the computer.
For that reason, the computer is supposed to be completely isolated: not only kept in a guarded room but not connected to other computers through a network and not accessible to the outside world on telephone lines.
But MSB found that in the case of the electronic badge system made by Receptors Inc. of Torrance, Calif., it was possible for an intruder to use a dial-up telephone line or another computer on a network to:
Create permanent or temporary badges that would allow access to secured areas by unauthorized people.
Schedule events, such as unlocking doors at a particular time.
Create badges that would leave no record that a person had entered or left a secured area.
MSB contacted aviation officials in the United States and Britain in mid-December after discovering the flaw. The consultants said they became concerned about vulnerability to terrorists when they found the names of customers that use the system, including airports, listed in the software company's own source code.
Rebecca Trexler, a spokeswoman for the Federal Aviation Administration, said that the agency never publicly commented on airport security "because it's not in the public interest to discuss security vulnerabilities in the aviation system."
But she added, "As for this specific problem, we've notified our field personnel, and they are examining the situation with airports that use this system." The agency is planning to meet soon with industry to explain new security guidelines, she said.
Receptors' chief operating officer, Dale Williams, said in January that the company's security equipment was being used in 40 airports around the world. But he insisted that the problem uncovered by MSB lay not with the Receptors equipment itself but with the way it had been installed.
"This is not a problem," Williams said, because the airport officials who had contacted him had said that they did not permit routine outside access to the computer systems that control the electronic badge systems.
But Williams acknowledged that a number of the electronic badge systems were connected to computers and that he could not be certain that the networks were secure from the outside.
Pub Date: 2/08/98