While making my way through the terminal at IAD yesterday in the early morning hours, I walked past the Delta check-in area and noticed one of the self service check-in terminals was not logged in. What attracted my interest was the login screen was clearly Windows XP. The imagination easily runs a bit wild on this one, particular since we must be so vigilant about security at the airport.
To begin with, these kiosks are all free standing in the terminal and may even be wireless. Regardless, running an operating system which is no longer supported, and may manifest numerous security vulnerabilities makes no sense at something we might consider part of critical transportation infrastructure.
Most criminals are after credentials and how easy would it be to gain credentials at a compromised kiosk? Of the many ways to check in, these kiosks allow name entry with itinerary, confirmation code, scanning a credit card (some due, have not confirmed this with Delta), or scanning a document such as a passport. Could a terrorist potentially use a compromised kiosk to obtain a fraudulent boarding pass, get past the TSA and actually board a plane?
Thinking of compromises less dire than a terrorist getting on a plane, could these kiosks become compromised to the point of harvesting thousands of identities as unsuspecting travelers check in for their flights? How long would it take Delta to discover such a compromise and how many identities would have been harvested by the time discovery was made?
The risks of continuing to run Windows XP in a public facing, and potentially compromised application are simply too high. Delta, along with other companies should take timely steps to remove such vulnerabilities and in Delta’s case, protect the flying public.