Systems security gone wrong
First came word that the Transportation Security Administration's master keys for TSA-approved luggage locks had been copied and turned into publicly available 3D printing files -- effectively compromising millions of locks used by travelers worldwide.
The agency briefly allowed the Washington Post to publish a photograph of the keys last November. It was taken down almost immediately when both parties recognized the risk, but the image had already been duplicated elsewhere -- and last week 3D blueprints were uploaded to GitHub, used to create keys and successfully tested.
“Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures," the individual who created the 3D printer plans told Wired via email. “But if someone reported it that my 3D models are working, well, that’s cool, and it shows…how a simple picture of a set of keys can compromise a whole system.”
In Boston, meanwhile, it was revealed the city Transportation Department's license plate reader database was being stored online in plain text, with no password protection whatsoever.
According to PrivacySOS site, the database contains "a million or so license plate reader records, the home addresses of every single person with a Boston parking permit and lists of 2,500 people the police or FBI (it remains unclear which) have designated suspected gang members or terrorists, among other data."
The database, which is no longer publicly accessible, was hosted on servers owned by the Xerox subsidiary Affiliated Computer Services. It appeared to be tied to the Canadian firm Gentech, which owns the popular AutoVu license plate reader system and provides various services to Boston government agencies. A Gentech official, told the reporter who discovered the open access that the server in question was "used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system," but that the data itself was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”
The reporter alerted Boston government officials to the open access in late August, and login controls were quickly added.
Connect with the GCN staff on Twitter @GCNtech.