Donate to Science & Enterprise

S&E on Mastodon

S&E on LinkedIn

S&E on Flipboard

Please share Science & Enterprise

Security Flaws Revealed in Full-Body X-Ray Scanner

Hovav Shacham with scanner

UC San Diego computer scientist Hovav Shacham before a backscatter X-ray scanner (Erik Jepsen, UC San Diego)

20 August 2014. Computer scientists at three universities evaluated the backscatter X-ray scanners used in U.S. airports up to 2013, finding weapons could be readily concealed, and the device vulnerable to hacking. The team from University of California in San Diego, Johns Hopkins University in Baltimore, and University of Michigan in Ann Arbor will present its findings tomorrow at the Usenix Security Symposium in San Diego.

The eight researchers tested the Rapiscan Secure 1000 scanner, a device to reveal hidden weapons or contraband before boarding an airplane or entering a secure building. The U.S. Transportation Security Administration used Rapiscan backscatter systems for several years as a less-invasive alternative to physical pat-downs by airport screeners, but stopped using the scanners in 2013 after complaints about the detailed anatomical body outlines produced by the systems led to their removal.

TSA now uses millimeter wave scanners that display a less-detailed image. However, the backscatter devices were distributed as surplus, with many devices now in use for security in facilities such as jails and courthouses.

The researchers obtained an unused Rapiscan Secure 1000 scanner on eBay from a seller who bought the system at a U.S. government surplus auction in Europe. The system came with operational and maintenance manuals and schematics that helped the team in its reverse engineering. The authors say the system used in the study was made in 2006, and that newer devices with updated software were used by TSA.

The team first tested the Rapiscan Secure 1000’s ability to detect weapons and contraband. The researchers note that the system seems to work well finding hidden objects on naive subjects, but more sophisticated adversaries with an ability to refine their techniques by purchasing a system as the team had done, or with help from an unscrupulous or disgruntled expert, or through trial and error could find ways of hiding prohibited items.

One method of concealment from the scanner exploits a weakness in the technology that makes it possible to conceal objects with a high effective nuclear charge, such as iron and lead, where the scanner cannot discriminate between an absence of an object and an object that absorbs all of the X-rays, thus returning no backscatter. Using this principle, the researchers were able to conceal a handgun (.380 ACP) and knife by taping the object above the knee or sewing it inside a pant leg near that spot, which were invisible against the dark background of the images.

A related concealment technique is masking the object, where the prohibited items are covered with a material that scatters the X-rays in a manner similar to human flesh. The researchers tested a number of materials and discovered the plastic PTFE, known popularly as Teflon made by DuPont and others, could in a sufficient thickness, mask a knife taped to the spine of a person passing through the scanner. In this case, the knife’s outline is similar to the spine, which merges with the knife in the image returned by the scanner.

A third technique conceals materials that can be shaped to resemble body parts outlined by the Rapiscan Secure 1000. The researchers molded 200 grams (7 ounces) of simulated C-4 plastic explosive to fit tightly over a subject’s abdomen. They also fitted in a detonator in a metal shell — absorbing the X-rays, thus not returning a backscatter — but appearing like a human navel in the scanner’s image.

The researchers were also able to hack the Rapiscan Secure 1000 operator console, even though it is a stand-alone system and not connected to a network for remote access. The hacking in this case was done by physically picking the lock in under 10 seconds on the console’s cabinet, getting access to the cabinet. There the team discovered the system had no electronic access controls, such as passwords or software verification.

Once inside the cabinet, the researchers reverse-engineered the system’s front-end software to write a malware program that works like the original software, but is designed to retrieve images, which are normally hidden from retrieval. The malware is designed as well to look for a triggering code, such as a QR code, to return an innocuous image rather than an image showing a concealed weapon. The team as well discovered ways of capturing images of people in the scanner that reveal more anatomical details than many people find comfortable, bypassing the safeguards requested by TSA to protect travelers’ privacy.

The researchers shared their paper in May 2014 with TSA and the manufacturer Rapiscan Systems. Science & Enterprise asked Rapiscan Systems for its reactions to the study, and will post its comments as an update to this story.

The authors note that the Rapiscan Secure 1000 suffers from a closed testing process that tried to maintain secrecy about the device’s operation rather than opening up the review to an adversarial process that could uncover more and different vulnerabilities. “Secret testing should be replaced or augmented by rigorous, public, independent testing of the sort common in computer security,” says UC San Diego computer scientist and senior author Hovav Shacham in a university statement.

Read more:

*     *     *

Comments are closed.