A team of computer scientists, including one from Johns Hopkins, has discovered several security vulnerabilities in the full-body X-ray scanners used at U.S. airports between 2009 and 2013.
The team members conducted the first independent security evaluation of the Rapiscan Secure 1000 full-body scanner, which was widely deployed at U.S. airport security checkpoints. They bought a surplus unit on eBay in 2012.
What the researchers found was not particularly reassuring. In laboratory tests, the team was able to conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner. They were also able to modify the scanner's operating software so it presented an "all-clear" message to the operator even when contraband was detected.
The results of their evaluation are described in a paper scheduled for public presentation Thursday at the USENIX Security conference in San Diego.
"We find that the system provides weak protection against adaptive adversaries: It is possible to conceal knives, guns, and explosives from detection by exploiting properties of the device's backscatter X-ray technology," the scientists write.
Secure 1000 scanners were removed from airports in 2013 due to privacy concerns, but they are now being repurposed for use in jails, courthouses, and other government facilities.
The eight authors of the paper include faculty members, graduate students, and other scholars from the University of California, San Diego; the University of Michigan; and Stephen Checkoway, an assistant research professor in the Department of Computer Science in Johns Hopkins' Whiting School of Engineering.
Also see: Researchers Easily Slipped Weapons Past TSA's X-Ray Body Scanners (Wired)
Checkoway reverse-engineered the software that ran the operator console for the scanning equipment. By figuring out how the software worked, he says, the team could see how a criminal might tamper with the programming or find blind spots that would make it possible for weapons and other unwanted items to go undetected.
"I was not surprised that there were security vulnerabilities in the system because they made a lot of faulty assumptions," Checkoway says. "For example, they believed a scanner operator would be able to detect a block of C-4 plastic explosive material under a person's clothes because it would cast an X-ray shadow. But when we molded the material tight against a person's body, it didn't show up."
Adds J. Alex Halderman, a University of Michigan professor of computer science who was one of the principal investigators in the study: "Frankly, we were shocked by what we found. A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."
The researchers attribute these shortcomings to the process by which the machines were designed and evaluated before their introduction at airports.
"The system's designers seem to have assumed that attackers would not have access to a Secure 1000 to test and refine their attacks," says Hovav Shacham, a UC San Diego professor of computer science who was the other principal investigator.
But the researchers were able to purchase a government-surplus machine online and subject it to laboratory testing.
Many physical security systems that protect critical infrastructure are evaluated in secret, without input from the public or independent experts, the researchers say. In the case of the Secure 1000, that secrecy did not produce a system that can resist attackers who study and adapt to new security measures.
"Secret testing should be replaced or augmented by rigorous, public, independent testing of the sort common in computer security," Shacham says.
The researchers shared their findings with the Department of Homeland Security and Rapiscan, the scanner's manufacturer, in May and have suggested changes to screening procedures that can reduce, but not eliminate, the scanners' blind spots.
However, Shacham notes, "any screening process that uses these machines has to take into account their limitations."