The Rapiscan Secure 1000 uses backscatter X-ray technology that was developed in the 1990s, which computer security researchers have proved to be ineffectual against “adaptive adversaries”.
By exploiting properties of the backscatter X-ray technology, it is possible to conceal weapons from the machine. The Rapiscan Secure 1000 uses ionizing radiation to detect objects hidden beneath clothing, but is unable to differentiate between items of high iron and lead content.
Under Transportation Security Administration (TSA) procedures, passengers were to be screened from the front and back. Researchers found that a .380 pistol could be successfully concealed from front and back scans by taping it to the outside of the leg. Anyone wanting to smuggle a knife need only wrap it in 1.5cm of Teflon tape, which scatters X-rays with almost the same intensity as human flesh, rendering it invisible.
Airport Body Scanners: A handy guide to terrorism
The researchers wrote that the major reason for weaknesses in security scanners is a lack of independent testing. The government prohibits testing for fear that flaws will be leaked and terrorists will adapt their methods in consequence.
For those of you worried that this is exactly what will happen upon the release of this latest paper, you may rest easy in the knowledge that the Rapiscan Secure 1000 was withdrawn from US airports last year. The flaws of the millimeter-wave scanning technology currently being used have yet to be investigated.
Although our airports will surely not be suffering a flood of smuggled weapons, courthouses and prisons still use the Rapiscan Secure 1000. Hopefully authorities will prove to be as “adaptive” as researchers fear terrorists to be, and introduce side scanning, which was found to reveal weapons in some cases.
Airport body scanners’ vulnerability cyber attacks
The paper also tested vulnerability to malware attacks, including one program which could recognize a QR code worn on a terrorist’s shirt and substitute a clean image into the scanner. It might surprise you to hear that the machine’s console is an MS-DOS based PC, with all of the vulnerabilities that entails.
With a growing emphasis on cyber security in contemporary geopolitics, we can only hope that the TSA will consider stepping up its defenses against malware attacks as well as physical ones.
The paper will be presented at the Usenix Security Symposium in San Diego, 21 August.