Researchers Expose Security Flaws in Backscatter X-ray Scanners

"" Enlarge
Prof. J. Alex Halderman (L), graduate student Eric Wustrow, and their collaborators slipped knives, guns, and other contraband past backscatter X-ray scanners previously used in airports.

A team of security researchers from the University of California, San Diego, the University of Michigan, and Johns Hopkins University have discovered several security vulnerabilities in full-body backscatter X-ray scanners that were deployed to U.S. airports between 2009 and 2013.

The team, which included Prof. J Alex Halderman and graduate student Eric Wustrow, was able to successfully conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner in laboratory tests. The researchers were also able to modify the scanner operating software so it would present an “all-clear” image to the operator, even when contraband was detected.

Their findings, published in the paper “Security Analysis of a Full-Body Scanner,” were presented at the 23rd USENIX Security Symposium on August 21, 2014.

“Frankly, we were shocked by what we found,” said Prof. Halderman. “A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques.”

"" Enlarge
UCSD professor Hovav Shacham with the Secure 1000

The researchers attribute these shortcomings to the process by which the machines were designed and evaluated before their introduction at airports. “The system’s designers seem to have assumed that attackers would not have access to a Secure 1000 to test and refine their attacks,” said Hovav Shacham, a professor of computer science at UC San Diego. However, the researchers were able to purchase a government-surplus machine found on eBay and subject it to laboratory testing.

Many physical security systems that protect critical infrastructure are evaluated in secret, without input from the public or independent experts, the researchers said. In the case of the Secure 1000, that secrecy did not produce a system that can resist attackers who study and adapt to new security measures. “Secret testing should be replaced or augmented by rigorous, public, independent testing of the sort common in computer security,” said Shacham.

Secure 1000 scanners were removed from airports in 2013 due to privacy concerns, and are now being repurposed for use in jails, courthouses, and other government facilities. The researchers have suggested changes to screening procedures that can reduce, but not eliminate, the scanners’ blind spots.

The researchers shared their findings with the Department of Homeland Security and Rapiscan, the scanner’s manufacturer, in May.

Details of the results are available at radsec.org.

****

Prof. Halderman is a noted computer security expert whose research places an emphasis on problems that broadly impact society and public policy. His interests include software security, network security, data privacy, anonymity, electronic voting, censorship resistance, digital rights management, computer forensics, ethics, and cybercrime, as well as the interaction of technology with law, governmental regulation, and international affairs. He is the director of the Center for Computer Security and Society.