Security Researchers Lay Bare TSA Body Scanner Flaws
Aug 22, 2014 12:06 PM PT
The U.S. Transportation Security Administration, part of the Department of Homeland Security, has spent more than a billion dollars on full-body scanners designed to strengthen airport security. It turns out that at least one model of scanner in use for four years -- the Rapiscan Secure 1000 full-body scanner -- easily could have been foiled by a savvy bad actor. In addition, it harbored software flaws that made it vulnerable to cyberattacks.
That was the conclusion of nine researchers who presented their findings Thursday at the USENIX security conference in San Diego.
Their conclusions have broad security implications for the deployment of these kinds of devices by the TSA and other government agencies, the researchers said. The team is comprised of members from the University of California San Diego, University of Michigan and John Hopkins University.
While the TSA phased out the Rapiscan Secure 1000 full-body scanner last year, it's still used in venues such as courthouses and prisons.
"Our results suggest that while the Secure 1000 is effective against naïve attackers, it is not able to guarantee either efficacy or privacy when subject to attack by an attacker who is knowledgeable about its inner workings," the researchers wrote in their report.
"While some of the detailed issues we describe are specific to the scanner model we tested, the root cause seems to be the failure of the system designers and deployers to think adversarially," they added.
"Frankly, we were shocked by what we found," said one of the researchers, J. Alex Halderman, a professor of computer science at the University of Michigan. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."
During their tests of a surplus model of the scanner, which they obtained on eBay, the researchers discovered that with practice, an adversary could confidently smuggle contraband past the scanner by carefully arranging it on the body, obscuring it with other materials, or properly shaping it.
Using those techniques, the researchers were able to hide firearms, knives, plastic explosive simulants and detonators without being detected by the scanner.
The researchers also successfully subjected the scanner model to a number of cyberattacks. They infected the scanner's operating console with malware, for example, which made contraband invisible with the use of a "secret knock" by an attacker.
They also found a way to pump up the radiation levels of the scanner on subjects passing through it, and they discovered a method for capturing naked images of people being scanned.
Security by Obscurity
"The system's designers seem to have assumed that attackers would not have access to a Secure 1000 to test and refine their attacks," said another one of the researchers, Hovav Shacham, a professor of computer science at UC San Diego.
That's not unusual for government agencies with a secretive orientation, according to Richard Stiennon, chief research analyst with IT Harvest.
"It's really common reasoning among people who develop standalone systems that a hacker won't have access to a system to discover vulnerabilities," he told TechNewsWorld.
"That is security by obscurity, and it's completely false and should never be relied on. It's a nice theory until someone steals the software," Stiennon pointed out.
"It's not just scanners," said Scott Borg, CEO and chief economist of the United States Cyber Consequences Unit.
"Anything that anyone is using as a security tool is potentially vulnerable," he told TechNewsWorld. "My organization has investigated a number of security tools, including security cameras, and we can usually find a way to foil them."
Rigorous Review Process
The TSA used its own proprietary software on the Rapiscan scanners while they were in service. When they were decommissioned, that software was removed from the machines, it said.
"Technology procured by the Transportation Security Administration goes through a rigorous testing and evaluation process, along with certification and accreditation," TSA spokesperson Ross Feinstein told TechNewsWorld.
"This process ensures information technology security risks are identified and mitigation plans put in place, as necessary," he explained. "A majority of the equipment we utilize is not available for sale commercially or to any other entity; the agency regularly uses its own libraries, software and settings."
However, the TSA's evaluation process is questionable, according to Billy Rios, director of threat intelligence for Qualys. Rios conducted a session on scanner security at the Black Hat hacker conference earlier this month.
Rios reviewed three scanners from three makers and discovered "really obvious security issues" -- such as hard-coded backdoor passwords -- in all of them. Moreover, the problems were too deep to be addressed by proprietary libraries and software settings.
"If the TSA has a certification process, it seems to revolve around general acquisition due diligence, not cybersecurity," Rios told TechNewsWorld.
"So when they purchase these devices and certify them," he continued, "they actually don't know if these devices are robust from a cybersecurity standpoint."
Other researchers contributing to the security analysis of the Rapiscan Secure 1000 full-body scanner were Eric Wustrow of the University of Michigan; Keaton Mowery, Tom Wypych, Corey Singleton, Chris Comfort and Eric Rescorla of UC San Diego; and Stephen Checkoway of John Hopkins.
Rapiscan did not respond to our request to comment for this story.