Last month a team of researchers from U.C. San Diego, the University of Michigan, and Johns Hopkins University revealed a slew of security shortcomings in a line of TSA’s backscatter X-ray scanners manufactured by Rapiscan and used in U.S. airports between 2009 and 2013.
Now, these scanners are no longer being used in airports, but that doesn’t mean their vulnerabilities don’t still exist. These Advanced Imaging Technology (AIT) units are being used, and have been repurposed for prisons, courthouses, and other government-run buildings.
Rapiscan Secure 1000 scanners have been placed in prisons in a number of states, most recently Iowa, Louisiana, and Virginia back in May. In fact, the County Sheriff’s Department in Lapeer County, Mich. formally requested the use of a Rapiscan scanner last October under the State of Michigan’s Federal Surplus Property Program.
“This unique safety/security measure would have a positive impact on our Jail and Court Security Operations, as well as, enhance our Community’s Safety,” read the County documents requesting the purchase of the AIT scanners.
In Wilkesboro, N.C., the scanners are also being used in jails with Wilkes Sheriff, Chris Shew explaining that they would be used to find drugs, razors, and phones.
“We don’t really have good visibility into where these things are going,” says Hovav Shacham, associate professor at the Department of Computer Science and Engineering, UC San Diego and one of the researchers behind the latest study. “We know that TSA is looking to make them available to other agencies but we know that based on sources that we found online.”
Shacham and his colleagues conducted a series of attacks and simulations on a Rapiscan Secure 1000, which they acquired second-hand through eBay. The attacks, such as concealing firearms and blades, showed that “adaptive” adversaries with access to how the technology works could spoof the scans.
“Frankly, we were shocked by what we found,” said J. Alex Halderman, one of the authors of the study when it was released. “A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques.”
“We notified both the manufacturer and the Department of Homeland Security in May and then we didn’t talk about our findings in public for three months in the hope of giving them time to assess our findings and assess our proposed mitigations,” Hovav tells us. “We have not had a lot of interaction with either the DHS or the manufacturer.”
Rapiscan did not respond to email requests for comment.
TSA’s statement on the matter said that any and all equipment is put through “a rigorous testing and evaluation process.”
“A majority of the equipment we utilize is not available for sale commercially or to any other entity; the agency regularly uses its own libraries, software, and settings,” it reads.
“What was interesting about that statement was that it doesn’t really contradict anything in our report and it also talks about how TSA machines have special software,” says Hovav. Basically it’s not clear if this special software can actually defeat the attacks raised in the study.
“They also say that they remove that special software before they decommission the machines, which presumably means that it’s not installed on the ones that are in courthouses and prisons.”
Airport security, and the issue of privacy that stems from it, is a topic of great discussion and debate. It’s exactly why this team decided to research the scanners, which were actually decommissioned over privacy concerns relating to the images of people that are created rather than security vulnerabilities.
But even the change in location (from airports to courthouses and jails) doesn’t alleviate the safety concerns.
“We have a lot less visibility into not just where else these devices might end up but what procedures are being used,” explains Hovav.
One of the recommendations for use of the scanners in airports is the addition of a metal detector, which would make the security check process a little longer but ultimately more thorough.
“I don’t know, where for example in prisons, they might do something differently,” says Hovav. “All the same, even though we don’t really know what kind of procedures are involved, some of the things that we were able to get through our scanner and laboratory testing seemed like the kind of things that would also raise security concerns at courthouses and jails and prisons, like firearms for example.”
Hovav adds that the scanners don’t “reduce security” but rather they require another layer of security to tackle these shortcomings. For example, the study makes a case for adding side scans to the unit, which currently only carries out front and back scans. It’s also not the first study to make such a recommendation: Another report back in 1992 said the same thing.
Currently, airports are using millimeter wave scanners, but the researchers have not tested this particular kind of scanner. Meanwhile TSA is working with American Science & Engineering (AS&E) to explore other scanning technologies.
But without access to these scanners for an independent study, it remains unclear if similar vulnerabilities can be exploited by adaptive adversaries.
This means studying the scanners’ software is out, too. And if compromised by someone physically in its presence, can cause a whole wave of issues such as killing the connection between what’s actually seen by the sensors and what’s presented to the operator on screen. The latest study even included attacks such as installing malware on the user console.
The researchers want more open and independent studies on security scanners in airports. And given the fact that these scanners are making their way into new locations, it’s even more important we know their risks.
“I’d say we’re very interested in knowing more about other kinds of scanners. I’d love to have one of those millimeter wave scanners as well to test,” says Hovav, adding that their study was very time consuming and intensive, and was done out of the researchers’ own pockets.
“We were working on this for close to two years. I think having academics do your security research for you on their own money and on their own time is not really a scalable solution. I think there are other ways of organizing security evaluation that is independent, thorough, and transparent but wouldn’t rely on this kind of volunteer labor.”