Security Researchers Lay Bare TSA Body Scanner Flaws

The U.S. Transportation Security Administration, part of the Department of Homeland Security, has spent more than a billion dollars on full-body scanners designed to strengthen airport security. It turns out that at least one model of scanner in use for four years -- the Rapiscan Secure 1000 full-body scanner -- easily could have been foiled by a savvy bad actor. In addition, it harbored software flaws that made it vulnerable to cyberattacks.
That was the conclusion of nine researchers who presented their findings Thursday at the USENIX security conference in San Diego.
Their conclusions have broad security implications for the deployment of these kinds of devices by the TSA and other government agencies, the researchers said. The team comprises members from the University of California San Diego, the University of Michigan and Johns Hopkins University.
While the TSA phased out the Rapiscan Secure 1000 full-body scanner last year, it's still used in venues such as courthouses and prisons.
"Our results suggest that while the Secure 1000 is effective against naïve attackers, it is not able to guarantee either efficacy or privacy when subject to attack by an attacker who is knowledgeable about its inner workings," the researchers wrote in their report.
"While some of the detailed issues we describe are specific to the scanner model we tested, the root cause seems to be the failure of the system designers and deployers to think adversarially," they added.

Shocking Findings

"Frankly, we were shocked by what we found," said one of the researchers, J. Alex Halderman, a professor of computer science at the University of Michigan. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."
During their tests of a surplus model of the scanner, which they obtained on eBay, the researchers discovered that with practice, an adversary could confidently smuggle contraband past the scanner by carefully arranging it on the body, obscuring it with other materials, or properly shaping it.
Using those techniques, the researchers were able to hide firearms, knives, plastic explosive simulants and detonators without being detected by the scanner.
The researchers also successfully subjected the scanner model to a number of cyberattacks. They infected the scanner's operating console with malware, for example, which made contraband invisible with the use of a "secret knock" by an attacker.
They also found a way to pump up the radiation levels of the scanner on subjects passing through it, and they discovered a method for capturing naked images of people being scanned.

Security by Obscurity

"The system's designers seem to have assumed that attackers would not have access to a Secure 1000 to test and refine their attacks," said another one of the researchers, Hovav Shacham, a professor of computer science at UC San Diego.
That's not unusual for government agencies with a secretive orientation, according to Richard Stiennon, chief research analyst with IT Harvest.
"It's really common reasoning among people who develop standalone systems that a hacker won't have access to a system to discover vulnerabilities," he told TechNewsWorld.
"That is security by obscurity, and it's completely false and should never be relied on. It's a nice theory until someone steals the software," Stiennon pointed out.
"It's not just scanners," said Scott Borg, CEO and chief economist of the United States Cyber Consequences Unit.
"Anything that anyone is using as a security tool is potentially vulnerable," he told TechNewsWorld. "My organization has investigated a number of security tools, including security cameras, and we can usually find a way to foil them."

Milan Tomic


  1. I have been using AVG protection for many years; I recommend this antivirus to all of you.