If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
In response to evolving terrorist threats, including non-metallic explosive devices and weapons, the U.S. TSA has adopted full-body scanners as the primary passenger screening method at nearly 160 airports nationwide at a cost exceeding $1 billion. Although full-body scanners play a critical role in transportation security, they have generated considerable controversy, including claims that the devices are unsafe, violate privacy and civil liberties, and are
ineffective. Furthermore, these scanners are complex embedded systems that raise important computer security questions.
Despite such concerns, neither the manufacturers nor the government have disclosed enough technical details to allow for rigorous independent evaluation, on the grounds that such information could benefit attackers, or is a trade secret. To help advance the public debate, we purchased a government-surplus Rapiscan Secure 1000 full-body scanner and performed a detailed security evaluation of its hardware and software.
We tested the Secure 1000's effectiveness by experimenting with different methods of concealing contraband. While the device performs well against naive attackers, fundamental limitations of its backscatter X-ray technology allow more clever attackers to defeat it. We show that an adaptive adversary can confidently smuggle contraband past the scanner by carefully arranging it on his body, obscuring it with other materials, or properly shaping it. Using these techniques, we are able to hide firearms, knives, plastic explosive simulants, and detonators in our tests. These attacks suggest a failure on the part of the Secure 1000's designers and the TSA to think adversarially.
We also evaluated the security of the Secure 1000 as a cyberphysical system. We show how malware infecting the operator's console could selectively render contraband invisible to screeners. We also attempt (with limited success) to use software-based attacks to bypass the scanner's safety interlocks and deliver an elevated X-ray radiation dose. Lastly, we show how an external device carried by an attacker can capture naked images of the subject being scanned.
Our results suggest that the Secure 1000 is not able to guarantee effectiveness or privacy against attackers who are knowledgeable about its inner workings, and that such knowledge is easy to obtain for an attacker with modest resources. We believe this study reinforces the message that security systems must be subjected to testing that is rigorous, adversarial, and public before they can be deemed safe for critical applications.
Warning: Nudity. We plan to show unmodified scanner images in order to demonstrate the privacy implications of full-body scanning.