Full-body scanners, also known as "naked scanners", are used in airports and other government facilities to detect metallic and nonmetallic objects hidden beneath people's clothes. In many countries, they play a critical part in airline security, but they have also been criticized for being unsafe, ineffective, and an invasion of privacy. To shed scientific lights on these questions, we conducted the first rigorous, independent security evaluation of such a system. We bought a government-surplus Rapiscan Secure 1000 full-body scanner on eBay and extensively tested it in our lab. We found that it's possible to conceal knives, guns, and explosives from detection by exploiting properties of the device's backscatter X-ray technology. We also investigated computer security threats: malicious software and hardware that can compromise the effectiveness, safety, and privacy of the machine. In this talk, we'll explain how full-body scanners work, describe the results of our experiments, and draw lessons to inform transportation security, embedded systems security, and the public debate over secretive and privacy invasive government technologies.
In response to evolving terrorist threats, including non-metallic explosive devices and weapons, the U.S. TSA has adopted full-body scanners as the primary passenger screening method at nearly 160 airports nationwide at a cost exceeding $1 billion. Although full-body scanners play a critical role in transportation security, they have generated considerable controversy, including claims that the devices are unsafe, violate privacy and civil liberties, and are ineffective. Furthermore, these scanners are complex embedded systems that raise important computer security questions. Despite such concerns, neither the manufacturers nor the government have disclosed enough technical details to allow for rigorous independent evaluation, on the grounds that such information could benefit attackers, or is a trade secret. To help advance the public debate, we purchased a government-surplus Rapiscan Secure 1000 full-body scanner and performed a detailed security evaluation of its hardware and software. We tested the Secure 1000's effectiveness by experimenting with different methods of concealing contraband. While the device performs well against naive attackers, fundamental limitations of its backscatter X-ray technology allow more clever attackers to defeat it. We show that an adaptive adversary can confidently smuggle contraband past the scanner by carefully arranging it on his body, obscuring it with other materials, or properly shaping it. Using these techniques, we are able to hide firearms, knives, plastic explosive simulants, and detonators in our tests. These attacks suggest a failure on the part of the Secure 1000's designers and the TSA to think adversarially. We also evaluated the security of the Secure 1000 as a cyberphysical system. We show how malware infecting the operator's console could selectively render contraband invisible to screeners. We also attempt (with limited success) to use software-based attacks to bypass the scanner's safety interlocks and deliver an elevated X-ray radiation dose. Lastly, we show how an external device carried by an attacker can capture naked images of the subject being scanned. Our results suggest that the Secure 1000 is not able to guarantee effectiveness or privacy against attackers who are knowledgeable about its inner workings, and that such knowledge is easy to obtain for an attacker with modest resources. We believe this study reinforces the message that security systems must be subjected to testing that is rigorous, adversarial, and public before they can be deemed safe for critical applications. Warning: Nudity. We plan to show unmodified scanner images in order to demonstrate the privacy implications of full-body scanning.
Speakers: Eric Wustrow Hovav Shacham