Backscatter x-ray is a full-body scanning technology, typically used for passenger screening at airports and to detect plastic bombs and other hidden weapons. The Transportation Security Administration (TSA) has taken backscatter x-ray machines out of U.S. airports because of changing requirements, although they are still used internationally and at other venues, such as courthouses and prisons. Controversy, including concerns about safety and privacy, has plagued the devices since they were introduced in 2009.
But how well do they work? More to the point, could a group of intrepid terrorists figure out a way to outsmart them? Several U.S. scientists from three universities decided to find out, and their results include a list of multiple ways to get around the detection provided by backscatter x-ray machines. Here are some ways a terrorist could do it:
- He could strap a metal weapon at his side under his clothing, or sew it into his pants leg. The metal of a gun or knife would scan as a dark area that blends in with the background, leaving the lighter body scan clear (as long as the weapon doesn’t overlap with the body image).
- She could mask a gun or knife using a significant thickness of PTFE plastic (Teflon), carefully tapered to avoid hard edges and shadows. Affixing a masked knife, for example, to align with the vertebrae or other bone could also help avoid detection against the darker areas that bones generate on a body scan.
- He could press plastic explosives into a tapered “pancake” and strap it to his belly. The required detonator could be positioned to approximate the location on the scanned image of a belly button.
- After hours, she could hack into the scanner’s computer system and load software programmed to replace one scanned image (that might show a weapon) with another, clear image so the operator would never see the weapon. The terrorist could also create a simple quick response (QR) code using lead tape that scans darker than the human body and is applied to an undergarment. The code would trigger the hacked software to substitute another image.
Scary stuff. The researchers’ report makes a distinction between the effectiveness of the system in everyday use or against a “naïve attacker” versus how well it holds up to an “adaptive attacker.” Also, the effectiveness of some adaptive techniques could be eliminated by simple operational adjustments, such as scanning passengers from the side as well as from the front and/or back.
The researchers admit that employing one of these strategies would require some trial and error, which would almost require that the terrorists own an X-ray backscatter machine to do their testing (as the researchers did). Availability of the machine might not be that big an obstacle, however, given that the researchers obtained a previously unused machine on eBay from a seller who acquired it at a surplus auction from a U.S. government facility in Europe. “Keeping the machine out of the hands of would-be attackers may well be an effective strategy for preventing reliable exploitation,” say the researchers.
Another vulnerability of the system is the possibility of a so-called “side-channel attack” to obtain images from the system that include private and sensitive information, including anatomical size and shape of body parts, location and quantity of fat, existence of medical devices such as implants or prosthetics, etc. A scenario here might include using a secondary external x-ray backscatter sensor to access an image (of a celebrity, perhaps) that spills over from the device to, as the researchers note, “create a kind of physical side channel that potentially leaks a naked image of the subject to [a] nearby attacker.” The researchers attempted a “proof of concept” test, obtaining a less-than-detailed image, but suggested that a determined attacker might achieve better results.
The researchers are from the University of California, San Diego; the University of Michigan; and Johns Hopkins University. Their results were presented in a paper at the USENIX conference in San Diego in August 2014. The paper is included in the Proceedings of the 23rd USENIX Security Symposium.
X-ray backscatter is just one body scan technology used at airports and other facilities. Also used are millimeter wave scanners and 3D body scanners, supplied throughout the world by a variety of manufacturers. The researchers offer some advice to manufacturers: “The root cause of many of the issues we describe seems to be failure of the system designers to think adversarially.” They recommend “independent, adversarial testing” of advanced imaging technology systems, especially considering software security.