Beyond stirring controversy over the lifelike nude body images they generated, the Rapiscan Secure 1000 full-body scanners deployed at airports nationwide were prone to missing various kinds of contraband, researchers from UC San Diego, the University of Michigan, and Johns Hopkins University conclude in a study released on August 20.
"Frankly, we were shocked by what we found," said University of Michigan computer-science professor J. Alex Halderman in an announcement accompanying the release. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."
During their study, the researchers were able to conceal firearms and plastic explosives from the machines. They were also able to manipulate the scanners' software to give a false "all clear" indication even when contraband had been detected.
"The system’s designers seem to have assumed that attackers would not have access to a Secure 1000 to test and refine their attacks," said Hovav Shacham, a professor of computer science at UC San Diego, who noted that testing for the system was conducted without public or independent expert input. "Secret testing should be replaced or augmented by rigorous, public, independent testing of the sort common in computer security."
Researchers say they were able to easily obtain a Secure 1000 machine from government surplus stock via an eBay auction and that it should be assumed a sophisticated terror operation would be capable of doing the same.
After the scanners' removal from airports last year amid an uproar over privacy concerns, they've found new lives in jails, courthouses, and government buildings. The research group says it has provided suggestions for making the repurposed machines more secure but that they're still not foolproof.
"Any screening process that uses these machines has to take into account their limitations," said Shacham.