(Part 1 of a 2 part series)

Ever since the unsuccessful bombing attempt against Northwest Airlines Flight 253 from Amsterdam to Detroit  on Christmas day 2009, there has been renewed scrutiny of airport security measures.  Given that the suspected bomber Umar Farouk Abdulmutallab was able to easily pass through security with mixture of explosive materials, including PETN and triacetone triperoxide (TAPN), it is not surprising that extensive scrutiny has been focused on the adequacy of current airport X-ray scanners.

In the wake of this incident a phalanx of politicians and security officials from around the world has arisen, including the former Secretary of the US Department of Homeland Security Michael Chertoff, who have called for the widespread adoption of whole-body imaging scanners that use radio waves or X-rays to reveal objects beneath a person’s clothes.  The new generation of airport security scanners are based upon one of two underlying technologies, including millimeter wave detection and backscatter X-rays.  Such devices are controversial as they allow airport screeners to in effect view naked images of passengers passing through machines during what some have termed a “digital stripsearch.”

Now another relevant question has arisen about these new airport X-ray machines, can they be hacked?

Given that these high tech security devices are often controlled by nothing more than a standard desktop or laptop computer, running any number of familiar operating systems, why would they NOT be hackable?  A quick search for manufacturers of airport X-ray machines yields some interesting product information, including this company which advertises its X-ray machine is controlled by a laptop running Microsoft Windows XP and this firm who has included support for a number of network connections into their security scanners, including either wired LAN or an internal WiFi router option. To-date, thousands of reliability and security patches have been issued for Microsoft XP.  Moreover, hundreds of WiFi vulnerabilities exist and many related protocols, such as WEP and WPA have been compromised.

The purpose of this article is not to vilify any particular X-ray equipment manufacturer or even the underlying operating systems upon which they operate.  The more interesting question is, given the number of well-documented vulnerabilities in these systems, what are the resultant criminal possibilities should these machines be successfully compromised?

To date, much of the media and public scrutiny about millimeter wave/backscatter X-ray machines has focused on privacy concerns.  That is to say, the debate has centered on whether or not naked images of passengers were being stored on the controlling laptop computer system and thus could be available in perpetuity in some government system.  In other cases, lawmakers and child protection advocates have opposed the installation of the machines on the grounds that the unclothed images of children might violate child pornography laws.  To respond to these complaints, airport and security officials, including the British Airport Authority and the US Department of Homeland Security have noted that there is no reason for concern as images were purportedly deleted immediately after the passenger completed the screening process.

Much of the chatter on the internet, including the article below from the Sydney Morning Herald noted the possibility of a a hacker compromising one of the new X-ray machines, inserting a Trojan or other malware, which in turn could save naked images on the airport machines for future reference.  Others have speculated about the ability to capture the machine’s electronic emanations, including gamma rays, and then re-assembling them on another computer for viewing.  That seems like an awful lot of work, especially given the vast amounts of pornography freely available with much less trouble.

That said, it abuses are bound to occur and some already have already been reported.  For example, noted Bollywood actor and “sex symbol” Shah Rukh Khan alleged that naked images of him were taken while passing through a scanner at Heathrow airport and printed out by female airport employees, something vigorously denied by British Airport Authorities. In what appears to be a confirmed case of abuse (again in London), a male airport security official was cautioned by police for snapping a naked picture of a female co-worker as she inadvertently passed through the full body scan imaging machine.

That airport security staff would act inappropriately or use a $300,000 X-ray machine as a toy for their own amusement will likely not shock any traveler who passes through airport security on a frequent basis.  While the privacy concerns are notable, they may not, however ultimately be the greatest problem that these machines pose to society.  Far worse, is their vulnerability to technical exploitation by terrorists intent on attacking the global aviation infrastructure by destroying civilian aircraft.  In part two of this article, we will explore these and other pernicious criminal scenarios related to the latest generation of airport X-ray devices.

X-ray security: can airport system be hacked?

by Arjun Ramachandran
The Sydney Morning Herald

January 7, 2010

Scanning ... how private can it be?

Having a strange airport employee looking at your “naked” image on a full-body x-ray scanner might be disturbing enough. But what if hackers got access to your “virtual strip search” and distributed it to an even wider audience?

Authorities have gone to significant lengths to appease privacy advocates about x-ray scanners, but protection from technological intrusions haven’t featured in explanations.

Hackers have successfully cracked open bank accounts, government websites and even the private Yahoo email account of would-be US vice president Sarah Palin … so why not an airport x-ray machine?

“From the attackers perspective, it’s more around how secure the computers are that control the x-ray machine,” said Ty Miller, chief technology officer of Pure Hacking, which tests the security of websites and online systems.

“The way to hack in and get access to images would be by accessing the computers controlling them. There’s someone sitting there at a computer hitting ‘enter’ as people go through [to be scanned], and it’s possible that that computer might have some sort of vulnerability, just as any desktop might.”

Alan Watt, head of forensics at e.law and who has researched cyber-terrorism, said most computer software had a “back door” that could be exploited by hackers.

“If the x-ray software is owned and managed by some company in Seattle, they often have a back door that allows them to perform remote maintenance.”

If a hacker came in via that backdoor, “it would be the same for them as being in front of computer, it doesn’t matter if they’re sitting 100 miles away [from the airport]”, he said.

They would then have access to data stored on the computer.

Authorities say scanned images will not be stored.

“In fact, all machines are delivered to airports with [save] functions disabled,” says the US Transport Security Administration, which has rolled out the machines to 19 airports.

But this might not be enough.

“If the computer is compromised, [the hacker] could install a trojan on the machine, which can capture a video of what the operator is looking at, and record it,” Mr Miller said.

These hacker attacks would rely on the x-ray machine being plugged into the airport’s computer network, and so connected to the outside world.

The Office of Transport Security has been asked whether x-ray scanning – if implemented in Australia – would involve the networking of x-ray equipment. A response is pending.

In recent days, the office has said it is waiting on results from a 2008 trial – in Sydney, Melbourne and Adelaide – before deciding how or when to implement screening locally.

Another, albeit less likely, way that scanned images could get out was the capture of x-rays, Mr Watt said.

“If it’s emitting an electric signal, you can capture those signals but you’ll need some application to interface with it [and unscramble it to re-create the image],” he said.

He cited a device that could re-generate the image on a computer screen based on the gamma rays the monitor emitted as an example of technology that could be developed for this purpose.

“So I’d say someone with the right knowledge and 2-3 hours could do it.”

On 702 ABC radio yesterday, Crikey aviation writer Ben Sandilands also raised concerns that x-ray machines used the same radio frequency as wifi. This meant a hacker could use a wifi-enabled PC to hack into the machines and access scanned images.

Mr Miller believed this was unlikely, as x-rays and wifi were distinctly different protocols.

In any case, while it was more dramatic to think of hackers using wizardry breaking into a network, it was usually human slip-ups that opened the door, Mr Miller’s CEO Robert McAdam said.

“You don’t have to do it as a full frontal attack, rather focus on some weaker link in the chain,” he said.

The quality and integrity of airport staff would thus be crucial to the protection of scanned images. In the US, airport officers evaluating images are banned from taking cameras, phones or photo-enabled devices into viewing room.

“It’s usually the people, like an unhappy ex-employee, or someone just being lax with passwords … that leads to a [hack attack],” Mr Watt said.

“Usually a place like an airport is pretty secure but there’s always a loop-hole.”