(Part 2 of a 2 part series)

In part one of this series, we examined the latest generation of airport full-body scanners and explored the privacy concerns raised by many regarding potential abuses of this technology, including the unauthorized preservation and sharing of nude images of passengers passing through the devices. In this second article, we look more closely at significantly more nefarious abuses of airport X-ray scanner machines, including their potential abuse by terrorists.

As previously shown, airport X-ray scanners are indeed subject to hacking and technical exploitation, as they are often built with widely available off-the-shelf technologies, such as Windows XP and WiFi routers. Each of these technologies has myriad security vulnerabilities and thus could be targeted with computer malware.

The introduction of malware into airport X-ray machines (or any other security-related screening machine for that matter, such as those at the White House, the Houses of Parliament or the Kremlin) is a troublesome possibility to consider. If, for example, such a device were infected with malware and had a rootkit placed on it, those with root access could completely control the images the legitimate owner thought they were seeing. An X-ray machine with a rootkit on it would thus allow the hacker controlling the device to project any image on the screen of the security official screening luggage at an airport security checkpoint.

In this scenario, hackers or terrorists could obtain weeks of video feeds from a standard machine and merely replay or “loop” video or a screen image of what they wanted the airport security official to see, rather than what was actually inside the machine. In a current typical airport security configuration, one official watches the bags as they go into the machine, where they are X-rayed by a second official, while a third individual supervises the removal of the bags as they come out of the device. With segmented responsibilities such as these, the first and third screeners could view a Tumi small wheeled suitcase go in and out of the device, while the second screener was presented with a video image of a completely different laptop bag. Since the person in the number two position rarely physically observes the object, he or she relies completely on the computer representation of the object to determine whether or not the bag passes security screening.

Moreover, and for greater efficiency, terrorists could obtain video of a Tumi bag that passed through the X-ray machine in the prior week and then, having identified the bag, merely go out and purchase their own version of the same carry-on. They could, however, load their own suitcase with weapons. As the bag passed through the machine, an image of the prior week’s Tumi could instead be presented to the video screen monitoring station, allowing the weapons to pass through without detection.

Some clearly might think such a scenario is far-fetched. After all, why would terrorists go through so much trouble when 19 individuals armed with nothing more than box-cutters were able to perpetrate the 9/11 attacks? Well, for one, not too many sharp metal objects are making it on board aircraft today. Instead, in recent years, terrorists have been reduced to employing improvised explosive devices, none of which (thankfully) has had much effect. Exploding shoes and underwear, while rife with potential, have done little except burn the feet and genitals of those carrying them. Getting a suitcase full of handguns and automatic rifles aboard an aircraft, however, would be a significant coup and a major success for those seeking to cause widespread harm to the general public.

Some might also naively suggest that terrorists are not technologically savvy enough to attack the operating system of an airport X-ray machine. Yet as reported numerous times in the press, terrorists have indeed understood the potential of incorporating technology into their global terrorist methodologies. Al-Qaeda is known to have extensively benefited from the skills of its famed hacker, Irhabi-007, aka Younis Tsouli, who coordinated various bomb plots from his West London residence. Not only did Irhabi-007 build various Al-Qaeda websites and terrorist forums, but he also wrote numerous messages on how to commit cyber attacks. In addition, Irhabi-007 posted a 20-page message entitled “Seminar on Hacking Websites” to the Ekhlas forum. It provided detailed information on the art of hacking, listing dozens of vulnerable Web sites to which one could upload shared media.

Doubters of the technical prowess and sophistication of some terrorists should also recall the surprising news of December 2009 that insurgents in Iraq had technically exploited/hacked into the internal systems of multimillion-dollar UAV drones in order to intercept the video feeds they were providing to US military forces back in the States. As such, insurgents were able to watch the same video feeds of insurgent activity that the US government was watching, potentially providing insurgents with an early warning system of impending offensives by coalition forces.

Of course, altering the video/photographic images presented on X-ray machines is not the only type of possible attack against these devices. A rootkit or other malware would allow for a zero-day exploit in which, across the country (any country), all airport X-ray machines simultaneously shut down and could not be turned back on, likely bringing all aviation traffic to a halt.

In sum, though much press coverage has been dedicated to the potential abuses related to the redistribution of naked pictures of airline passengers taken with the new generation of millimeter wave detection and backscatter X-ray devices, such concerns miss the point of much more significant threats. While a naked picture of a passenger is surely an invasion of privacy, it pales in comparison to the true security threats described above. As such, greater care and scrutiny must be applied when building and deploying X-ray and other security screening technologies. One thing is clear: building these devices with commonly available off-the-shelf controlling software and hardware may be an invitation to disaster.