Airport X-Ray Scanners Can be Hacked to Mask Weapons

Airport X-Ray Scanners Can be Hacked to Mask Weapons: Scanners used at airport security checkpoints can be infiltrated and manipulated to fool Transportation Security Administration (TSA) screeners into seeing false images, according to security experts.

The potential vulnerability in the machines (Rapiscan 522B) could result in terrorists smuggling weapons through checkpoints and boarding planes with them.

Billy Rios and Terry McCorkle, who work for the security firm Qualys, discovered the flaw in the Rapiscan’s software.

They said the trouble lies within the equipment’s Threat Image Projection (TIP) function, which allows supervisors to train and test TSA screeners by superimposing fake images inside luggage being x-rayed.

But a hacker could use this same training function to trick agents into seeing, for example, a pair of socks instead of a handgun hidden inside a suitcase.

“Someone could basically own this machine and modify the images that the operators see,” Rios told Wired.

Rios and his colleague also discovered that hackers can access the machine’s system without needing a TSA supervisor’s password.

Wired’s Kim Zetter wrote that “the supervisor’s password screen could be subverted through a simple SQL injection attack — a common hacker tactic that involves entering a special string of characters to trigger a system into doing something it shouldn’t do. In this case, the string would allow an attacker to bypass the login to gain access to a console screen that controls the TIP feature.”

“Just throw [these] characters into the login,” Rios said, and the system accepts it. “It tells you there’s an error, [but then] just logs you in.”

The hacker would then be free to superimpose an image of a harmless item, masking the visibility of one that could be threatening to the aircraft, such as a gun or an explosive.