Security researchers from Qualys have conducted an in-depth analysis of an x-ray machine such as the ones used at airports, embassies, courthouses and other government buildings. They claim to have found a way to trick the devices.Billy Rios and Terry McCorkle have performed their experiments on Rapiscan 522B. It’s worth noting that Rapiscan is one of the three vendors that provides scanners to the US Transportation Security Administration (TSA).
According to Wired, the researchers have found a way to exploit the scanner’s Threat Image Projection (TIP) function to replace dangerous items with images of harmless ones.
The TIP system is integrated into all scanners. It’s mainly used to train x-ray operators since it allows supervisors to plant images of contraband into luggage at airports.
Normally, you can’t access the TIP functionality unless you have the correct login credentials, but Rios and McCorkle have managed to bypass authentication by exploiting an SQL Injection vulnerability.
The device tested by the experts runs Windows 98. Other models operate on Windows XP. In any case, Windows 98 is no longer supported and starting with April 8, Windows XP will have the same fate.
By gaining access to the TIP, an attacker could replace the image of a bag containing illegal items with a picture of one that doesn’t.
According to representatives of Rapiscan and the TSA, there are some factors that mitigate such attacks.
For instance, Rapiscan says the controller tested by Rios and McCorkle is different from the one sold to the TSA. Furthermore, the company denies the existence of the vulnerability exploited by the experts to bypass the supervisor password. The device tested by the researchers had been most likely misconfigured, according to Rapiscan.
The company’s Executive VP, Peter Kant, says that the attack described by the experts doesn’t work because it’s impossible to superimpose anything on the operator’s screen. There’s apparently an algorithm that tells the system how to use each image.
On the other hand, the researchers argue that they could manipulate the algorithm since each image is accompanied by a file that instructs the TIP how to use it. Furthermore, they’ve found a file containing all operator credentials in clear text, so it’s really not that difficult for a malicious actor to gain access to the information.
Representatives of the TSA are also not convinced that there’s any real threat. They also say that the TIP software they’re using is different from the commercial version, and it’s not easy for someone to get their hands on the variant utilized by the agency.
“The agency uses its own libraries and settings. Furthermore, the 522B systems are not currently networked,” TSA spokesman Ross Feinstein explained.
While it may be true that the scanners in airports are not connected to the world wide web, they are linked to a central network dubbed TSANet. TSANet connects LANs at 500 TSA offices and airports, so the x-ray machines are not exactly isolated.