Billy Rios and Terry McCorkle, two security researchers, have bought their own x-ray control machine on the internet and analysed how it works in a bid to discover flaws.
They found that the Threat Image Projection (TIP) feature is potentially exposed to hackers. Designed to train x-ray operators and sharpen their skill at spotting banned items, the feature allows supervisors to superimpose a chosen image of a prohibited item on to the screen of any baggage system in an airport.
The risk is that an unsavoury character could gain access to the supervisor’s workstation and superimpose a fake image over an x-ray scan, concealing the fact that there is a hidden weapon or explosive.
“Someone could basically own this machine and modify the images that the operators see,” says Rios, who along with McCorkle works for the security firm Qualys.
Ordinarily a hacker would need access to the supervisor’s machine and login details before loading up the bogus images. However, using the control software for a Rapiscan 522B, the researchers discovered that in the version they had, the password screen could be bypassed with a simple SQL injection attack.
“Just throw [these] characters into the login,” Rios says, and the system accepts it. “It tells you there’s an error, [but then] just logs you in.”
Once in control of the machine, an attacker would be free to superimpose images of clean bags on to the monitor, covering the true contents of the bag. As a diversion, the attacker could also superimpose images of weapons on to the bags of an innocent traveller.
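The pattern Rios describes (the login reports an error and then grants access anyway) as an added Python example; this is not the Rapiscan or TSA software and not code from the researchers. It uses a constructed in-memory supervisor table, a login routine that concatenates user input into SQL and fails open on database errors, and the hardened form with a parameterised query that fails closed. All table and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample store: one supervisor account (plaintext password
    for brevity; a real system would store a salted hash)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE supervisors (username TEXT, password TEXT)")
    db.execute("INSERT INTO supervisors VALUES ('supervisor', 'correct horse')")
    return db


def login_vulnerable(db, username, password):
    """Hypothetical weak login: user input is spliced into the SQL text, and a
    database error is reported but treated as success (fail open)."""
    query = (f"SELECT COUNT(*) FROM supervisors WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        (count,) = db.execute(query).fetchone()
        return count > 0
    except sqlite3.Error as exc:
        # "It tells you there's an error, but then just logs you in."
        print(f"login error: {exc}")
        return True


def login_hardened(db, username, password):
    """Corrected login: placeholders keep input as data, and any database
    error denies access (fail closed)."""
    try:
        (count,) = db.execute(
            "SELECT COUNT(*) FROM supervisors WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
        return count > 0
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    for pw in ("correct horse", "wrong", "' OR '1'='1", "'"):
        print(repr(pw), login_vulnerable(db, "supervisor", pw),
              login_hardened(db, "supervisor", pw))
```

The last two inputs show the two failure modes separately: a quoted tautology that makes the concatenated query succeed, and a lone quote that raises a syntax error which the fail-open handler turns into a login.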
Impossible Say The TSA
In response to these findings, the TSA has said that it is impossible that the researchers were able to get hold of the software used by the agency.
“The Rapiscan version that is utilized by TSA is not available for sale commercially or to any other entity; the commercial version of the TIP software is not used by TSA,” says TSA spokesman Ross Feinstein. “The agency uses its own libraries and settings. Furthermore, the 522B systems are not currently networked. Prior to decommissioning any TSA unit, this proprietary software in use by TSA is removed,” adds Feinstein.
Rapiscan says that the supervisor password vulnerability does not exist and believes that the machine used by the researchers was misconfigured. It also claims that it is impossible for a hacker to superimpose images on to the operator’s screen because there is an algorithm in place to prevent images of weapons that are too big from being projected on to the bag.
The research duo purchased the Rapiscan system for just $300 second-hand from an online reseller who thought it was broken.