{"id":2989,"date":"2014-03-14T10:50:15","date_gmt":"2014-03-14T14:50:15","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=2989"},"modified":"2020-02-26T18:58:21","modified_gmt":"2020-02-26T14:58:21","slug":"hacking-the-airport-security-scanner","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hacking-the-airport-security-scanner\/2989\/","title":{"rendered":"Hacking The Airport Security Scanner"},"content":{"rendered":"<p>If you try to think of the most secure place in the world, you probably think of some military bunker or U.S. President\u2019s hiding vault. But for us ordinary folks, the strictest security we can encounter is located in an airport. Armed security staff, multiple screening and ID checking points form a 360-degree security perimeter, preventing terrorists and criminals from leisurely traveling onboard those huge Boeings and Airbuses.\u00a0 That\u2019s why it was quite shocking for me to discover that those folks at TSA and similar agencies from other countries pay much more attention to physical security, neglecting the importance of the cybersec.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/03\/05111138\/scanner-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4093\" alt=\"scanner\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/03\/05111138\/scanner-1.jpg\" width=\"640\" height=\"480\"><\/a><\/p>\n<p>A presentation on the subject was given at the <a href=\"https:\/\/www.kaspersky.com\/blog\/sas-day-one-kaspersky-showcases-company-industry-talent\" target=\"_blank\" rel=\"noopener nofollow\">SAS 2014<\/a> Conference by Qualys researchers Billy Rios and Terry McCorkle, who spent some time exploring a very important system of the airport protection perimeter \u2013 an X-Ray introscope. 
For those who are unfamiliar with the term, an X-Ray introscope is a machine that scans a bag on a transporter belt and shows its contents in solarized colors on the operator\u2019s screen. The device is controlled by a special key panel and doesn\u2019t really look like a computer, but is essentially a highly specialized scanner connected to an ordinary PC running software on top of a typical Windows installation. Rios and McCorkle obtained a Rapiscan 522B, a used introscope, via online auction and checked its software components. The findings were quite shocking for seasoned security specialists. First of all, the computer ran Windows 98, which is literally 15 years old. Microsoft hasn\u2019t supported it for years. And you could imagine how many <a href=\"https:\/\/threatpost.com\/category\/microsoft\" target=\"_blank\" rel=\"noopener nofollow\">exploitable and unpatched vulnerabilities<\/a> still exist in those old machines running Win98. Back then it was possible to infect a computer just by connecting to its network port and talking to the OS, without extra investigation on software configuration, etc. Second, the special security software itself turned out to be <b>very <\/b>concentrated on physical security, i.e. bags\u2019 contents. Computer security definitely was not a priority. Operator passwords are stored in plain text, and there are multiple ways to log into the system without any prior knowledge of user names and other details. \u201cIt tells you there\u2019s an error, [but then] just logs you in,\u201d said Rios. However, the most important finding is the third one.<\/p>\n<div class=\"pullquote\">Can you bring a gun onboard just by hacking the software running on those X-ray machines? It turns out it could be quite realistic, although not easy.<\/div>\n<h2>Virtual guns<\/h2>\n<p>The image on the operator\u2019s screen is essentially a computer simulation, as X-Ray scans don\u2019t include any colors. 
What the computer does is perform specially tailored image processing, which helps an operator quickly highlight metallic objects, or something with a liquid inside, etc. Multiple \u201cfilters\u201d are available, but the software goes much further than this. As the threat detection level on the introscope is dramatically low (no one really tries to bring a gun onboard nowadays), supervisors keep operators awake by sporadically inserting a weapon image on top of real bag contents. When an operator sees a gun or a knife (the system contains dozens of such images), he\/she must press the alarm button.\u00a0 In this training scenario, the alarm won\u2019t really be triggered, but an internal assessment system will record the operator\u2019s attentiveness.\u00a0 This trick is clever, but it raises a concern as well. What kind of \u201cPhotoshopping\u201d could be further applied to a bag image? Wouldn\u2019t it be possible to add some neutral image to the internal database and place it on top of the real gun on the screen? Such a hack is theoretically possible, given the dated and vulnerable software configuration of the scanner tested.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/03\/05102332\/threatimage.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4096\" alt=\"threatimage\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/03\/05102332\/threatimage.jpg\" width=\"640\" height=\"416\"><\/a><\/p>\n<h2>No worries?<\/h2>\n<p>Don\u2019t cancel your next flight; the situation is not that bad. First of all, computers in the airport security zone are isolated from the Internet. It\u2019s still possible to hack them locally, but it poses a significant extra challenge to hypothetical attackers. Second, there are multiple vendors of X-Ray scanners and Qualys researchers tested only one (plus it is not new). I truly hope that others are more secure. 
Third, airport security is layered and many specialists consider those well-visible measures like metal detectors and introscopes the least important. So even in an unlikely case of scanner malfunction, there are other security measures in place. However, this research teaches us that traditional security measures like administrative access control and \u201cairgapping\u201d (network isolation) are no replacement for a dedicated layer of cyber-security. TSA has very detailed standards describing the configuration of screening checkpoints, including even small details like dimensions of plastic trays used by passengers. This standard must include a detailed description of IT security measures as well, as airport systems definitely fall into the category of <a href=\"https:\/\/www.kaspersky.com\/industrial-security-cip\" target=\"_blank\" rel=\"noopener nofollow\">critical infrastructure<\/a>. Only this can ensure our long-term safety in-flight.<\/p>\n<p>P.S. This post was entirely written on board an Airbus A330 flying from Tenerife to Moscow. Despite these vulnerability issues, I\u2019m still not afraid of flying.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you try to think of the most secure place in the world, you probably think of some military bunker or U.S. President\u2019s hiding vault. 
But for us ordinary folks,<\/p>\n","protected":false},"author":32,"featured_media":2990,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[536,519,535],"class_list":{"0":"post-2989","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-airport-security","9":"tag-hacks","10":"tag-thesas2014"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hacking-the-airport-security-scanner\/2989\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hacking-the-airport-security-scanner\/3090\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hacking-the-airport-security-scanner\/3387\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hacking-the-airport-security-scanner\/3366\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-the-airport-security-scanner\/4092\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hacking-the-airport-security-scanner\/2941\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-the-airport-security-scanner\/4092\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-the-airport-security-scanner\/4092\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/airport-security\/","name":"airport 
security"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2989","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2989"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2989\/revisions"}],"predecessor-version":[{"id":15739,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2989\/revisions\/15739"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/2990"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2989"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2989"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2989"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}