When the Transportation Security Administration (TSA) pulled out the full-body backscatter scanners from U.S. airports, it wasn't because the machines weren't doing their jobs. They were pulled out because of the public clamor that followed after the scans showed they were essentially pictures of naked people.
That, however, does not render useless. A new study [pdf] conducted by researchers from the University of Michigan, Johns Hopkins University and University of California, San Diego, shows that the Rapiscan Secure 1000 machines deployed at U.S. airports from 2009 to 2013 actually don't do their jobs very well. In fact, the researchers found out that the scanners do not do their jobs at all, since the scanner fails to detect guns, bombs, knives and other contraband that are easily hidden by Teflon or through the folds of one's clothing.
That doesn't pose much of a threat at U.S. airports, where the Rapiscan scanners are now replaced with millimeter wave machines. However, in courthouses, jailhouses and other government facilities that bought off the second-hand machines at discounted prices from the airports, and in other airports around the world such as those in Kenya, Rwanda and Tanzania, the question of security remains.
The team conducted research on the same model used by the TSA purchased for around $49,000 off eBay and attempted to smuggle a variety of items through the scanner's detectors. They found out that they could conceal a full-metal gun, namely a .380 ACP simply by taping the gun to the person's side with Teflon or sewing it on the inside of his pant's leg. They were also able to do the same thing with a folding knife taped to the person's spine.
Even more alarming is the fact that the fake plastic detonator the researchers created with a real bomb's x-ray-deflection properties and attached to a person's belly button went completely undetected by the Secure 1000 used by the researchers.
For even more advanced attackers, such as those employed by a well-heeled terrorist group for instance, they could even physically install malware into the scanners that causes the machine to display a certain image when it detects a symbol or QR code specified by the attackers.
But the findings are not all about the effectiveness of the scanners. They also pose a question about how the TSA tests and procures these machines.
"These machines were tested in secret, presumably without this kind of adversarial mindset, thinking about how an attacker would adapt to the techniques being used," says J. Alex Halderman, a computer science professor at University of Michigan and one of the study's authors.
"They might stop a naïve attacker," he continues. "But someone who applied just a bit of cleverness to the problem would be able to bypass them. And if they had access to a machine to test their attacks, they could render their ability to detect contraband virtually useless."
The TSA remains mum on the researchers' findings, which confirms what blogger Jonathan Corbett demonstrated two years ago via a YouTube video that the Rapiscan scanners used by the TSA fail to pick up metal weapons attached to the side or back of a person.
TSA spokesperson Ross Feinstein did not comment on the findings but insists that all security equipment deployed by the agency go through "a rigorous testing and evaluation process, along with certification and accreditation." He also says that the TSA uses its own proprietary security software that is not commercially available in place of the system that comes with its machines.
