Advanced imaging technologies are a new class of people
screening systems used at airports and other sensitive
environments to detect metallic as well as nonmetallic
contraband. We present the first independent security
evaluation of such a system, the Rapiscan Secure 1000
full-body scanner, which was widely deployed at airport
checkpoints in the U.S. from 2009 until 2013. We find
that the system provides weak protection against adaptive
adversaries: It is possible to conceal knives, guns, and
explosives from detection by exploiting properties of the
device’s backscatter X-ray technology. We also investigate
cyberphysical threats and propose novel attacks that
use malicious software and hardware to compromise the
effectiveness, safety, and privacy of the device. Overall,
our findings paint a mixed picture of the Secure 1000
that carries lessons for the design, evaluation, and operation
of advanced imaging technologies, for the ongoing
public debate concerning their use, and for cyberphysical
security more broadly.

More here: https://radsec.org/secure1000-sec14.pdf