All images are licensed under a Creative Commons
Attribution 4.0 International License.
The Rapiscan Secure 1000 — The Rapiscan
Secure 1000 full-body scanner uses backscattered X-rays to
construct an image through clothing. Naïvely hidden contraband,
such as the handgun tucked into this subject’s waistband, is
readily visible to the device operator. The scanners were used at
TSA airport checkpoints from 2009 until 2013.
Credit: Radsec.org
Available on eBay — The scanner designers seem to have
assumed that attackers would not have access to a Secure 1000
to test and rehearse their attacks. However, we found that we could
purchase a government-surplus Secure 1000 from an eBay seller,
even while the machines were still in use by TSA.
Credit: Radsec.org
Operator View — The scanner operator console displays
front and back images and offers basic enhancements and zoom. It
also allows the operator to print images or save them to disk. TSA
models used a different version of the software.
Credit: Radsec.org
Concealing a Pistol by Positioning — The
Secure 1000 cannot distinguish between
high Z_eff materials, such as a metal
handgun, and the absence of a backscatter response. Carefully
placed metallic objects can be invisible against the dark
background. In the left pair of scans, there is a .380 ACP
pistol taped above the subject’s knee. In the right pair of
scans, the pistol is sewn into the pant leg.
Credit: Radsec.org
Concealing a Knife by Masking — We find that
high-Z_eff materials can be hidden by
covering them with lower Z_eff materials,
such as the common plastic PTFE (Teflon). For example, a metal
knife is clearly visible when naïvely concealed, but when covered
with a thin plastic block it approximates the color of the spine.
Tapering the block’s edges would reduce the visible outline.
Credit: Radsec.org
Concealing Explosives by Shaping — Left: Subject
with no contraband. Right: Subject with more than 200 g
of C-4 plastic explosive radiological simulant molded to stomach,
with detonator placed over navel.
Credit: Radsec.org
A Secret Knock — We demonstrate how malware infecting
the Secure 1000 user console could be used to defeat the
scanner. The malware is triggered when it detects a specific
pattern in a scan, as shown here. It then replaces the real image
of the attacker, which might reveal hidden contraband, with an
innocuous image stored on disk. Pattern recognition occurs in real
time.
Credit: Radsec.org
Attacking Privacy — An attacker could use a detector
hidden in a suitcase to capture images of the subject during
scanning. As a proof of concept, we used a small hand-held PMT to
capture images that are consistent with the scanner’s output.
A larger detector would produce more detailed images.
Credit: Radsec.org
Naïve Evaluation — In an evaluation by Sandia
National Labs, a Secure 1000 prototype successfully detected
blocks of C-4 plastic explosive and Lucite attached to the
subject’s chest. Observe in this image from the report that
the detection is based almost entirely on the X-ray shadow
surrounding each rectangular block, which can be reduced or
eliminated by an adaptive adversary through clever shaping and
positioning of contraband. We argue that critical security devices
like the Secure 1000 should be subjected to rigorous, public,
independent testing of the sort common in computer security, where
evaluators apply an adversarial mindset and attempt to defeat the
system.
Secure 1000 front face and Secure 1000 cabinet interior
Credit: Jacobs School of Engineering/U.C. San Diego
Secure 1000 X-ray generator
Credit: Erik Jepsen, U.C. San Diego Publications
Film badge used for measuring radiation exposure
Credit: Erik Jepsen, U.C. San Diego Publications
UCSD professor Hovav Shacham with the Secure 1000
Credit: Erik Jepsen, U.C. San Diego Publications
UCSD professor Hovav Shacham and Ph.D. student Keaton Mowery
Credit: Erik Jepsen, U.C. San Diego Publications
UCSD Ph.D. student Keaton Mowery with the Secure 1000
Credit: Erik Jepsen, U.C. San Diego Publications
University of Michigan professor J. Alex Halderman
Credit: Jacobs School of Engineering/U.C. San Diego
Johns Hopkins University professor Stephen Checkoway
Credit: Jacobs School of Engineering/U.C. San Diego
Prof. J. Alex Halderman and Ph.D. candidate Eric Wustrow of the University of Michigan
Credit: Jacobs School of Engineering/U.C. San Diego