Security researchers have discovered a potentially dangerous flaw in airport x-ray machines that would allow hackers to pass deadly weapons through security.
Billy Rios and Terry McCorkle of security firm Qualys found that a training function called Threat Image Projection (TIP), which superimposes fake images of contraband on the operator's screen to train security personnel, could be manipulated to work in reverse and project images of weapon-free luggage on top of the real thing.
The training software is present in all TSA scanners, and also on machines deployed in government buildings, embassies, courthouses, ports and border crossings.
“Someone could basically own this machine and modify the images that the operators see,” Rios told Wired.
While experimenting with a scanner, the researchers used a common technique to bypass the supervisor login and take over the screen from which Threat Image Projection is controlled.
An attacker could then both project images of contraband over clean bags to disrupt screening and cover bags containing knives, firearms or bombs with the image of a clean bag.
They also found that personnel login credentials were stored in unencrypted plain-text files on the system, so anyone who gains access to the file system can read the usernames and passwords directly. The machines run Windows 98 and Windows XP, which Microsoft no longer supports, so known flaws in the operating system go unpatched and leave the stored credentials exposed to any attacker who reaches the machine, including over a wireless link where one is present.
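To make the plain-text finding concrete, here is an added illustration (not code from Rapiscan, the TSA or the researchers) that contrasts a credential file of the kind described above with a salted-hash store. The usernames, passwords and file layout are constructed sample data, not anything taken from the scanner.

```python
"""Added illustration (not Rapiscan, TSA or researcher code): plain-text
credential file versus a salted PBKDF2 store. All names and passwords are
constructed sample data."""
import hashlib
import hmac
import os

# Constructed sample of a 'user:password' file; every value is made up.
PLAINTEXT_STORE = "supervisor:letmein\noperator1:xray-shift2\n"


def load_plaintext(store: str) -> dict:
    """Parse 'user:password' lines. Reading the file yields every password."""
    creds = {}
    for line in store.splitlines():
        if ":" in line:
            user, pw = line.split(":", 1)
            creds[user] = pw
    return creds


def check_plaintext(store: str, user: str, pw: str) -> bool:
    """Login check against the plain-text file."""
    return load_plaintext(store).get(user) == pw


def make_hashed_store(creds: dict, iterations: int = 200_000) -> str:
    """Rewrite the credentials as 'user:iterations:salt_hex:hash_hex' using
    PBKDF2-HMAC-SHA256 with a random per-user salt."""
    lines = []
    for user, pw in creds.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        lines.append(f"{user}:{iterations}:{salt.hex()}:{digest.hex()}")
    return "\n".join(lines) + "\n"


def check_hashed(store: str, user: str, pw: str) -> bool:
    """Login check against the hashed file. The file reveals no passwords,
    and comparison is constant-time to avoid leaking the digest."""
    for line in store.splitlines():
        parts = line.split(":")
        if len(parts) != 4 or parts[0] != user:
            continue
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        return hmac.compare_digest(candidate, digest)
    return False


def recoverable_passwords(store: str) -> list:
    """What an attacker who merely reads the file learns: every password for
    the plain-text layout, nothing for the hashed layout."""
    found = []
    for line in store.splitlines():
        parts = line.split(":")
        if len(parts) == 2:          # plain 'user:password' line
            found.append(parts[1])
    return found


if __name__ == "__main__":
    creds = load_plaintext(PLAINTEXT_STORE)
    hashed = make_hashed_store(creds)
    print("plain-text file leaks:", recoverable_passwords(PLAINTEXT_STORE))
    print("hashed file leaks:", recoverable_passwords(hashed))
    print("login still works:", check_hashed(hashed, "supervisor", "letmein"))
```

The point of the contrast is the one the article makes: with the plain-text layout, file-system access alone is a full credential compromise, whereas with the hashed layout an attacker who copies the file still has to guess each password offline.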
According to TSA spokesman Ross Feinstein, the Threat Image Projection software the TSA uses differs in some way from the commercially available version, and the machine used in the researchers' experiments, a Rapiscan 522B, is not networked when deployed in the field.
Rapiscan itself denies the machine can be hacked at all and says the unit used in the tests must have been configured incorrectly; the company insists there is no way to project a clean image over a bag containing contraband.
The researchers are presenting their findings Tuesday at the 2013 Kaspersky Security Analyst Summit.