While agents ogle naked bodies, “lame bugs” allow evildoers to easily bypass machines
February 13, 2014
New revelations from security researchers outline how much of the technology operated in airports by the TSA is fundamentally flawed and can be fairly easily bypassed by anyone with the intention of getting dangerous items through security lines.
Experts working at security firm Qualys, have discovered that both body and baggage scanners can be hacked in order to present false images that could fool TSA screeners into giving a person or baggage the all clear, when in fact weapons or explosives are present.
So while everyday Americans are being zapped with radiation and having their naked images recorded (yes the machines still produce naked images), it is entirely possible for terrorists with a little technical know-how to skip right through the TSA’s lines of defense.
Experts Billy Rios and Terry McCorkle note that the vulnerability exists in Rapiscan scanners, which have a Threat Image Projection (TIP) function, designed to train and test TSA screeners by superimposing fake images. They also found that passwords were not needed in order to access this function within the machines.
According to the two experts, the training software is also present in machines deployed in government buildings, embassies, courthouses, ports and border crossings.
“Someone could basically own this machine and modify the images that the operators see,” Rios, a director of threat intelligence, told Wired.
The report notes that “the supervisor’s password screen could be subverted through a simple SQL injection attack — a common hacker tactic that involves entering a special string of characters to trigger a system into doing something it shouldn’t do. In this case, the string would allow an attacker to bypass the login to gain access to a console screen that controls the TIP feature.”
“Just throw [these] characters into the login,” Rios said, and the system accepts it. “It tells you there’s an error, [but then] just logs you in.”
“It’s so outrageous that they didn’t [encrypt]. If anyone ever gets access to the [Rapiscan] file system, they will have access to all the user accounts and passwords in clear text,” he told Wired. “No need for keyloggers or malware, just read them out of the text files.”
“These bugs are actually embarrassing. It was embarrassing to report them to DHS — the ability to bypass the login screen. These are really lame bugs.” Rios added.
Critics will argue that this once again highlights how the TSA’s operations are pure security theater that actually does very little to ensure the safety of Americans, while guzzling billions in taxpayer funding.
Rapiscan has denied that the machines have any vulnerability, suggesting instead that Rios and McCorkle used “misconfigured equipment” during their research. The TSA also denied that the scanners were hackable.
“The Rapiscan version that is utilized by TSA is not available for sale commercially or to any other entity; the commercial version of the TIP software is not used by TSA,” TSA spokesman Ross Feinstein told Wired.
Then again, why should anyone in their right minds believe anything Rapiscan or the TSA claims. The two have been caught in lies and deliberate misinformation regarding the scanners on multiple occasions.
Last year, the TSA came under strict scrutiny from Congress over the mothballing of $14 million worth of body scanners. All in all, the 250 backscatter scanners the agency now has are worth a combined total of $40 million.
The real reason some of the machines were removed from airports is because of allegations that the manufacturer Rapiscan manipulated operational tests on the machines, and the company was never able to develop the “stick man” software that masks naked images produced by the scanners.
In addition, further documents obtained by EPIC show how the TSA “publicly mischaracterized” findings of the National Institute of Standards and Technology (NIST), in stating that the agency had positively confirmed the safety of full body scanners in tests.
It has also been proven that the scanner can be fooled by sewing a metallic object into the side of one’s clothing, rendering the entire fleet of machines virtually useless.
A recently discovered Homeland Security report also noted that federal investigators have “identified vulnerabilities in the screening process” involving the scanners.
Multiple other security experts have gone on record saying that the scanners are ineffective, yet the TSA is now seeking a whole new generation of more powerful, and many would argue more intrusive, scanners seemingly based on the same technology.
Another security experts, Bruce Schneier, CTO of Co3 Systems. also chimed in on the latest revelations of security flaws:
“This reminded me a lot of voting machines. When you design these government systems under procurement rules, you end up using old stuff. No one is paying attention to updating it, so security is crap because no one is analyzing it.”
“Stuff done in secret gets really shoddy security … We know what gives us security is the constant interplay between the research community and vendors.” Schneier added.
Steve Watson is the London based writer and editor for Alex Jones’ Infowars.com, and Prisonplanet.com. He has a Masters Degree in International Relations from the School of Politics at The University of Nottingham, and a Bachelor Of Arts Degree in Literature and Creative Writing from Nottingham Trent University.