PUNTA CANA, Dominican Republic – Could a threat-simulation feature found in airport x-ray machines around the country be subverted to mask weapons or other contraband hidden in a traveler's carry-on?

The answer is yes, according to two security researchers with a history of discovering flaws in critical systems, who purchased their own x-ray control machine online and spent months analyzing its inner workings.

The researchers, Billy Rios and Terry McCorkle, say the so-called Threat Image Projection function could someday backfire.

The feature is designed to train x-ray operators, and to periodically test their proficiency at spotting banned items. It allows supervisors to superimpose a chosen image of contraband onto the screen of any baggage system in the airport. That same capability would allow someone with access to the airport supervisor's workstation to superimpose a harmless image of socks or underwear over an x-ray scan that would otherwise reveal a weapon or explosive.

"Someone could basically own this machine and modify the images that the operators see," says Rios, who along with McCorkle works for the security firm Qualys.

Threat Image Projection, or TIP, is present in all TSA-approved scanners, regardless of vendor. For their research, the Qualys team examined software for the Rapiscan 522B.

They found that an attacker would need access to a supervisor's machine, and, theoretically, knowledge of the supervisor's login credentials, to upload their own images into the system. But in the version of the control software they obtained for the Rapiscan 522B, the supervisor's password screen could be subverted through a simple SQL injection attack — a common hacker tactic that involves entering a special string of characters to trigger a system into doing something it shouldn't do. In this case, the string would allow an attacker to bypass the login to gain access to a console screen that controls the TIP feature.

"Just throw [these] characters into the login," Rios says, and the system accepts it. "It tells you there's an error, [but then] just logs you in."

Using the console, an attacker could then direct the system to superimpose weapons or other contraband onto the x-ray images of clean bags to disrupt passenger screening. Or the attacker could superimpose images of clean bags onto the operator's monitor to cover the true x-ray image of a bag containing contraband.

Upon seeing a weapon on the screen, operators are supposed to push a button to notify supervisors of the find. But if the image is a fake one that was superimposed, a message appears onscreen telling them so and advising them to search the bag anyway to be sure. If a fake image of a clean bag is superimposed on screen instead, the operator would never press the button, and therefore never be instructed to hand-search the bag.

It's not clear if the Rapiscan 522B controller that the researchers tested was deployed in an airport. Rapiscan systems, and the TIP feature, are also used in embassies, courthouses and other government buildings, as well as at border crossings and ports to scan for smuggled goods, though Rapiscan says the version of TIP that it sells to TSA is different from the version it sells to other customers. And the TSA says there's no chance the researchers got their hands on the software used by the agency.

"The Rapiscan version that is utilized by TSA is not available for sale commercially or to any other entity; the commercial version of the TIP software is not used by TSA," says TSA spokesman Ross Feinstein.

"The agency uses its own libraries and settings. Furthermore, the 522B systems are not currently networked."

"Prior to decommissioning any TSA unit, this proprietary software in use by TSA is removed," adds Feinstein.

The researchers plan to present their findings today at the Kaspersky Security Analyst Summit here.

The researchers' findings are interesting in part because airport security devices are generally not accessible to white-hat hackers who regularly analyze and test the security of commercial and open source products, like the Windows or Linux operating systems, to uncover vulnerabilities in them.

The TSA has approved scanners from three vendors – Rapiscan, L3 and Smiths. The TIP feature is required in all such systems, but the researchers can't say for certain whether the others work in the same way or can be subverted as easily.

The Rapiscan system came with a database of about two dozen different images of weapons from which to choose. Through a console, supervisors can set the frequency with which fake images appear on screen – for example, every 100 bags scanned by the system – as well as add or modify the library of images from which to choose.

Rapiscan denies the supervisor password vulnerability exists, and claims the researchers must have purchased a machine that was misconfigured. Executive Vice President Peter Kant also denies that an attacker would be able to superimpose anything on the operator's screen; he says an algorithm determines how the contraband is projected into the bag, to avoid inserting an image of a gun that is too big for the bag.

But Rios says that he found each image has an accompanying file that tells the system how to use the image, and an attacker could simply upload his own instruction file to ensure that his rogue image blocks out the real x-ray image beneath it.

In addition to the login bypass, the researchers found that all of the operator credentials were stored in the system in an unencrypted text file. "Rapiscan could encrypt them, and they should," Rios says. "It's so outrageous that they didn't. If anyone ever gets access to the [Rapiscan] file system, they will have access to all the user accounts and passwords in cleartext. No need for keyloggers or malware, just read them out of the text files."
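As an added illustration (not Rapiscan's code; the table layout, account name and password are constructed), the login check below shows the two flaw classes reported above: a password screen whose query is built from raw input, so a crafted string rewrites the WHERE clause and logs the user in, beside a parameterised version that also keeps only a salted PBKDF2 hash rather than the cleartext credentials Rios describes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample store (not Rapiscan's schema): a "legacy" table that keeps
# the password in cleartext, beside a hardened table that keeps only a salted hash.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE legacy_users (name TEXT, password TEXT)")
    con.execute("INSERT INTO legacy_users VALUES ('supervisor', 'tip-admin-1')")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)",
                ("supervisor", salt, derive("tip-admin-1", salt)))
    return con

def derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: reading the table no longer yields usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login_vulnerable(con, name, password) -> bool:
    # The flaw class the article describes: input spliced into the query text,
    # so the WHERE clause can be rewritten by what is typed into the login box.
    q = f"SELECT name FROM legacy_users WHERE name='{name}' AND password='{password}'"
    return con.execute(q).fetchone() is not None

def login_hardened(con, name, password) -> bool:
    # Parameterised lookup: input is bound as data and cannot alter the SQL.
    row = con.execute("SELECT salt, pw_hash FROM users WHERE name=?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the freshly derived hash with the stored one.
    return hmac.compare_digest(derive(password, salt), stored)

def demo() -> dict:
    con = make_db()
    bypass = "' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    return {
        "vuln_right_pw": login_vulnerable(con, "supervisor", "tip-admin-1"),
        "vuln_bypass": login_vulnerable(con, "supervisor", bypass),
        "hard_right_pw": login_hardened(con, "supervisor", "tip-admin-1"),
        "hard_bypass": login_hardened(con, "supervisor", bypass),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable path accepts the crafted string with no valid password at all, while the hardened path rejects it and, even if the table leaks, exposes no cleartext credentials.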

Rios says the Rapiscan software he examined is based on Windows 98. More recent Rapiscan machines run on Windows XP. Neither of these operating systems is supported by Microsoft today.

"There are plenty of remote exploits for Win98 and WinXP that affect these systems," says Rios, suggesting that hackers could use these to hijack a supervisor's system to obtain access to the console for baggage scanners.

Images courtesy Qualys

The baggage scanners at airports are not connected to the public internet. But neither are they entirely isolated systems. TSA regulations require baggage scanners and other security equipment at large U.S. airports to be wired to a central network called TSANet.

As described in a recent job announcement for a government contractor, the TSA's Security Technology Integrated Program aims to connect "the myriad of transportation security equipment (TSE) to one network," so that not only are systems at a single airport connected to one another, they're also connected to central servers.

TSANet has been described as an overarching network that connects to local area networks at nearly 500 airports and TSA offices for the exchange of voice, video and data communications to share security threat information between airports and to broadcast information from TSA headquarters to field offices. A 2006 inspector general report found security problems with the network.

Rios and McCorkle purchased the Rapiscan system secondhand from an online reseller in California. The Rapiscan system generally sells for $15,000 to $20,000 in surplus, but they were able to obtain it for just $300 because the seller incorrectly thought it was broken.

They also obtained and examined two other systems – one for detecting explosives and narcotics, and a walk-through metal detector – that they plan to discuss at a future point.

Last spring, Rapiscan lost part of its government contract for a different system it makes – the so-called nude body scanners – because the company failed to alter its software after privacy groups complained that the body images the machine produced were unnecessarily detailed. The company was forced to remove 250 of its body scanner machines from airports, which were replaced with machines made by a different company.

Then in December, Rapiscan lost the baggage screening contract too, following a complaint by a competitor – Smiths Detection – saying the company had used unapproved foreign parts in its system – specifically an "x-ray light bulb" produced by a Chinese company.