Full-body scanners used for years at airports across the U.S. are even worse than previously believed—in fact, according to new research, they are easily tricked, which may have allowed passengers to smuggle guns, bombs, and other contraband through airport security.

More troubling, researchers say, the study reaveals a severe lack rigorous testing of security systems by the Transportation Security Administration (TSA).

When the TSA pulled Rapiscan 1000 airport security scanners from airports last summer, it did so out of privacy concerns. However, according to a report released earlier this week by a team of researchers from U.C. San Diego, University of Michigan, and Johns Hopkins University, anyone with knowledge of how the scanners work could have easily slipped weapons past security checkpoints.

The results of the study are being presented this week at the USENIX Security Symposium in San Diego, Calif.

While the agency had spent over a billion dollars deploying the scanners at more than 160 airports around the country, an outcry over the scanners’ ability to show the airport security personnel manning the machine an outline of passengers’ ?junk” eventually led to the government scrapping the system, which was the primary means of ensuring security on airplanes from 2009 through 2013.

When the scanners first rolled out, the results of tests of their efficacy conducted both by Rapiscan and government officials were never made public due to security concerns, nor were any units of the full-body, backscatter X-ray machines made available for third-parties to run their own independent trials. Now that the machines are no longer in wide use in airports—they are still, however, common in government faciliteis around the country like courthouses and prisons—the researchers picked up a used one on eBay (where else?) and decided to take it for a spin.

What they discovered was shocking.

?In laboratory tests with a real machine, we were able to conceal guns, knives, and explosive simulants in such a way that they were not visible to the scanner operator,” the report reads. ?We also studied the cyberphysical security of the machine and were able to show how an attacker could subvert the operator console software so that it would be possible to conceal all types of contraband.”

They discovered that, while the machines did a good job of identifying most smuggled items, anyone with a familiarity with how the technology works—or who even just bought a unit of their own on eBay—could easily conceal weapons by hiding them in specific places on the body or covering them with other material to fool the machines into not being able to distinguish the contraband from the passenger’s body.

On the machines, the person’s body reads as white and all external items read as black. Here’s what it looks like when the scanner detects someone attempting to smuggle a handgun tucked into the front of his pants:

After running their own tests, the researchers discovered that by taping a pistol to the outside of a passenger’s leg just above the knee or sewing it into the same spot inside of a pants legs, the gun doesn’t show up at all.

In the image below, the subject on the left conceals a .380 ACP pistol by taping it just above his knee; the subject on the right hides the same gun by sewing it into his pant leg.

The items could be discovered if the passengers were scanned from the side, not just the front or back; however, TSA guidelines don’t require all passengers to be scanned from the side because that would significantly increase the amount of wait time at airport security check lines.

Another strategy, which worked well with knives, is to tape the weapon to the passenger’s body and then cover it with a material that will read as the same color as a human body, such as a polytetrafluoroethylene like Teflon.

The researchers found that it was possible to use a slight variation on this strategy to smuggle plastic explosives, which require a metallic detonator in order to go off.

These problems neatly solve each other: we attached a detonator, consisting of a small explosive charge in a metal shell, directly over our subject’s navel. Since the detonator is coated in metal, it absorbs X-rays quite well and mimics the look of the navel in the final image

The team also discovered that it’s possible to attack the machines to disable much of their functionality. The software on the scanner they purchased lacked any password protection or software verification, and the lock to the cabinet where the computer is housed could be picked in ?under ten seconds with a commercially available tool,” meaning an attacker could potentially infect a scanner with malware without much difficulty.

None of these stratagies would likely occur to an attacker who hadn’t done his or her homework. But someone who was both sophisticated and prepared could have use techniques like these to sneak virtually whatever they wanted onto airplanes for years.

?Our results suggest that while the … [machine] is effective against naïve attackers, it is not able to guarantee either efficacy or privacy when subject to attack by an attacker who is knowledgeable about its inner workings,” the authors argued.

Luckily, due to the privacy concerns, the TSA scrapped the Rapiscan machines in favor of ones based on millimeter wave technology, which likely lack many of the same vulnerabilities identified in this study.

Even so, the change doesn’t instill the report’s authors with much confidence about the overall level of security across the nation’s airline transit network.

?The problems that we identified in our study point to a lack of rigorous public testing,” study co-author Stephen Checkoway explained in an email to the Daily Dot. ?In particular, it demonstrates a lack of adaptive, adversarial thinking. That is, it was tested against adversaries who naively conceal contraband under their clothing but not against adversaries who adapt their concealment techniques to the detection system.”

?I think that this sort of secret testing is counterproductive and ultimately harms security,” Checkoway added.

This study isn’t the first time someone has used similar techniques to demonstrate the insecurity of this type of body scanner. In 2012, activist Jonathan Corbett, who also filed a lawsuit against the TSA over charges that the scanners violated his Fourth Amendment rights protecting against unreasonable search and seizure, released a video on YouTube showing just how easy it is to get past the machines.

In a blog post responding to Corbett’s video, a TSA official dismissed any problems with its scanners.

I watched the video and it is a crude attempt to allegedly show how to circumvent TSA screening procedures. For obvious security reasons, we can’t discuss our technology’s detection capability in detail, however TSA conducts extensive testing of all screening technologies in the laboratory and at airports prior to rolling them out to the entire field. Imaging technology has been extremely effective in the field and has found things artfully concealed on passengers as large as a gun or nonmetallic weapons, on down to a tiny pill or tiny baggies of drugs. It’s one of the best tools available to detect metallic and non-metallic items, such as… you know… things that go BOOM.

When asked about the study, a TSA spokesperson told Bloomberg Businessweek that all of its technology goes through “a rigorous testing and evaluation process, along with certification and accreditation. This process ensures information technology security risks are identified and mitigation plans put in place, as necessary.”

The official also noted that the agency had been given a copy of the study by its authors earlier this year.

Rapiscan received the TSA contract for the scanners after a significant lobbying effort that saw the company giving over a quarter of a billion dollars to politicians in 2010 alone.

According to a Huffington Post article about the company’s political activities, the major push to employ backscatter technology in the nation’s airports came after ?underwear bomber” Umar Farouk Abdulmutallab attempted to blow up an airline en route from Amsterdam to Detroit, Mich., on Christmas Day, in 2009.

George W. Bush Administration Homeland Security Director Michael Chertoff wrote an op-ed in the Washington Post arguing for the desperate need full-body scanners at airports without disclosing that Rapiscan was a client of his private consulting firm.

Photo by Writpit/Wikimedia Commons (CC BY-SA 3.0)