Two years ago, a blogger named Jonathan Corbett published a YouTube video that seemed to show a facepalm-worthy vulnerability in the TSA’s Rapiscan full-body X-ray scanners: Because metal detected by the scanners appeared black in the images they created, he claimed that any passenger could hide a weapon on the side of his or her body to render it invisible against the scans' black background. The TSA dismissed Corbett’s findings, and even called reporters to caution them not to cover his video.

Now a team of security researchers from the University of California at San Diego, the University of Michigan, and Johns Hopkins plans to reveal their own results from months of testing that same model of scanner. And not only did they find that Corbett’s weapon-hiding tactic worked; they also found that they could pull off a disturbing list of other possible tricks, such as using teflon tape to conceal weapons against someone's spine, installing malware on the scanner’s console that spoofed scans, or simply molding plastic explosives around a person’s body to make it nearly indistinguishable from flesh in the machine’s images.

The Rapiscan Secure 1000 machines the researchers tested haven’t actually been used in airports since last year, when they were replaced by millimeter wave scanners designed to better protect passengers’ privacy. But the X-ray scanners are still installed in courthouses, jails, and other government security checkpoints around the country.

More importantly, the glaring vulnerabilities the researchers found in the security system demonstrate how poorly the machines were tested before they were deployed at a cost of more than $1 billion to more than 160 American airports, argues J. Alex Halderman, a University of Michigan computer science professor and one of the study’s authors. The findings should raise questions regarding the TSA's claims about its current security measures, too.

“These machines were tested in secret, presumably without this kind of adversarial mindset, thinking about how an attacker would adapt to the techniques being used,” says Halderman, who along with the other researchers will present the research at the Usenix Security Conference Thursday. “They might stop a naive attacker. But someone who applied just a bit of cleverness to the problem would be able to bypass them. And if they had access to a machine to test their attacks, they could render their ability to detect contraband virtually useless.”

Unlike others who have made claims about vulnerabilities in full body scanner technology, the team of university researchers conducted their tests on an actual Rapiscan Secure 1000 system they purchased on eBay. They tried smuggling a variety of weapons through that scanner, and found—as Corbett did—that taping a gun to the side of a person's body or sewing it to his pant's leg hid its metal components against the scan's black background. For that trick, only fully metal guns worked; An AR-15 was spotted due to its non-metal components, the researchers report, while an .380 ACP was nearly invisible. They also taped a folding knife to a person's lower back with a thick layer of teflon tape, which they say completely masked it in the scan.

Rapiscan images showing a subject carrying no weapon (left) versus a .380 ACP pistol sewn to the side of his pants leg, (right) which is practically invisible in the scan.

Even more disturbingly, the researchers found they could easily conceal a 200 gram pancake of putty designed to have the same X-ray deflecting properties as plastic explosives by molding it around a passenger's torso. The simulated bomb's detonator, made from a different material, was hidden in the would-be bomber's belly button.

Scanner images showing a subject with no explosives (left) versus more than 200 grams of simulated plastic explosives molded around his torso, with the detonator hidden in his belly button.

In the explosive example, as with the other hidden weapons, the researchers admit they had to experiment with different setups several times before finding one that left no trace in the scanner's images. But they won't share all the concealment tricks they learned. "We're not trying to to provide recipes to attack actual devices in the field," says UCSD researcher Keaton Mowery.

In addition to their physical attacks, the researchers also experimented with more inventive digital ones. They found that they could infect the scanner with malware—most practically for an attacker by picking the lock on the scanner's cabinet and physically installing the malware on the PC inside. Once installed, that malware could be programmed to selectively replace the scan of any passenger with a fake image if he or she wore a piece of clothing with a certain symbol or QR code, as shown in the image below.

In their malware demonstration, the researchers used a distinctive image to signal to their software that the scanner should replace a certain person's image with an innocuous one.

The researchers say they presented their findings to both Rapiscan and the TSA earlier this year, but didn't receive any feedback beyond an acknowledgement that the research had been received. When WIRED reached out to the TSA for comment, a spokesperson wrote in a statement that "technology procured by the Transportation Security Administration goes through a rigorous testing and evaluation process, along with certification and accreditation. This process ensures information technology security risks are identified and mitigation plans put in place, as necessary."

The statement also seemed to emphasize that potential attackers wouldn't have access to the equipment for testing: "A majority of the equipment we utilize is not available for sale commercially or to any other entity; the agency regularly uses its own libraries, software and settings," it adds.

The researchers say that preventing would-be hijackers and terrorists from using the techniques they found wouldn't necessarily be difficult with small changes to how the scanners are used. Though foiling their malware attack would require updates to the device's software, the trick of hiding a weapon against the side of a person's body could be prevented simply by forcing subjects to turn 90 degrees for a second scan.

The most important lessons of the study, however, apply more broadly to the airport security scanning systems. They admit that there's good reason to prevent the machines from being freely available to just anyone—they write that they were only able to hone the dangerous tricks they found because they had access to a working model. But the researchers nonetheless recommend that current and future systems be subject to the same "adversarial" testing that they performed, which would require giving others in the security community access to the machines.

None of researchers among the three universities has been able to obtain a millimeter wave scanner, so they're not sure whether any of same vulnerabilities they found apply to the full-body scanning machines currently used in American airports. But UCSD's Mowery says it's important that those machines be probed for weaknesses by third-party researchers, just as potential attackers like terrorists or hijackers might if they do get their hands on one of the scanners. "We think that putting the machines through testing with independent security experts would result in a more secure system overall," he says. "We haven’t been able to buy one yet. But that’s not to say other people don't have access to them."