Security researchers from Qualys have conducted an in-depth analysis of an x-ray machine such as the ones used at airports, embassies, courthouses and other government buildings. They claim to have found a way to trick the devices.
According to Wired, the researchers have found a way to exploit the scanner’s Threat Image Projection (TIP) function to replace dangerous items with images of harmless ones.
The TIP system is integrated into all scanners. It’s mainly used to train x-ray operators since it allows supervisors to plant images of contraband into luggage at airports.
Normally, you can’t access the TIP functionality unless you have the correct login credentials, but Rios and McCorkle have managed to bypass authentication by exploiting SQL Injection vulnerability.
The device tested by the experts runs Windows 98. Other models operate on Windows XP. In any case, Windows 98 is no longer supported and starting with April 8, Windows XP will have the same fate.
By gaining access to the TIP, an attacker could replace the image of a bag containing illegal items with a picture of one that doesn’t.
On the other hand, the researchers argue that they could manipulate the algorithm since each image is accompanied by a file that instructs the TIP how to use it. Furthermore, they’ve found a file containing all operator credentials in clear text, so it’s really not that difficult for a malicious actor to gain access to the information.
Representatives of the TSA are also not convinced that there’s any real threat. They also say that the TIP software they’re using is different from the commercial version, and it’s not easy for someone to get their hands on the variant utilized by the agency.
“The agency uses its own libraries and settings. Furthermore, the 522B systems are not currently networked,” TSA spokesman Ross Feinstein explained.
While it may be true that the scanners in airports are not connected to the World Wide Web, they are linked to a central network dubbed TSANet. TSANet connects LANs at 500 TSA offices and airports, so the x-ray machines are not exactly isolated.