Full-body scanners miss guns, explosives

A full-body security scanner that’s marketed as the best of its kind has serious flaws that can prevent it from seeing firearms, knives and explosives, says a new study led by UC San Diego.

Researchers also say that they were able to tweak the Rapiscan Secure 1000 backscatter X-ray machine’s software to produce an “all clear” image when contraband was present.

Rapiscan System’s Secure 1000 was used at dozens of airports between 2009 and 2013, including, for a time, San Diego’s Lindbergh Field. The Transportation Security Administration (TSA) ordered the scanners to be removed last year because they produced nearly nude images of passengers, stirring an uproar over privacy. Many passengers were also concerned that the low dose of radiation produced by the machines could damage their health.

The scanners are still used at some government facilities, including jails and courthouses, says the study by the University of California San Diego, the University of Michigan and Johns Hopkins University. The study was released on Wednesday.

Airports now heavily rely on so-called millimeter wave body scanners, a different type of technology that was not tested by the researchers.

UC San Diego said found the flaws in a Secure 1000 scanner purchased from an eBay seller who got the machine at a surplus auction at a U.S. government facility in Europe.

Scientists performed a series of laboratory tests that largely involved obscuring firearms, knives and simulated plastic explosives.

“The gold standard in computer security is to have an independent, adversarial evaluation where the adversary is assumed to have resources and is adaptive and clever,” said Hovav Shacham, a UC San Diego computer scientist who helped lead the study.

“That approach seems to be missing from the process in which these machines were developed.”

In airport settings, the Secure 1000 was typically used to take images of the front and back of a person while they stood still. Objects -- such as a gun or a knife -- would appear as dark areas against a bright silhouette of the person.

Shacham says a problem can occur when a metal gun is held at a person’s side. Such weapons absorb much of the X-ray. The gun appears as a dark area against a dark background, just off the silhouette. That can make guns and knives hard to see.

Shacham said the team also used “organic but translucent” material to successfully hide a knife from the scanner. Other concealment techniques were used to prevent the scanner from seeing knives and plastic explosives. And the machine’s software was manipulated in a way that made the scanner report that a person was not carrying contraband.

“We find that the (Secure 1000) system provides weak protection against adaptive adversaries,” the study says. “It is possible to conceal knives, guns, and explosives from detection by exploiting properties of the device’s backscatter X-ray technology.”

Shacham said that the research team notified TSA and Rapiscan of its findings, and made suggestions for correcting problems, in May.

U-T San Diego emailed Rapiscan for comment. The company did not respond. Rapiscan says on its website that the scanner “is the most effective and most widely deployed image-based people screening solution. The Secure 1000 produces high resolution images that enable the operator to easily identify concealed threat and contraband items. The Rapiscan Secure 1000 is ideal for high security environments because both organic (e.g. solid and liquid explosives, narcotics, ceramic weapons) and inorganic (e.g. metal) materials are apparent in the image.”

The TSA issued a statement Wednesday that says, “Technology procured by the Transportation Security Administration goes through a rigorous testing and evaluation process, along with certification and accreditation. This process ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity; the agency regularly uses its own libraries, software and settings.”

The Secure 1000 technology was developed about 20 years ago and acquired in 1997 by Rapiscan Systems, whose main research and development center is located in Torrance, near Los Angeles. TSA contracted with Rapiscan in 2007 to create a version of the Secure 1000 to screen airport passengers. The scanner went into service two years later.

For a while, Lindbergh Field had 11 Rapiscan scanners at three terminals. Many people complained, including John Tyner of Oceanside, who told a TSA agent, “If you touch my junk, I’ll have you arrested.” Tyner used his cellphone to record the encounter. It was posted to his blog and it went viral, fueling the public’s dislike of the scanners.

Tyner recorded the 30-minute encounter on his cellphone and later posted it to his blog, along with an extensive account of the incident. The blog went viral, tapping into the public’s concerns about invasion of privacy.

U-T San Diego reporter Lori Weisberg contributed to this story.

READERS: If you would like to comment about these security scanners, email me at gary.robbins@utsandiego.com. Please include your full name and hometown.