Thursday, January 7, 2010

Get Out Your Trojans

or more on the X-ray vision security.

X-ray security: can airport system be hacked?
January 7, 2010 - 2:43PM

Having a strange airport employee looking at your "naked" image on a full-body x-ray scanner might be disturbing enough. But what if hackers got access to your "virtual strip search" and distributed it to an even wider audience?

Authorities have gone to significant lengths to appease privacy advocates about x-ray scanners, but protection from technological intrusions haven't featured in explanations.

Hackers have successfully cracked open bank accounts, government websites and even the private Yahoo email account of would-be US vice president Sarah Palin ... so why not an airport x-ray machine?

"From the attackers perspective, it's more around how secure the computers are that control the x-ray machine," said Ty Miller, chief technology officer of Pure Hacking, which tests the security of websites and online systems.

"The way to hack in and get access to images would be by accessing the computers controlling them. There's someone sitting there at a computer hitting 'enter' as people go through [to be scanned], and it's possible that that computer might have some sort of vulnerability, just as any desktop might."

Alan Watt, head of forensics at and who has researched cyber-terrorism, said most computer software had a "back door" that could be exploited by hackers.

"If the x-ray software is owned and managed by some company in Seattle, they often have a back door that allows them to perform remote maintenance."

If a hacker came in via that backdoor, "it would be the same for them as being in front of computer, it doesn't matter if they're sitting 100 miles away [from the airport]", he said.

They would then have access to data stored on the computer.

Authorities say scanned images will not be stored.

"In fact, all machines are delivered to airports with [save] functions disabled," says the US Transport Security Administration, which has rolled out the machines to 19 airports.

But this might not be enough.

"If the computer is compromised, [the hacker] could install a trojan on the machine, which can capture a video of what the operator is looking at, and record it," Mr Miller said.

These hacker attacks would rely on the x-ray machine being plugged into the airport's computer network, and so connected to the outside world.

The Office of Transport Security has been asked whether x-ray scanning - if implemented in Australia - would involve the networking of x-ray equipment. A response is pending.

In recent days, the office has said it is waiting on results from a 2008 trial - in Sydney, Melbourne and Adelaide - before deciding how or when to implement screening locally.

Another, albeit less likely, way that scanned images could get out was the capture of x-rays, Mr Watt said.

"If it's emitting an electric signal, you can capture those signals but you'll need some application to interface with it [and unscramble it to re-create the image]," he said.

He cited a device that could re-generate the image on a computer screen based on the gamma rays the monitor emitted as an example of technology that could be developed for this purpose.

"So I'd say someone with the right knowledge and 2-3 hours could do it."

On 702 ABC radio yesterday, Crikey aviation writer Ben Sandilands also raised concerns that x-ray machines used the same radio frequency as wifi. This meant a hacker could use a wifi-enabled PC to hack into the machines and access scanned images.

Mr Miller believed this was unlikely, as x-rays and wifi were distinctly different protocols.

In any case, while it was more dramatic to think of hackers using wizardry breaking into a network, it was usually human slip-ups that opened the door, Mr Miller's CEO Robert McAdam said.

"You don't have to do it as a full frontal attack, rather focus on some weaker link in the chain," he said.

The quality and integrity of airport staff would thus be crucial to the protection of scanned images. In the US, airport officers evaluating images are banned from taking cameras, phones or photo-enabled devices into viewing room.

"It's usually the people, like an unhappy ex-employee, or someone just being lax with passwords ... that leads to a [hack attack]," Mr Watt said.

"Usually a place like an airport is pretty secure but there's always a loop-hole."

No comments:

Post a Comment