
For Valentine's Day, TSA Focuses on What's Important

February 11, 2014 at 3:53 PM

TSA recently blogged a list of tips for traveling during and around Valentine's Day. Yes to regular and even liquid-filled chocolates, but no to flower vases with water in them, plus a reminder that there are special rules for traveling with wedding dresses. Because wedding dresses and flower vases with water in them could be used to compromise the security of aircraft, you see.

In other news, engineers have discovered a way that hackers can hijack TSA scanning machines to remotely overlay what screeners see with arbitrary images. So if you're a terrorist smuggling a gun through security, and you've got a friend who has gained access to the computer linked to your checkpoint, your friend can cover over the image of your gun with what looks like a pile of socks.

The problem with the so-called "Threat Image Projection" (TIP) feature is that TSA mandates it be included in all TSA machines. This little bit of inspired software allows supervisors to log into scanning machines remotely and project the image of a threat - say, a gun - onto the screen (hence "Threat Image Projection"). It's designed to help supervisors test screeners by putting weapons where none actually exist, in other words.

Two minor hiccups.

First, obviously, if you had the right pictures loaded you could superimpose images in the opposite direction, covering up a real weapon with a purse.

Second, more problematically, it turns out that the software controlling TIP for a certain kind of Rapiscan machine is stupid-easy to hack. You need access to a supervisor's machine, which you may or may not be able to get over a network, but once you have that you can log in by dumping nonsense characters into the computer (technically it's a SQL injection exploit, but for our purposes we can understand it as a bunch of nonsense characters). Oh, and it turns out that for the Rapiscan machines in question, the password file is stored in plaintext, presumably to make it easier on the three hackers in the world who don't know SQL.

TSA says that it uses proprietary versions of the TIP software in question, and Rapiscan says the software vulnerability doesn't even exist. Our level of confidence in their assurances, suffice it to say, is not ironclad.

[Photo: rapiscansystems / YouTube]
