The problem with the so-called "Threat Image Projection" (TIP) feature is that TSA mandates it be included in all TSA machines. This little bit of inspired software allows supervisors to log into scanning machines remotely and project the image of a threat - say, a gun - onto the screen (hence "Threat Image Projection"). It's designed to help supervisors test screeners by putting weapons where none actually exist, in other words.
Two minor hiccups.
First, obviously, if you had the right pictures loaded you could superimpose images in the opposite direction, covering up a real weapon with a purse.
Second, more problematically, it turns out that the software controlling TIP for a certain kind of Rapiscan machine is stupid-easy to hack. You need access to a supervisor's machine, which you may or may not be able to get over a network, but once you have that you can log in by dumping nonsense characters into the computer (technically it's a SQL injection exploit, but for our purposes we can understand it as a bunch of nonsense characters). Oh, and it turns out that for the Rapiscan machines in question, the password file is stored in plaintext, presumably to make it easier on the three hackers in the world who don't know SQL.
TSA says that it uses proprietary versions of the TIP software in question, and Rapiscan says the software vulnerability doesn't even exist. Our level of confidence in their assurances, suffice it to say, is not ironclad.
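For readers who want to see why "nonsense characters" can get past a login, and why plaintext passwords make it worse, here is an added example that is not code from Rapiscan, TSA, or the researchers. It puts a login check built by pasting input into SQL next to one that binds parameters and stores salted hashes. The SQLite tables, the account name, the password, and the choice of PBKDF2 are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def derive(password, salt):
    # Salted, deliberately slow hash: a stolen table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    # Constructed sample data; nothing here comes from a real system.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plain_users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO plain_users VALUES ('supervisor', 's3cret-demo')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("supervisor", salt, derive("s3cret-demo", salt)))
    return db


def login_vulnerable(db, name, password):
    # Weak: input is pasted into the SQL text and compared to a plaintext column,
    # so quote characters in the input become part of the query itself.
    query = ("SELECT 1 FROM plain_users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return db.execute(query).fetchone() is not None


def login_hardened(db, name, password):
    # Input is bound as a parameter, so it can never change the query's structure.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash with the recomputed one.
    return hmac.compare_digest(stored, derive(password, salt))


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing SQL syntax
    print("vulnerable accepts crafted input:", login_vulnerable(db, "supervisor", crafted))
    print("hardened accepts crafted input:  ", login_hardened(db, "supervisor", crafted))
```

The first function treats the crafted string as query logic and lets it in; the second treats the same string as just a wrong password.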
[Photo: rapiscansystems / YouTube]