Security Flaws in Rapiscan Full-Body Scanners

Security researchers have finally gotten their hands on a Rapiscan backscatter full-body scanner. The results aren't very good.

Website with paper and images. News articles and commentary.

Note that these machines have been replaced in US airports with millimeter wave full-body scanners.

Posted on August 27, 2014 at 7:38 AM • 21 Comments


kronos • August 27, 2014 7:44 AM

What, more security theater??!! Who would have ever guessed (throwing hands up in air, looking shocked)....

sehe • August 27, 2014 8:43 AM

Ironic: "The response from the online certificate validation (OCSP) server was too old." when trying to access that site (meaning that my browser refuses to connect)

vas pup • August 27, 2014 9:30 AM

@Bruce: "Note that these machines have been replaced in US airports with millimeter wave full-body scanners." Yes, Americans do the right thing after they try all the other ones. That is all the result of not conducting an analysis of competitive technologies first and developing the c o n c e p t (rather than a knee-jerk reaction to bring a sense of security versus real security) independent of the direct or indirect financial influence of manufacturers on those making decisions. Follow the money!

Peter • August 27, 2014 10:00 AM

They have been replaced in US airports, but didn't they move them to US prisons? And there are probably more people trying to smuggle things into prisons than onto aeroplanes...

NobodySpecial • August 27, 2014 10:24 AM

"Millimeter" wave body scanners at US airports?
Is this part of a Commie (and/or French) plot to get metric stuff into the front line in the war on terror?

I demand inch-wave body scanners at all airports - it also means they won't be able to resolve my rude bits.

Alligator Frenzy • August 27, 2014 11:04 AM

Did they bother doing this same sort of security testing on millimeter wave scanners before installing them?

Dave • August 27, 2014 11:27 AM

It's OK: The backscatter machines have already fulfilled their primary purpose, namely enriching then-DHS Secretary Michael Chertoff.

Never mind that neither the backscatter scanners nor the millimeter wave scanners have managed to catch a single terrorist.

Chris • August 27, 2014 1:30 PM

I recall reading another airport subject not that long ago about glass, and that a layer of morphed material is not easy to penetrate by these machines. I have worked quite a lot in airports and with airlines and flying a lot, and there are so many things that come to my mind during the checks that have failed during the years. So yes, it's a theater, nothing more, nothing less. However, if you fly in and out of Ben Gurion you might grasp some real security that seems to work quite well.
Just a thought

Chris • August 27, 2014 2:11 PM

Forgot a link. There is a lot if one is interested to read, but this one is pretty much what it's like, and I was there in the 80s. Just google Ben Gurion and Security.

So very much layered security with humint, and background checks, and of course the "normal" security checks at "normal" airports are included.

If you haven't gone through Ben Gurion it's an eye opener to read it; if you have, it's a good read to remember why it took so long :-)


NobodySpecial • August 27, 2014 2:13 PM

@Chris - what really must take time at security is stripping down every catering truck, tanker, DHL/Fedex/UPS truck, airline service vehicle, cleaner truck, and honeywagon going airside and checking there isn't 100ml of liquid hidden somewhere in the chassis to be passed to an accomplice and planted on a plane.

Chris • August 27, 2014 2:57 PM

Well yes, and that's one point of the problem here: the TSA scanners, or these rules that you shouldn't have this and that, or the nailclipper is too long or whatever, is a circus that is silly. And that's not how it's solved at Ben Gurion at all; if you don't fit a profile they don't care less if you have a nailclipper or not.

The insider problem is a real threat, but for the passengers going in and out the real way to do it, but time consuming, is profiling, humint and background checks. TSA scanners I don't buy into, sorry. The problem can't be solved with tech; it might be a good thing perhaps, but to blindly believe that a scanner xyz is going to solve all the problems, it's not going to work.

Now when you talk about the insider threat, that's another story, and a more scary one in fact.
I haven't got the slightest clue how to tackle it, to be honest, and don't know how it's done in high security facilities, as some airports are nowadays.

Interesting question, but I don't know the answer to that.

vas pup • August 27, 2014 3:51 PM

Chris • August 27, 2014 2:11 PM

Thank you for the link: example of real proactive security versus theater.

Coyne Tibbets • August 28, 2014 12:14 AM

This country has a real fascination with the idea that technology will solve every problem. People must not think: They must let the computer think.

Best expressed in that old technology manifesto, "Don't worry, our _____ solves every problem you have."

Winter • August 28, 2014 2:09 AM

@Coyne Tibbets
"This country has a real fascination with the idea that technology will solve every problem."

No, the problem of the USA seems to be that the people there distrust each other at such a level that they will try to get rid of any human judgment at all.

This problem is quite old. Read the entertaining account of how this cultural distrust creates a dysfunctional legal system in "The death of common sense" by Philip K. Howard

fajensen • August 28, 2014 4:47 AM

What's the problem? It doesn't have to work! The people who make the laws, sell the equipment, provide the (minimum wage) security personnel and so on, use some ppm of the profit from the entire 3-ring circus to travel on private jets!

How does one go about getting a "decision-maker" to change something that works ... for he/she/it?

Mr Obvious • August 28, 2014 8:19 AM

Just pointing out that the comment from 'imranawan' on the 28 August at 2:17 AM should have been caught by a spam filter. A URL as a name? A link to a commercial web-site in the body of the comment/advert? Apologies for STBO, but it had to be said... And double apologies if it was a Troll!

Wesley Parish • August 28, 2014 7:45 PM

Of course, these vulnerabilities were discovered after the decision was made to phase the x-ray backscatter machines out of service at the TSA, and after the replacement millimetre machines were built and accepted.

So these vulnerabilities were never part of the operations specification of the new machines. So we can take it as read that they have not been addressed by the new machines.

Meanwhile new vulnerabilities will have been added in that time-honoured fashion ...

@Chris. Seeing as how the Israeli security system works - they prevented one Noam Chomsky from entering Israel via Jordan and the Occupied Palestine Territories a few years back, if I remember correctly - I have no doubt they would exclude me, since I am of much the same opinion as Noam Chomsky concerning Israel and Palestine. Of course, Israel's reputation takes a massive battering from the state-supported Kahanists in Hebron. Does Ben Gurion's security consciousness, aided and abetted by those two most capable institutions MOSSAD and ShinBet, include the Kahanists and prevent them from travelling? Or is it a case of "profiling", security theatre by another name?

metalmickey • August 30, 2014 3:40 AM

Now get working metal detectors as none of my pins and plates show up at airports.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.