Detecting Explosives

Really interesting article on the difficulties involved with explosive detection at airport security checkpoints.

Abstract: The mid-air bombing of a Somali passenger jet in February was a wake-up call for security agencies and those working in the field of explosive detection. It was also a reminder that terrorist groups from Yemen to Syria to East Africa continue to explore innovative ways to get bombs onto passenger jets by trying to beat detection systems or recruit insiders. The layered state-of-the-art detection systems that are now in place at most airports in the developed world make it very hard for terrorists to sneak bombs onto planes, but the international aviation sector remains vulnerable because many airports in the developing world either have not deployed these technologies or have not provided rigorous training for operators. Technologies and security measures will need to improve to stay one step ahead of innovative terrorists. Given the pattern of recent Islamic State attacks, there is a strong argument for extending state-of-the-art explosive detection systems beyond the aviation sector to locations such as sports arenas and music venues.

I disagree with his conclusions -- the last sentence above -- but the technical information on explosives detection technology is really interesting.

Posted on May 20, 2016 at 2:06 PM • 25 Comments

Comments

DanielMay 20, 2016 2:41 PM

What is up with people these days, publishing information that can be read by terrorists?! I'm sure they will find the technical details "really interesting" too. It's as if people actually want more gag orders, secret courts, and parallel construction. Gosh Bruce, you are really asking for it...

(the above is 100% snark, for those who have their sarcasm meter broken.)

Milo M.May 20, 2016 3:12 PM

The authors' company could use a boost:

"In Monday, however, IMSC filed its report for the quarterly period ended March 31, 2016 and it contained the following numbers of prime interest.

cash: $280 thousand
current assets: $14.7 million
current liabilities: $99.66 million
quarterly revenues: $10.74 million
quarterly net loss: $4.09 million"

http://www.4-traders.com/IMPLANT-SCIENCES-CORPORAT-408772/financials/

JdLMay 20, 2016 4:17 PM

The layered state-of-the-art detection systems that are now in place at most airports in the developed world make it very hard for terrorists to sneak bombs onto planes...

Really? It's apparently very easy for auditors to sneak just about anything past TSA security. I'm trying to remember the percent of firearms, bombs, etc. that get through. 90%? 95%? Somewhere up there. So this one sentence makes me conclude that the writer of the abstract (and presumably the whole paper) is an idiot.

milkshakenMay 20, 2016 7:48 PM

I am doubtful we can ever have good security against motivated suicidal fanatics

WaelMay 20, 2016 8:10 PM

Detection alone isn't sufficient. Mitigation is also necessary. Disallow any carry on luggage and stow everything in a Bomb bag

ianfMay 21, 2016 1:49 AM


Sounds logical, as mice can get into tighter spots and are master sniffers when having munchies. Problem is, Jacob, once you've press-ganged them into the terminal service, and they are done, how do you get them back onto the funny pages? You'd have to implant small homing antennae into their skulls, and that, my friend, creates a vector for remote electronic misdirection, falsification, etc., in effect nullifying their utility.

Clive RobinsonMay 21, 2016 2:30 AM

@ ianf, Jacob,

Problem is, Jacob, once you've press-ganged them into the terminal service, and they are done, how do you get them back onto the funny pages?

You don't use them that way.

Apparently it's similar to the way they have suggested for bees. You put them in a cartridge, that fits in a machine like a portable vacuum cleaner. The operator moves the nozzle around and the air is drawn over the creature and it's reactions monitored for indications.

Having kept "fancy rodents" as pets, it strikes me as both cruel and problematic. Mice need to move around a lot and they are not easy to train (unlike rats and ferrets) and are very short lived so would only have a few months working life at best.

Jesse ThompsonMay 21, 2016 3:47 AM

Bomb detection? Really?

I'm with @JdL on this. I can open up a USB cell phone charge extender, remove it's battery and replace it with C4/Plastique, replace it's electronic bits with some home-brew to negotiate USB with a phone to figure out when to detonate the charge, and bring *that* with me onto a plane without an eyebrow being batted. I can even "forget" my phone and charger in the little pamphlet pouch in front of my seat when I get off the plane (or someplace more creative if that pouch is actually *checked* between flights..) in order to either remotely detonate once it's filled with passengers again, or failing that allow it to simply go off on an internal timer.

Takehome is that I would be absolutely stunned if they had tech which could detect C4 inside of a backup battery case. :/

DroneMay 21, 2016 3:57 AM

@anon,

Interesting paper on fingerprinting, thanks.

However, it is ironic that the Audio Fingerprinting demo site the Author put up requires ajax(dot)googleapis(dot)com to run. The paper itself lists ajax(dot)googleapis(dot)com as the third largest source of tracking (the other two largest, gstatic(dot)com and fonts(dot)googleapis(dot)com, are also Google spawn).

One thing is certain: Google = Evil.

Clive. RobinsonMay 21, 2016 5:14 AM

@ Jesse Thompson,

Takehome is that I would be absolutely stunned if they had tech which could detect C4 inside of a backup battery case.

You would be supprised then. Most of the time the problem with CAM units is not lack of sensitivity but to much sensitivity.

Whilst a plastic case may appear air tight, they are often not or permiable to certain light molecule chemicals. Further it's more than likely you would get "trace" on the outside of it whilst packing it.

This is an issue that drugs, arms and money smugglers come up against all the time, and they loose quite frequently.

Whilst their are ways using vacuum packing and certain solvents to reduce this, those who search are now also looking for the common solvents and masking agents (like "lamp oil" for money).

I suspect the next line of attack will be blocking or noise floor lift chemicals. Where the idea is to put the sensor out of whack thus making it falsey register etc. The overly obvious one would be to distill one or more of the sense chemicals and arange for all the luggage to get an aerosol misting, such that all surfaces are contaminated, thus the equipment whilst realy reading positive appears to the testers to be falsely reading positive thus they distrust them or turn them off. Even if they know what is going on, the testers are to few in number to manually check all luggage, thus they face a DoS type attack. Unfortunatly the sensible security thing to do is almost the oppsite of the sensible commercial thing to do.

However as I said it's an overly obvious thing to do, there are certainly other techniques that smugglers etc can use that are more covert, but it would not be sensible to talk about them (you never know I just might need them one day if I ever get bored with life and "break bad" or some such ;-)

SanMay 21, 2016 9:17 AM

@Clive Robinson

Or just swallow them in pelletjes like smugglers already do. Cant bodyscan everybody.

albertMay 21, 2016 10:51 AM

@anon, @Drone,

Blocking such scripts would eliminate the problem, would it not?

The question is, can the websites own script 'call' those scripts without your knowledge? I don't know the details of how, for example, NoScript works.

. .. . .. --- ....

Clive RobinsonMay 21, 2016 10:59 AM

@ San,

Or just swallow them in pelletjes like smugglers already do.

That only works for small packages, not for stacks of currancy or blocks of explosive.

Plus how do you get them out when you need them rather than waiting for nature to take it's course.

The main idea behind a bomb (till Bruce joked about "butt-bombers") was that you planted it somewhere it would do actual physical damage to the environment, rather than redecorate it with your blood and guts. To say the Sheikh "Was not amused" at the cleaning bill is a bit of an understatment.

albertMay 21, 2016 12:09 PM

@Clive, et al,

The preferred attack methods for 'islamic' groups (IGs) depends on killing and maiming -people-, not infrastructure. That's the way they roll, and it's probably 13th century tradition, like beheadings (though I do recall a certain European country using such techniques in the 1700s).

Fear of death has certainly been effective for the IGs. Luckily, they haven't yet figured out how much more effective (and easier) infrastructure attacks would be, even if they didn't kill or maim anyone!

Unfortunately for the world, reducing and even eliminating IG attacks can be done without any active programs at all. It's clear that the simple, obvious solutions are antithetical to the US Master Plan, so I don't look for any progress on the political front.

MIT can go ahead and design their detection systems. The only benefits will go to the War Machine contractors*. We'll continue to spend billions on Security Theatre, and keep stoking those fear fires.
---------------
* Those are the obvious(quantifiable) benefits. A made-to-order Police State is apparently not being considered by the US public.
It's a simple solution to population control, when propaganda fails.
. .. . .. --- ....

DroneMay 21, 2016 8:57 PM

@albert,

Script blockers like NoScript will not only prevent the script from running, they are typically a way to discover what scripts a Web site is trying to shove down your throat.

The problem is that unless you let the scripts run, the site hosting the scripts does not work. This is the point I was making in my post; it was ironic how a study of tracking through (e.g.) scripting, hosts a demo site that uses Google's nefarious scripting before it will work. It makes you wonder if the study and demo site is just a honeypot.

An increasingly common ploy to attempt to get you to give up on trying to block scripts selectively is to layer or cascade scripting. This ploy forces you to unblock a script which will then reveal a whole new layer of hidden scripts, which when selectively unblocked will reveal another layer of scripts, ad infinitum. There is no simple way to reveal what scripts underlie what scripts.

There was an Blog site I visited that was so loaded with third-party tracking scripts, it was almost impossible to use. I gave up counting scripting layers at around five or six. By then there were easily more than a hundred scripts trying to run, the vast majority of which were not required to make the site work. They were there to track me, and probably make the site owner some money.

BobbyMay 22, 2016 12:36 PM

If I read it right, they are struggling to detect what is IN the body, so the bad guys could easily use decent sized Dildos to bring on board whatever they want....

albertMay 22, 2016 2:28 PM

@Drone,

I believe I've seen this. Xyz.com won't run unless you temporarily enable xyzscripts.com, which then lists a half dozen 'new' scripts.

TV networks and cab/sat websites are the worst. I've counted 20 scripts on the first iteration of NoScript.

I usually abandon the site if the sites own script doesn't allow functionality.
. .. . .. --- ....

milkshakenMay 22, 2016 5:35 PM

@bobby Also these systems are tested against common and improvised explosives. But it is exceedingly easy to defeat them, by bringing some naughty material or device masked as a common object, if you have a suicide nut on board willing to go down with the plane. Remember the printer cartridge plot? The state of art detection equipment missed a pound-size charge of WWII era common explosive, because it was powdered rather than solid, despite of warning from intelligence services that the bomb is coming in the mail to be loaded on Fedex plane

oliverMay 23, 2016 10:20 AM

You're all doing it wrong!
Forget detection, do profiling.
When was the last time an El-Al airliner was hijacked or bombed out of the air?

Yes they do profiling right, nuff said.

ianfMay 23, 2016 1:51 PM


Listen, Oliver, we've been though this before… the Israelis do airport security right (and not solely psychosocial evaluation—not "profiling"—at boarding points), but their methodology doesn't scale up beyond their limited passenger volumes and few ingress points – not only at the Ben Gurion/Lod Airport, but at selected foreign airports with Israel-bound traffic. If it did, you can be sure it'd have been deployed at large by now, but there are no signs of that (and then hardly due to the "Not Invented Here" syndrome thinking).

Next bright idea, please.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.