
Security Analysis of a Full-Body Scanner - jakemask
https://radsec.org/
======
dangerlibrary
From the paper:

"To a degree that surprised us, our attacks benefited from testing on the
device itself. Our first attempts at implementing a new attack strategy were
often visible to the scanner, and reliable concealment was made possible only
by iteration and refinement.

[...]

The effectiveness of such a strategy depends critically on the difficulty of
obtaining access to the machine. In addition to the device we purchased, at
least one other Secure 1000 was available for sale on eBay for months after we
obtained ours. We do not know whether it sold, or to whom."

~~~
x1798DE
If the attack you are worried about is terrorism (which I imagine it must be,
since that's the thing these things purport to stop, I suppose), then I don't
think this is a big problem. Terrorists get about as much bang for their buck
whether or not they get caught, so they can presumably just try out their
strategies a few times and see if they get caught.

------
joshfraser
These machines are such a blatant violation of our Constitutional rights. We
shouldn't be searched like this without probable cause or a search warrant.
Whether they are effective or not is irrelevant.

~~~
jodrellblank
We don't have a constitution.

(Not everyone on the internet is American, and of those who are, none can do
anything about erosion of your rights. Complain to your local political
representative, who potentially can).

~~~
joshfraser
Sorry for the US-centric comment. All people are created equal with
unalienable rights, so we shouldn't be trampling the human rights of
foreigners either. It's just easier to point out the abuses when we have
governing documents that explicitly say we shouldn't be doing the thing that
we're doing.

~~~
wdewind
> It's just easier to point out the abuses when we have governing documents
> that explicitly say we shouldn't be doing the thing that we're doing.

Can you explain what part of it is unconstitutional? Because while I'm totally
against it, I think it is pretty much entirely constitutional because airlines
are a private business that no one is being forced to go through. But I
clearly don't know much about this and would welcome an education.

~~~
diafygi
Earlier this year, the ACLU won a case regarding the constitutionally of the
no-fly list[1]. Basically, their argument was that you can't give up your
Fifth Amendment rights (due process) when you travel internationally. Since
this argument won, it implies that Fourth Amendment rights (probable cause
searches) also cannot be forfeited.

Relevant quote:

"Accordingly, the Court concludes on this record that Plaintiffs have a
constitutionally-protected liberty interest in traveling internationally by
air, which is affected by being placed on the No Fly List." [2]

[1] - [https://www.aclu.org/national-security/latif-et-al-v-
holder-...](https://www.aclu.org/national-security/latif-et-al-v-holder-et-al-
aclu-challenge-government-no-fly-list)

[2] -
[https://www.aclu.org/sites/default/files/assets/latif_v_hold...](https://www.aclu.org/sites/default/files/assets/latif_v_holder_opinion_and_order.pdf)

~~~
tedunangst
The Fourth Amendment only protects against unreasonable searches without
probable cause. The Supreme Court could well decide that airport scanners are
reasonable and therefore do not require probable cause.

------
kmowery
Hi! Lead author here.

We'll be giving a talk on this work tomorrow at the USENIX Security, but I'm
happy to answer any questions you have here before then.

~~~
dangerlibrary
Theoretically, how many of these (or similar) techniques would work against
the millimeter wave scanners currently deployed in US airports?

~~~
iak8god
Don't the millimeter wave machines perform a 360 degree scan? That would at
least eliminate the really facepalm-inducing "put your gun on the side of your
body" attack.

~~~
ben1040
Doesn't seem that way. The sensor revolves around the subject being scanned,
but the images that have always been shown as coming from the machine are just
front and back images.

From L3's sales site for the ProVision MMW machine, sample images:

[http://storage.pardot.com/16582/23361/product_provision_L_3_...](http://storage.pardot.com/16582/23361/product_provision_L_3_composite_300dpi.jpg)

Their "ATD" model that includes image analysis to automatically flag
"anomalies" only seems to show front and back, too.

[http://storage.pardot.com/16582/23381/products_ait_ProVision...](http://storage.pardot.com/16582/23381/products_ait_ProVision_ATD_Mannequin_300.jpg)

In 2012, the "TSA Out Of Our Pants" guy previously documented the "conceal a
metal object on the side of your body" attack, and did so against the MMW
machines with the ATD software on them:

[http://tsaoutofourpants.wordpress.com/2012/03/06/1b-of-
nude-...](http://tsaoutofourpants.wordpress.com/2012/03/06/1b-of-nude-body-
scanners-made-worthless-by-blog-how-anyone-can-get-anything-past-the-tsas-
nude-body-scanners/)

~~~
iak8god
Interesting. I always assumed it was doing a 360 scan. The sample images do
seem to hint at a 2D scan, though the ATD front & back cartoon should be
enough to highlight anomalies anywhere on the traveler's body.

It's too bad the "TSA Out Of Our Pants" guy didn't have a hidden camera
accomplice to film his entire trip through security.

------
ck2
As everyone knows, they aren't there for security.

They are there for theater.

Meanwhile the number of TSA "officers" arrested continues to grow each month
[http://tsascandals.wordpress.com/](http://tsascandals.wordpress.com/)

~~~
jkestner
I always opt out for this reason, even when I'm risking missing my plane.
Paying contractors a lot of taxpayer money for a public placebo is offensive,
and this makes me feel true to myself, but I wish I knew a more effective
method of protesting. Currently no one really wonders about the odd out-out.

------
devindotcom
They removed these machines from airports in 2013 but are still using them
elsewhere - prisons, gov't offices. So while you may not be able to bomb a
plane, you can still take a gun into court. Lovely!

~~~
nardi
The airports I frequent (in particular San Jose International) are very much
still using full-body scanners.

Edit: Do you mean this particular model is no longer in use? If so, are newer
models not susceptible to these attacks?

~~~
SomeCallMeTim
Backscatter x-ray technology was removed from airports. [1]

All airports now use millimeter wave technology. [2]

[1] [https://en.wikipedia.org/wiki/Backscatter_X-
ray](https://en.wikipedia.org/wiki/Backscatter_X-ray)

[2]
[https://en.wikipedia.org/wiki/Millimeter_wave_scanner](https://en.wikipedia.org/wiki/Millimeter_wave_scanner)

~~~
jamoes
Millimeter wave scanners still subject the body to radiation, even though they
don't have the work "X-Ray" in the name. Radiation damage to your body is
cumulative throughout your life, so if you care about your longevity, you'd be
wise to opt-out of subjecting your body to this radiation whenever possible.

~~~
drostie
So you've got a bunch of responses, but as a guy with a Master's in applied
physics I wanted to chime in with a bit more of a long explanation.

The word "radiation" just means that something _radiates_ \-- it travels off
to infinity. In this case we're talking about electromagnetic radiation, which
spans a vast continuum from radio waves through microwaves to infrared and
red, across the visible spectrum to deep blue, then on into ultraviolet,
X-ray, and gamma light. It turns out that this radiation is _quantized_ \--
meaning it comes in lumps of a certain energy E = hf where h is a fundamental
constant and f is the frequency of the light (equivalently, f = c / L where L
is the wavelength). Light also comes with a certain "kick" or momentum p = E /
c. We knew the latter formula from classical electromagnetism but the former
formula was awarded two Nobel prizes, one to Max Planck and one three years
later to Albert Einstein.

It is presently thought that the blue side of the non-visible electromagnetic
radiation spectrum (UV, X-rays, Gamma rays) is cancer-causing, while the
visible and red-side of nonvisible is not. This comports with the
Planck/Einstein law for the energy of the photons, which approaches the bond
energies for several common atomic bonds in the visible spectrum and exceeds
it as we go into the ultraviolet. (We essentially see light by having the
light excite these bonds, but not so much that it tears them apart, so as they
"relax" to their starting configuration they release the energy and activate
neurons.)

Microwaves are about 1mm or 1cm long, on the red side. They are emitted by
microwave ovens, cell phones, wifi hotspots, and millimeter-wave detectors.
Right now it's not thought that these are "dangerous" radiation any more than
white light is, because their "kicks" don't excite the atomic bonds but are
instead absorbed by proteins as a whole, in a process we presently think is
indistinguishable from any other sort of heat transfer. That is, they heat you
up, but don't do much else.

If they did something else, probably very large changes would have to be made
to our modern scientific understanding, which I of course would totally
support if experiments bore it out. At present there are no good experiments
which show any other effects of microwaves on biological tissue, other than
the heating thing.

~~~
thinkling
I like this response a lot and am going to adapt it to explain this to my
radiation-paranoid family.

The concept of wavelength as the sole distinction between these types of
radiation is probably abstract to most non-science-educated people. Can you
(or anyone else) think of a good concrete real-world analogy of different
types of X that vary only in Y and some X are harmless but those with Y are
not? Maybe an analogy of throwing sand at someone vs. shooting a bullet?

~~~
drostie
The sand/bullet one is probably apt, if indirect. The issue is that different
"kicks" get absorbed in different ways by the stuff which makes up your cells.
One gets absorbed by the chemical bonds and tears them apart; one gets
absorbed by the molecule as a whole.

I think maybe the best way to give the idea is to contrast a car crash with a
bullet at the same energy. According to Wikipedia, a really strong rifle
cartridge (in this case, the .220 Swift) fires its bullet with at most 2.4 kJ
of kinetic energy, which is about the energy of me moving at 15 mph. So you
can imagine me, getting shot, flying backward at ~10 mph. But also there's the
exact same energy and momentum transfer as is in me falling asleep and veering
into a tree while driving at 10 mph. So why do I think that the 10mph crash is
survivable as long as I don't get thrown from the vehicle, while the bullet
would likely be fatal?

The difference is that the seat belt distributes the force over most of my
upper torso, whereas the rifle distributes all of its kick in a particular
place. Similarly, the "smaller" photons distribute all of their kick on
particular atoms, while the "bigger" photons tend to distribute their kick on
the protein as a whole. One "rips the stuff apart", the other causes it to
bump into its surroundings more.

~~~
thinkling
Thanks.

What's your take on the possibility of damage suffered from exposure to RF
radiation? There are reports from credible institutions (/u/jamoes mentions
one above) that RFR, despite causing "only heating", may have detrimental
impacts.

When I see lists of studies like this [1], it's hard to know what to think.
Are most of these weak studies or unsettled science?

I know this is a really broad question; I'm obviously not asking for comments
on specific studies listed those tables. I'm curious about comments on the
seeming contradiction between the observation that at a theoretical level RF
radiation at moderate intensity is thought to be known to be provably
harmless, and the large number of reports of observed non-trivial(?) effects.

[1] [http://www.bioinitiative.org/rf-color-
charts/](http://www.bioinitiative.org/rf-color-charts/)

~~~
drostie
That's really hard for me to answer, because while I can address the physics
side pretty well the physiology side is not really my forte. More importantly,
you have to have someone who knows the studies _holistically_ rather than
piecemeal, because of the numbers.

What I mean is -- and I'm not necessarily accusing bioinitiative.org; I'm just
stating that it's something we have to watch out for -- it's possible for a
lot of reports from credible institutions that have good, correct studies
warning about X, even if X is totally harmless.

One of the easiest ways for this to happen is the simple fact that at least
one in twenty journal results should be wrong, because that's how 95%
confidence intervals work. If a thousand 95% studies are done on a safe thing
then you should ideally have 50 studies which can't make that conclusion.

Let me speak about a case which is related which I _do_ know a little about;
the Interphone study. This was a massive international case-control study on
the effect of mobile phone radiation (also microwaves) on various forms of
brain cancer. You can see one of the full articles reporting the data here:

[http://ije.oxfordjournals.org/content/39/3/675.long](http://ije.oxfordjournals.org/content/39/3/675.long)

In this case, bioinitiative.org released a press release stating "Today’s
release of the final results of the ten-year long World Health Organization
INTERPHONE Study confirms previous reports showing what many experts have
warned – that regular use of a cell phone by adults can significantly increase
the risk of glioma by 40% with 1640 hours or more of use (this is about one-
half hour per day over ten years). Tumors were more likely to occur on the
side of the head most used for calling."

I will state that _that press release_ \-- not necessarily the whole
bioinitiative.org project; I don't know enough to say that, but _that press
release_ in particular -- is cherry-picking the data _significantly_. Lots of
bloggers picked up this headline too, but I don't think they read the
scientific study that they were blogging about (as a rule).

If you _actually look_ at that study you'll see -- to take table 2 as my
example -- that there is a table of 50 results presented with 95% confidence
intervals. Of those 50 results, a shocking twenty of them result a
statistically-siginificant observed _preventative_ effect of cell phone
radiation on meningioma and glioma while only one of them (the glioma case
that they cite) showed a statistically observed damaging effect. The authors'
actual conclusion was much more meek, "Overall, no increase in risk of glioma
or meningioma was observed with use of mobile phones. There were suggestions
of an increased risk of glioma at the highest exposure levels, but biases and
error prevent a causal interpretation. The possible effects of long-term heavy
use of mobile phones require further investigation." (There may even be simple
correlations which would cause cell-phone users to have less cancer -- maybe
strong social bonds protect against cancer and cause cell phone use; or maybe
people who use their brains more find the distraction of cell phones harder to
resist and also have a higher turnover in brain cells, making it harder for
cancer cells to find purchase, or something.)

As far as I know, that is the largest study that has ever been done on cancer,
but there may be other "detrimental impacts" (as you call them) which are not
cancer, of course. You would need to consult someone who has a holistic view
of the info, not a physicist who happened to read that one study when it came
out in 2010.

~~~
thinkling
Thanks. I very much appreciate your substantive response.

------
tehwebguy
From the FAQ:

> _Q. Isn’t it bad to publish details of possible attacks?_

> We have omitted a small number of sensitive details from our attacks in
> order to avoid providing recipes that would allow an attacker to reliably
> defeat the screening process without having access to a machine for testing.

------
jakemask
And the USENIX page:
[https://www.usenix.org/conference/usenixsecurity14/technical...](https://www.usenix.org/conference/usenixsecurity14/technical-
sessions/presentation/mowery)

