The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)
But what’s surprising in both the report and the critiques about it is that they have only discussed the radiation aspects when used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly have a plethora of computer systems, controlling the scanning beam, analysis of what the beam finds, etc. It’s pretty likely that there’s Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).
The computer systems are the parts that concern me the most. We should be considered about security, safety, and privacy with such complex systems. But the report doesn’t use the word “software” even once, and the word “computer” is used twice in reference to training but not to the devices themselves.
On the safety front, we know that improperly designed software/hardware interaction can lead to serious and even fatal results – Nancy Leveson’s report on the failure of the Therac-25 system should be required reading for anyone considering building a software-controlled radiation management system, or anyone assessing the safety of such a system. We can hope that the hardware design of the scanners is such that even malicious software would be unable to cause the kind of failures that occurred with the Therac-25, but the OIG report gives no indication whether that risk was considered.
On the security and privacy front, we know that the devices have software update capabilities – that became clear when they were “upgraded” to obscure the person’s face as a privacy measure, and future planned upgrades to provide only a body outline showing items of concern, rather than an actual image of the person. So what protections are in place to ensure that insiders or outsiders can’t install “custom” upgrades that leak images, or worse yet change the radiation characteristics of the machines? Consider the recent case of the Air Force drone control facility that was infected by malware, despite being a closed classified network – we should not assume that closed networks will remain closed, especially with the ease of carrying USB devices.
Since we know that the scanners include networks, what measures are in place to protect the networks, and to prevent their being attacked just like the networks used by government and private industry? Yes, it’s possible to build the devices as closed networks protected by encryption – and it’s also possible to accidentally or intentionally subvert those networks by connecting them up using wireless routers.
Yes, I know that the government has extensive processes in place to approve any computer systems, using a process known as Certification and Accreditation. Unfortunately, C&A processes tend to focus too much on the paperwork, and not enough on real-world threat assessments. And perhaps the C&A process used for the scanners really is good enough, but we just don’t know, and the OIG report by neglecting to discus the computer side of the scanners gives no reassurance.
Over the past few years, Stuxnet and research into embedded devices such as those used in cars and medical devices have taught us that embedded systems software can impact the real world in surprising ways. And with software controlled radiation devices potentially causing unseen damage, the risks to the traveling public are too great for the OIG to ignore this critical aspect of the machines.