Coping with the Challenges of Bypassing Inspection at Airports – Technologies, Methods and Work Processes

Written by Or Shalom

Airport inspection is an essential component in ensuring the safety of passengers and crew. This process is designed to identify and detect potential dangers, such as the risks of terrorism, infiltration, smuggling of weapons, trespassing, etc.

The U.S. Transportation Security Administration (TSA), which is responsible for transportation and airport security, reported more than 300 inspection-bypassing incidents in the past year, about 200 of them on the way out of the airport [1]. Among them, two women were arrested at Sky Harbor International Airport in Phoenix, Arizona, after entering the airport through an unsecured exit gate. In another incident, at Palm Springs Airport, a passenger walked through an unmanned physical inspection station. In a third, at Nashville Airport, a passenger boarded a flight after evading the entire inspection process, without even holding a ticket.

To address and reduce such incidents, it is necessary to understand the challenges of enforcing the inspection process and the difficulties in preventing security and inspection measures from being bypassed. These stem mainly from a combination of the following: technological security gaps, large crowds, lack of coordination among field operators, human manipulation, lack of passenger awareness, and enforcement difficulties. They call for integrated solutions that combine technological efficiency, team training, improved procedures, and increased passenger awareness.

Reduction of Cyber-Induced Inspection Bypass:
Cyber-attacks on airport inspection systems pose a significant threat to airport security and to the functioning of the airports themselves. Airport operations depend heavily on advanced technologies and diverse computing systems. These include not only IT (Information Technology) networks that manage and support business operations, but also OT (Operational Technology) networks and systems that manage physical processes at the airport, for example luggage conveyor management, building management systems (such as climate control or electricity), and security systems (surveillance and protection). All these systems are interconnected, which means that many users (different teams at the airport) operate on them. This connectivity creates risks and, in the eyes of adversaries, attack opportunities. The results of an attack may include reduced security levels, delays in takeoffs and landings, and privacy violations affecting passengers and crew. A classic example is the attack by hackers on Atlanta International Airport systems, which penetrated the airport's computing systems in a way that disrupted the inspection process and led to many flight delays [2].

A different kind of cyber risk emerged from a study by researchers Sam Curry and Ian Carroll. They discovered a major security flaw in FlyCASS, a system used to manage aircrew access under the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs. They identified that SQL injection could be performed on the log-in page, allowing them to bypass the authentication mechanism and log in as administrators of Air Transport International. Once inside with administrative access, the researchers found that anyone could be added as an authorized employee of the KCM and CASS systems without further verification. This means that access to restricted areas could be granted to unvetted, unauthorized persons, which significantly compromises security [3].
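The two weaknesses described above, a login query built from user input and an "add to roster" action with no independent verification, are easiest to understand next to their hardened forms. The following is an added illustration written for this article; it is not FlyCASS or the researchers' code, and the database schema, table names, the "admin" account and the "verified by HR" flag are all constructed for the demo.

```python
# Added illustration, not FlyCASS or the researchers' code. The database schema,
# table names, accounts and the "verified by HR" flag are constructed for the demo.
import hashlib
import hmac
import secrets
import sqlite3


def _hash_password(password: str, salt: bytes) -> str:
    # PBKDF2 keeps the example dependency-free; a dedicated password hasher is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database: one airline administrator and an empty crew roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, salt BLOB, role TEXT)")
    conn.execute("CREATE TABLE crew (employee_id TEXT PRIMARY KEY, approved_by TEXT, verified INTEGER)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("admin", _hash_password("correct horse", salt), salt, "airline_admin"))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """'Before' picture: the query text is assembled from user input, so a quote in the
    username rewrites the WHERE clause and the password comparison never takes effect.
    (It also compares the raw password against the stored hash; the shape of the
    string-built query is the point, not the credential logic.)"""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened login: bound parameters keep input as data, and the password is checked
    in code with a constant-time comparison against the stored salted hash."""
    row = conn.execute(
        "SELECT username, role, pw_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    name, role, stored_hash, salt = row
    if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        return None
    return (name, role)


def add_crew_member(conn: sqlite3.Connection, session, employee_id: str, verified_by_hr: bool) -> bool:
    """Adding someone to the roster requires an authenticated airline_admin session AND an
    independent verification record; without both, nothing is written and False is returned."""
    if session is None or session[1] != "airline_admin":
        return False
    if not verified_by_hr:
        return False
    conn.execute("INSERT INTO crew VALUES (?, ?, 1)", (employee_id, session[0]))
    conn.commit()
    return True


def crew_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM crew").fetchone()[0]
```

The hardened version changes two things: the query never contains user-controlled text, and the roster write is gated on a second, independent signal rather than on the session alone, so that administrative access on its own is not enough to grant someone access to restricted areas.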

Events such as these demonstrate the complexity of airport cyber protection, given the need for connectivity, user convenience, flexibility in entering information about changing teams, and more. This complexity also emphasizes the importance of mapping existing weaknesses and web-based communication channels and identifying the opportunities they present to an attacker [4].

Detecting the preparation stages and the act of bypassing inspection using anomaly-based analytics:
The ability to track suspects within a large crowd, such as at a train station or airport, is complex. Movement within a crowd allows the adversary to blend in, both during the preparation stage and after carrying out the action itself. In such settings, where unusual activity must be detected in densely packed environments, analytics, especially with AI integration, offer a significant advantage.

Implementing a user behavior analytics system at airports and border crossings can help identify suspects by detecting abnormal patterns and behaviors that indicate suspicious intentions. Calibrating such systems allows alerting when particular behavioral patterns, or combinations of them, are observed: prolonged stays in the area of a border crossing, returning to the same crossing within a relatively short period of time (as part of the planning and learning stages), and actions taken to avoid interaction with security guards, scanners or the inspection process.

Quite a few piggybacking events at crossing points have been detected thanks to the alertness of security personnel. Cameras should therefore be calibrated to the security plan and to the threats associated with the area, with the goal of identifying this pattern automatically. The system should be calibrated so that an alert pops up when it detects an attempt at piggybacking (for example, a rule against squeezing through close behind someone else), as well as behavior that indicates the physical bypassing of an obstacle (a rule against crawling under or jumping over it, or lingering near it for a long time). This is a classic example of retaining control even without continuous human supervision. The alert also helps when the monitoring process requires attention to multiple issues at the same time. It is also possible to implement an automated mechanism that issues instructions to the suspect over a loudspeaker in order to hold him in place. Such a system is also useful at times when passenger traffic decreases and human supervision is reduced, which otherwise gives the adversary freedom of movement to reach the systems themselves in order to tamper with them or to look for attack opportunities. When formulating the security plan and deploying the cameras and analytics, the environmental conditions should be examined against the adversary's possible modus operandi, and characteristics of suspicious behavior in the monitored radius should be defined in relation to the circumstances of time and action, with the goal of avoiding the harassment of innocents. The more comprehensive the information extraction is, and the more it draws on information from different layers, the better the ability to assess and score the threat level, and to avoid harassing innocents [5].
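The rules described in the two paragraphs above (prolonged stay near a crossing, repeated returns to the same crossing, more than one person passing on a single gate opening, and a crossing with no credential at all) can be expressed as simple detectors over tracked events, with a score that counts how many independent rules agree on the same track. The block below is an added example written for this article, not the author's or any vendor's analytics; its event schema, zone names, thresholds and sample recording are all constructed.

```python
# Added illustration of the camera/analytics rules described above; it is not the
# article's or any vendor's code. Event schema, zone names, thresholds and the sample
# events are all constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float       # seconds since the start of the recording
    zone: str      # monitored area, e.g. "gate3"
    kind: str      # "open" (credential accepted at the gate), "cross", "enter", "exit"
    track: str     # analytics track id, or the credential id for "open" events


GATE_CYCLE_S = 4.0        # assumed: how long one accepted credential keeps the gate passable
DWELL_ALERT_S = 300.0     # assumed: presence near a crossing longer than this is "prolonged"
RETURN_WINDOW_S = 1800.0  # assumed: window for counting returns to the same crossing
RETURN_LIMIT = 3          # assumed: returns within the window that trigger an alert


def detect_piggybacking(events):
    """One alert per gate cycle in which more than one track crossed, plus an alert for
    crossings that no accepted credential explains (a physical bypass of the barrier)."""
    opens = sorted((e for e in events if e.kind == "open"), key=lambda e: e.t)
    by_cycle = defaultdict(list)
    for c in sorted((e for e in events if e.kind == "cross"), key=lambda e: e.t):
        live = [o for o in opens if o.zone == c.zone and o.t <= c.t < o.t + GATE_CYCLE_S]
        cycle = (c.zone, live[-1].track) if live else (c.zone, None)
        by_cycle[cycle].append(c.track)
    alerts = []
    for (zone, credential), tracks in by_cycle.items():
        if credential is None:
            alerts.append(("uncredentialed_crossing", zone, tuple(tracks)))
        elif len(tracks) > 1:
            alerts.append(("piggybacking", zone, tuple(tracks)))
    return alerts


def detect_prolonged_dwell(events):
    """Alert when a track stays inside a zone for DWELL_ALERT_S or longer."""
    alerts, entered = [], {}
    for e in sorted(events, key=lambda e: e.t):
        key = (e.track, e.zone)
        if e.kind == "enter":
            entered[key] = e.t
        elif e.kind == "exit" and key in entered:
            dwell = e.t - entered.pop(key)
            if dwell >= DWELL_ALERT_S:
                alerts.append(("prolonged_dwell", e.zone, e.track, dwell))
    return alerts


def detect_repeat_returns(events):
    """Alert the moment a track's RETURN_LIMIT-th entry into the same zone falls within
    RETURN_WINDOW_S of the earlier ones (the 'learning the crossing' pattern)."""
    alerts, visits = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e.t):
        if e.kind != "enter":
            continue
        times = visits[(e.track, e.zone)]
        times.append(e.t)
        recent = [t for t in times if e.t - t <= RETURN_WINDOW_S]
        if len(recent) == RETURN_LIMIT:
            alerts.append(("repeat_return", e.zone, e.track, len(recent)))
    return alerts


def threat_scores(events):
    """Number of distinct rules each track triggered: the more independent layers agree,
    the higher the score and the less likely it is an innocent passer-by."""
    hits = defaultdict(set)
    for alert in detect_piggybacking(events):
        for track in alert[2]:
            hits[track].add(alert[0])
    for alert in detect_prolonged_dwell(events) + detect_repeat_returns(events):
        hits[alert[2]].add(alert[0])
    return {track: len(rules) for track, rules in hits.items()}


def sample_events():
    """Constructed recording: T1 opens gate3 with credential C100 and T2 slips through
    behind; T4 crosses with no credential; T3 loiters, then keeps coming back."""
    return [
        Event(10.0, "gate3", "open", "C100"),
        Event(11.0, "gate3", "cross", "T1"),
        Event(12.0, "gate3", "cross", "T2"),
        Event(50.0, "gate3", "cross", "T4"),
        Event(100.0, "gate3", "enter", "T3"), Event(500.0, "gate3", "exit", "T3"),
        Event(600.0, "gate3", "enter", "T3"), Event(620.0, "gate3", "exit", "T3"),
        Event(900.0, "gate3", "enter", "T3"), Event(910.0, "gate3", "exit", "T3"),
    ]


if __name__ == "__main__":
    evs = sample_events()
    for alert in detect_piggybacking(evs) + detect_prolonged_dwell(evs) + detect_repeat_returns(evs):
        print(alert)
    print(threat_scores(evs))
```

Each detector is deliberately independent of the others, so a single false positive (a traveller who waits a long time for a companion, say) only raises one rule; the score only becomes meaningful when several layers agree, which is the point the text makes about avoiding harassment of innocents.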

For example, there are quite a few specialized technologies for collecting information about the direction of terror attacks over the internet. These are based on analyzing connections and social media posts, and then cross-referencing names against various databases in the context of terror activity. Another capability, which I have also reviewed in the past, is metadata analysis. It allows a retrospective look at a sequence of events, connections between entities on social networks, information on financial transactions (such as an unusual purchase of plane tickets), and more. Increasing the amount of information enables better cross-referencing across the different layers and, in general, raises the level of confidence regarding the scenario and situation. Here, too, rule-setting and calibration must be carried out from the attacker's perspective, after learning from global events and extracting new insights.

Manipulation of technology systems:
The use of technological systems (including analytics, biometric systems, scanning systems, X-ray, etc.) increases the attempts (and the studies) to manipulate those systems, via cyber means but not only. Such manipulation is sometimes carried out on the system itself and sometimes in its vicinity. I will present three different cases, from different angles, that exhibit the methods of manipulation:

  1. Bypassing inspection by manipulating a facial recognition system:
    In a 2018 study conducted at Ben Gurion University, an interesting manipulative technique for bypassing inspection was demonstrated. It relies on fooling a facial recognition system using makeup. By analyzing and pinpointing the weaknesses of the software in an Adversarial Machine Learning (AML) process, it was discovered that natural-looking makeup can be applied in order to fool the system and bypass it. This is interesting because the system did not flag the black-listed individual once they wore makeup, even though makeup is commonly worn at the airport and in everyday life [6]. The case illustrates the need for additional, independent checks: testing in separate areas, random questioning, and more.
  2. Use of common biometric markers to bypass biometric systems:
    Most fingerprint recognition systems scan only specific sections of the fingerprint during the examination. This is mainly for ergonomic reasons in the interface between man and machine, and to significantly reduce the duration of the test. A full-coverage test requires a lengthy comparison against the samples in the database and can therefore cause longer waits, negatively affecting the subject's experience. Additionally, although fingerprints are unique, there are common features and areas that are similar across most of the population. In other words, from an attacker's perspective, using them reduces the number of attempts needed to bypass the system. This was demonstrated by a University of Michigan study that used AI-based software to generate the most common prints, which reduced the number of guesses required. This means that brute force can be applied using these common patterns and prints. Another attack can be implemented by physically obtaining and using fingerprint data, if it is known to be used by the same system at the border crossing, or as part of the brute-force reservoir [7]. There are numerous studies on the manipulation of biological markers, and this one emphasizes the need for liveness testing (which aims to determine that the system is interacting with a human being rather than with an object, bot, or spam). This is based on measuring pulse, analyzing blood flow, and more. Systems that sample a number of areas can also be used, such as placing the hand over a scanner so that multiple fingerprints are checked at once, which provides an excellent user experience together with a high level of security. This fingerprint scanning is carried out without physical contact with the system, as a hover over the scanner. Another protection can be implemented by limiting the number of allowed failed guesses, or alternatively by alerting when the check cannot verify the sample presented.
  3. Manipulation of body scanners [8]:
    A study titled Security Analysis of a Full-Body Scanner, conducted by the University of San Diego and the University of Michigan, analyzed full-body scanners used at border crossings and airports to identify objects hidden on the passenger's body, and tested by trial and error the ability to manipulate them and degrade their accuracy in various ways (such as resolution impairment). Here, too, the study's conclusion highlights the risk of trial and error from an attacker's perspective. Therefore, the systems and software should be recalibrated in accordance with threats and capabilities published in research and with events that happen on the ground. The study also offers recommendations for upgrading security to address changing threats. This case also demonstrates the need to think about protecting the security systems themselves as endpoints, especially as some of them are separate from the network and unmonitored or uncontrolled, which enables risks such as shutdown, changes of functionality, and so on. For example, it could allow attackers to gain access to a scanning system at times when there are no flights and to schedule a shutdown or change parameters and settings. Protecting against this requires hardening the system as an endpoint (including disabling unused interfaces and connections and preventing sockets from being replaced), physical anti-tamper controls, and also monitoring equipment such as a sensor-triggered security camera, or alternatively physical supervision, etc. [9]
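The second case ends with two concrete mitigations for fingerprint matching: a cap on failed guesses, and an alert whenever the check cannot verify the presented sample (for instance when liveness is not confirmed). The following is an added example written for this article, not code from any cited study or product; the thresholds, the lane/identity naming and the 0..1 matcher score scale are assumptions.

```python
# Added example, not code from any cited study or product. It implements the two
# mitigations named above, a cap on failed match attempts and an alert whenever the
# check cannot verify the presented sample, as a small policy object. Thresholds,
# station/identity naming and the score scale (0..1) are assumptions.
import time
from collections import defaultdict, deque

MAX_FAILURES = 3          # assumed: failed matches allowed per station and claimed identity
FAILURE_WINDOW_S = 600.0  # assumed: failures older than this no longer count
LOCKOUT_S = 900.0         # assumed: how long the pair stays blocked after the cap is hit
MATCH_THRESHOLD = 0.8     # assumed: minimum matcher score accepted as a genuine match


class ManualClock:
    """Deterministic clock for tests and demos; set .now explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class VerificationGuard:
    """Wraps the matcher decision: enforces the failure cap and records alerts for a human."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # (station, claimed_id) -> recent failure times
        self.locked_until = {}                # (station, claimed_id) -> unlock time
        self.alerts = []                      # (reason, station, claimed_id, ...) tuples

    def attempt(self, station, claimed_id, match_score, liveness_ok):
        now = self.clock()
        key = (station, claimed_id)
        if self.locked_until.get(key, 0.0) > now:
            self.alerts.append(("attempt_during_lockout", station, claimed_id))
            return "locked"
        if not liveness_ok:
            # The sensor could not establish that a live person is present. Neither accept
            # nor count it as a guess; refer it to an officer, as the text suggests.
            self.alerts.append(("liveness_unverified", station, claimed_id))
            return "refer_to_officer"
        if match_score >= MATCH_THRESHOLD:
            self.failures.pop(key, None)      # a genuine match clears the failure history
            return "accepted"
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW_S:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_S
            self.alerts.append(("lockout", station, claimed_id, len(recent)))
            return "locked"
        return "rejected"


if __name__ == "__main__":
    clock = ManualClock()
    guard = VerificationGuard(clock=clock)
    for score in (0.5, 0.6, 0.7):
        print(guard.attempt("lane1", "E42", score, True))
        clock.now += 10.0
    print(guard.alerts)
```

Keying the counter on the station and the claimed identity together means a brute-force pass with common prints against one enrolled record is cut off after a handful of attempts, while an unverifiable sample is never silently discarded: it produces an alert a guard can act on.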

The attacks, knowledge, and accumulated experience, alongside the enemy's motivation, require the use of red teams to examine these advanced scenarios. In the face of the methods and threats of inspection bypassing, the working assumption should be that each security layer is a separate layer, independent of the previous one. That is, each layer performs its work process and tests regardless of the results of the layer that preceded it. Although for us the rationale is the opposite, for the opponent it works the other way round: each layer they pass is another obstacle overcome. In this method, the questioning process must be professional, with the understanding that sometimes it is the last resort. For example: a passenger who has passed all security layers but during questioning gave false statements or carried forged documents (even if not used), and more.


The author is a security, cyber, and HLS technology expert and consultant to government ministries and defense industries. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in consultation and business development for security companies and groups in matters of planning and building defense, innovation and security technology, exercises, and training in security and cyber.


[1] https://www.youtube.com/watch?v=8lO36l3RQGk

[2] https://www.youtube.com/watch?v=gDbfFUPACoI

[3] https://ian.sh/tsa

[4] https://i-hls.com/he/archives/99316

[5] https://i-hls.com/he/archives/107457

[6] https://i-hls.com/he/archives/117079

[7] https://arxiv.org/pdf/1705.07386

[8] https://cseweb.ucsd.edu/~kmowery/papers/secure-1000.pdf

[9] https://www.kth.se/social/files/59102ef5f276540f03507109/hardware_security__2017_05_08.pdf