Rapiscan: Default Password
Rapiscan has improved its security posture in recent years. Following an ICS-CERT advisory (ICSA-15-169-01) in 2015 that highlighted multiple hardcoded credentials in their Itemiser DX detection systems, Rapiscan began:
However, hundreds (if not thousands) of legacy units remain in service. Airports and government agencies often run equipment for 10–15 years due to the high cost of replacement. A Rapiscan 518 X-ray unit installed in 2007 is likely still running its original firmware – and its original default password.
Before we discuss passwords, it is vital to understand the variety of systems involved. Rapiscan produces several product families, each with its own operating system and authentication method:
Leaving a default password active on security screening equipment is not merely poor practice—it can violate multiple regulatory frameworks:

| Regulation | Requirement | Consequence of Default Password |
|------------|-------------|--------------------------------|
| TSA 1542.303 (Airport Security) | Access control to screening systems | Up to $10,000/day fine |
| C-TPAT (Customs-Trade Partnership) | Secure IT systems for cargo scanners | Loss of trusted trader status |
| GDPR (if scanning personal baggage) | Appropriate technical measures | 4% of global turnover |
| ISA/IEC 62443 (Industrial Security) | No default credentials | Failed certification |

In 2022, a regional airport in the Midwest was cited by the TSA after an inspection revealed the Rapiscan baggage scanner in the checked luggage area still had the factory admin:admin credentials active. The airport was given 30 days to remediate.
Under the Aviation and Transportation Security Act (USA) and EU Regulation 300/2008, failing to change default passwords on security equipment can result in fines or revocation of security clearance.
You do not need to be a master hacker. The information is surprisingly accessible:
Newer Metor models feature an optional web-based management interface (IP-based). The default web login is: