If you are responsible for Rapiscan equipment, perform this audit immediately.
The issue of default passwords in Rapiscan systems—specifically the Rapiscan 622XR X-ray scanner—came to prominence in 2020 following a vulnerability disclosure by security researcher Billy Rios. The discovery highlighted a critical and persistent failure in the "security by obscurity" model: relying on hidden, hardcoded credentials to protect sensitive operational technology (OT). While the vulnerability allowed for significant system manipulation, the vendor’s initial response sparked a wider conversation about the balance between device security and physical safety regulations in critical infrastructure.
Some models ship with "backdoor" accounts that cannot be deleted and whose passwords cannot be changed. For example, the Rapiscan 632DV food inspection scanner (used in agricultural security) had a documented hidden account `debug` with the password `debugmode` that persisted across password changes. Rapiscan released a patch in 2019 to disable it, but many buyers never applied it.
Based on leaked service manuals, reverse engineering reports, and vulnerability disclosures from the past decade, the most frequently cited Rapiscan default passwords fall into several categories:
| Role / Access Level | Common Username | Common Default Password | Notes |
|---------------------|----------------|------------------------|-------|
| Operator (Basic scan review) | `operator` | `ops` or `pass` | Often no password at all on older units. |
| Supervisor (Image storage, threat image projection) | `supervisor` | `super123` or `9999` | Widely documented on 600-series X-ray units. |
| Administrator / Service (Full system control, calibration) | `admin` | `admin` | The most dangerous default. |
| Service Engineer | `service` | `service` or `0000` | Grants access to X-ray power adjustments. |
| Windows Embedded Login | `Administrator` | `rapiscan` or `P@ssw0rd` | Since many units run Windows, the OS password is often weak. |
| Web Interface (older models) | `root` | `root` or `rtt` | For network-enabled management portals. |
| Rapiscan 632DV (specific) | `user` | `user` | Documented in a 2015 ICS-CERT advisory. |
Critical Note: Rapiscan frequently changes defaults across product lines and firmware versions. One of the most infamous default passwords, rumored in security circles but never officially confirmed, was a hardcoded backdoor: the password `rapiscan` with no username. Modern units (post-2018), however, typically force a password change during initial commissioning.
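As an added illustration of the audit this page opens with (example code, not Rapiscan's own tooling or anything from the original article), the following Python script checks an exported account list against the defaults in the table above. Two things are assumptions for the example: the export format `username:sha256hex` (real units store credentials differently), and the default values themselves, which are the page's own unverified list. The script hashes the candidate defaults and compares digests, so it never needs plaintext for accounts that are not on defaults, and it also catches a default from one role being reused on another account.

```python
import hashlib

# Defaults copied from the table above (the page's own, unverified list), keyed
# by lower-cased username. "" models the "no password at all" operator case.
KNOWN_DEFAULTS = {
    "operator": ("", "ops", "pass"),
    "supervisor": ("super123", "9999"),
    "admin": ("admin",),
    "service": ("service", "0000"),
    "administrator": ("rapiscan", "P@ssw0rd"),  # Windows Embedded login
    "root": ("root", "rtt"),
    "user": ("user",),
    "debug": ("debugmode",),                    # 632DV hidden account
}
PRIVILEGED = {"admin", "administrator", "service", "root", "debug"}


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def parse_export(text: str) -> list[tuple[str, str]]:
    """Parse 'username:sha256hex' lines. This format is an assumption made for
    the example; it is not how Rapiscan units store credentials."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        accounts.append((user.strip(), digest.strip().lower()))
    return accounts


def audit_accounts(accounts: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (username, severity, detail) findings in export order."""
    # Map each candidate default's digest back to the (username, password) pairs it came from.
    default_by_hash: dict[str, list[tuple[str, str]]] = {}
    for user, passwords in KNOWN_DEFAULTS.items():
        for pw in passwords:
            default_by_hash.setdefault(sha256_hex(pw), []).append((user, pw))

    findings = []
    for user, digest in accounts:
        name = user.lower()
        if name == "debug":
            # Presence alone is a finding: the account is not supposed to survive the vendor patch.
            findings.append((user, "critical",
                             "hidden debug account still present; verify the vendor patch is applied"))
        matches = default_by_hash.get(digest)
        if not matches:
            continue
        own = [pw for u, pw in matches if u == name]
        if own:
            severity = "critical" if name in PRIVILEGED else "high"
            detail = "blank password" if own[0] == "" else f"factory default password {own[0]!r}"
        else:
            # Digest matches a default belonging to a different role (cross-role reuse).
            other_user, pw = matches[0]
            severity = "high"
            detail = f"password is the factory default of {other_user!r} ({pw!r})"
        findings.append((user, severity, detail))
    return findings


# Constructed sample export for the example; not data from a real unit.
SAMPLE_EXPORT = "\n".join([
    "# constructed sample",
    "admin:" + sha256_hex("admin"),
    "operator:" + sha256_hex(""),
    "supervisor:" + sha256_hex("Lane3-Supervisor-2024!"),
    "service:" + sha256_hex("9999"),
    "Administrator:" + sha256_hex("xK9#long-unique-passphrase"),
])

if __name__ == "__main__":
    for user, severity, detail in audit_accounts(parse_export(SAMPLE_EXPORT)):
        print(f"[{severity.upper()}] {user}: {detail}")
```

Run against the constructed sample, the script flags `admin` (default password), `operator` (blank password) and `service` (reusing the supervisor default `9999`), and stays silent on the two accounts with unique passwords. In practice the candidate list should be extended with whatever the unit's own Installation and Configuration Guide documents for that firmware version.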
Manufacturers install default credentials for two primary reasons:
Rapiscan’s official stance has evolved. In a 2020 security advisory (RSSA-2020-01), the company stated:
"Rapiscan Systems strongly recommends that customers change all default passwords prior to deployment. The company provides password management guidance in Appendix D of each product’s Installation and Configuration Guide. Failure to do so may void certain warranty provisions related to unauthorized access."
However, critics note that Rapiscan still ships some refurbished units with factory defaults and does not enforce a "first-boot password change" wizard—an industry standard for consumer routers, let alone airport security gear.
Enable audit logging. Monitor for:
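As an added example of what such monitoring can look like in practice (example code, not Rapiscan's own and not from the original article), the following Python detector runs over constructed authentication log lines and raises alerts for the indicators a practitioner would typically start with: use of the hidden `debug` account, privileged logins from anywhere other than an approved engineering host or outside an approved service window, and repeated failures from one source against one account. The log line format, the maintenance window and the jump-host address are all assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, time

# Assumed line format for the example (not a Rapiscan log format):
#   <ISO-8601 timestamp> auth <OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

PRIVILEGED = {"admin", "administrator", "service", "root", "debug"}
HIDDEN = {"debug"}                         # the 632DV account mentioned above
MAINT_WINDOW = (time(1, 0), time(4, 0))    # assumed approved service window (local time)
MAINT_HOSTS = {"10.10.5.20"}               # assumed engineering jump host
FAIL_THRESHOLD = 5                         # failures from one (user, src) before alerting


def parse_log(lines):
    """Return (timestamp, success, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result == "OK", user.lower(), src))
    return events


def in_maint_window(ts):
    return MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]


def detect(events):
    """Return (rule, user, src, timestamp) alerts in log order."""
    alerts = []
    failures = Counter()
    for ts, ok, user, src in events:
        if not ok:
            failures[(user, src)] += 1
            if failures[(user, src)] == FAIL_THRESHOLD:   # alert once per burst, not per line
                alerts.append(("repeated_auth_failures", user, src, ts))
            continue
        if user in HIDDEN:
            alerts.append(("hidden_account_login", user, src, ts))
        if user in PRIVILEGED and src not in MAINT_HOSTS:
            alerts.append(("privileged_login_unexpected_source", user, src, ts))
        if user in PRIVILEGED and not in_maint_window(ts):
            alerts.append(("privileged_login_outside_window", user, src, ts))
    return alerts


# Constructed sample log for the example; not data from a real unit.
SAMPLE_LOG = """
2024-03-02T02:15:00 auth OK user=service src=10.10.5.20
2024-03-02T09:41:12 auth OK user=operator src=10.10.7.31
2024-03-02T13:02:45 auth OK user=admin src=10.10.7.88
2024-03-02T13:05:00 auth FAIL user=supervisor src=10.10.7.88
2024-03-02T13:05:04 auth FAIL user=supervisor src=10.10.7.88
2024-03-02T13:05:09 auth FAIL user=supervisor src=10.10.7.88
2024-03-02T13:05:13 auth FAIL user=supervisor src=10.10.7.88
2024-03-02T13:05:18 auth FAIL user=supervisor src=10.10.7.88
2024-03-03T03:10:00 auth OK user=debug src=10.10.5.20
"""

if __name__ == "__main__":
    for rule, user, src, ts in detect(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{ts.isoformat()} {rule}: user={user} src={src}")
```

On the sample, the in-window `service` login from the jump host is left alone, the midday `admin` login from an operator-lane address raises both the source and the window rules, the five supervisor failures raise one alert, and any successful `debug` login is alerted on regardless of source or time, since that account should not exist at all on a patched unit.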
Rapiscan has improved its security posture in recent years. Following an ICS-CERT advisory (ICSA-15-169-01) in 2015 that highlighted multiple hardcoded credentials in their Itemiser DX detection systems, Rapiscan began:
However, hundreds (if not thousands) of legacy units remain in service. Airports and government agencies often run equipment for 10–15 years due to the high cost of replacement. A Rapiscan 518 X-ray unit installed in 2007 is likely still running its original firmware – and its original default password.