Threat modelling airplane explosive detection

In response to a British airplane terrorism plot which reputedly involved liquid explosives, the TSA has adopted some new screening procedures:
NO LIQUIDS OR GELS OF ANY KIND WILL BE PERMITTED IN CARRY-ON BAGGAGE. ITEMS MUST BE IN CHECKED BAGGAGE. This includes all beverages, shampoo, suntan lotion, creams, tooth paste, hair gel, and other items of similar consistency.

Note that you're allowed to bring this stuff in your checked luggage, just not in your carry-on. Does this make any sense? As usual, we need to consider the threat model.

There are (at least) two reasons why checked luggage might be different from carry-on. The first is that there's a difference in terms of the level of possible screening. Checked luggage is in the possession of the airline for quite some time and so could in theory be subjected to more substantial analysis (e.g., neutron activation explosive scanning) than is routinely done for carry-on baggage (which is merely x-rayed). A related issue is that anything on your person just gets carried through the magnetometer, not x-rayed. Sometimes you get subjected to some kind of trace analysis, which basically doesn't work.

The second reason is that you have access to your carry-on while you're on the aircraft. Since setting off any bomb on an airplane in flight pretty much means you're going to die, this eliminates the inconvenience of having to have any kind of automatic detonation system. You just need something you can set off manually, which tends to be a bit easier to hide, especially on x-ray. That said, I've been thinking a bit about how to do undetectable automatic detonators and I don't think it's that hard.

Of course, all this assumes that you can (1) produce an accurate inventory of the kinds of items that need to go through extra screening or be checked, (2) stop people from bringing them on their person through the magnetometer, and (3) actually detect explosives in checked luggage. I'm pretty skeptical that all these obtain, especially (1) and (2). In particular, as Perry Metzger has pointed out, it's fairly easy to make explosives look like commercial materials.

None of this is to say that this sort of restriction isn't useful as a temporary measure. If you know that some criminal drives a white car, you look for people in white cars, even though you know that eventually he'll switch to another color. However, it does mean that the restrictions should probably be temporary and that once the terrorists have had time to adapt their tactics the cost/benefit tradeoff will probably reverse.

20 Comments

One other part of the threat model:

There are reportedly recipes for separate oxidizer/explosive recipes. In such a case, liquid can be mixed to create a final (perhaps VERY delicate) explosive on demand.

But it really does seem to be a short term response.

At least Richard Reid didn't strap C4 to his crotch, I'd hate to see what that would have done to the airport lines.

"A related issue is that anything on your person just gets carried through the magnetometer, not x-rayed."

-- well, not quite true; typically (in the UK anyway) they ask you to take anything metallic off and put it in a bucket to go through the X-ray. If the magnetometer goes off then you get frisked and the bloke examines whatever is found. But of course the sorts of things that bombers were supposed to be using in this case wouldn't necessarily have been metallic anyway, so this doesn't matter from that point of view.

To Nicholas: Yeah, there's bound to be a pants bomber sooner or later. That'll be so much fun. The government does a great job of doing the terrorist's work for them, and spreading irrational fear.

Nice analysis, but there are actually several other differences between carry on and checked luggage.

* Checked luggage is depressurised, so materials which rely on the presence of air (e.g. an FAE, or some incendiaries) are less likely to work;

* Checked luggage is depressurised, so a small explosion which causes a partial breach of the fuselage is less likely to result in catastrophic failure;

* If detected in time, fires in the luggage hold can be extinguished by flooding with fire suppressing gas. Fires in the passenger compartment are very difficult to control and have been the cause of many serious air accidents;

* Checked luggage is not heated, so materials which need to be at room temperature (e.g. some liquid explosives) are less likely to work;

* Checked luggage has no immediate access to passengers, so poisons will kill only one or two baggage handlers instead of hundreds of people;

* There are a couple of others I can't mention.

I also think you underestimate the simplifications available through having access to the materials. For example, imagine a binary explosive composed of two materials which are difficult to detect as being an explosive, but within seconds of mixing become so sensitive they can be detonated with a mild shock--thus eliminating the need for an actual detonator, something AQ has attempted to do several times. The terrorist wants to detonate this at an optimal point on the flight, regardless of take-off delays, variations to flight profile, etc; and to coordinate the detonation with several other terrorists. It is possible to imagine an automatic apparatus to do all this but it would require a good deal of engineering skill, and would be very difficult to slip past an x-ray screener. However doing it manually makes the entire process trivial, and the terrorist, once informed of what materials to obtain, requires no particular skills.


Having said all that, I think the real issue here is that we are dealing with a specific attack plan, not a hypothetical one. The authorities have rounded up most of the gang but apparently fear that one may have slipped through the net. This guy may well try to immediately carry out his attack before he gets caught but he is unlikely to have the time or ability to completely redesign his bomb.

Checked luggage is NOT depressurized. It is simply not air conditioned the same way that the rest of the cabin is, hence why it generally feels colder at the end of a long flight.

Roger's assessment is a good one. From all reports, it looks like this was a binary attack in which parties would combine ingredients and then ignite the mix using an iPod or equivalent mechanism. ABC is reporting:

"...The suspected terror plotters arrested in Britain had planned to conceal their liquid or gel explosives inside a modified sports beverage drink container and trigger the device with the flash from a disposable camera.

ABC News has learned exclusively that the plotters planned to leave the top of the bottle sealed and filled with the original beverage but add a false bottom, filled with a liquid or gel explosive. The terrorists planned to dye the explosive mixture red to match the sports drink sealed in the top half of the container.

This, they thought, would ensure that they would be able to pass through security -- even if they were asked to unseal and drink the beverage.

The flash in a disposable camera has enough electrical power, they apparently believed, to set off the homemade explosive.

There are any number of homemade or modified commercial liquids that would have made effective explosives, with enough energy to damage or destroy a plane..."

Well this is certainly going to kill the sales of duty free.

Drug traffickers have long been known to smuggle drugs in their back orifice so a couple of co-conspirators can easily bring the materials even if they are to board the plane naked - tackling this would produce even more surreal scenes than the pants bomber Nicholas imagined. Taking it further, the women among us can become a single-person binary bomb (due to extra orifice) and this is even without considering extra 'patents' for making a special construction with a pull string that someone would just pull out of the orifice to create the explosion. Luckily this can be solved with a mere PET scan or an ultrasound...

Bottom line is, in my opinion, that stopping threats on this side of the equation is not effective and, by itself, imposes the penalties on the people and societies we wish to protect. The solution lies elsewhere.

Why bother trying to get on board an aircraft? The departure lounges are full of people at this time.
A coordinated multiple target detonation would have the desired impact for the terrorists.

Roger said:

For example, imagine a binary explosive composed of two materials which are difficult to detect as being an explosive, but within seconds of mixing become so sensitive they can be detonated with a mild shock--thus eliminating the need for an actual detonator, something AQ has attempted to do several times.

I don't remember reading anything about this. Have you any references?

Don't you think you're missing the point a little here? I believe the British authorities have already established that the intended method of attack was that they would carry on the device.

These things are planned in advance, and any change to this plan to stash the material in checked luggage would require a complete rework of their plan.

I also suspect some of these characters aren't the "sharpest knives in the drawer" and would require re-training if the plan were changed.

The directive vis a vis hand luggage is directly aimed at the immediate planned attack and as such WILL deter them.

As for "imposing penalties" as Drorh was suggesting..... Well I'd rather have my life and have to check in all of my travel items, than have total freedom and die!

Isn't that the kind of "chop logic" that leads these chaps to their course of action in the first place..... i.e. they value freedom, religion or whatever it is that they're fighting for more than life itself!

For me my life is more important than any principle or personal affront. You fight these things to make your life better, not die for them!

I think not; at least, not specifically. Going back to Drorh's comment:
"Bottom line is, in my opinion, that stopping threats on this side of the equation is not effective and, by itself, imposes the penalties on the people and societies we wish to protect. The solution lies elsewhere."

Yes, in the immediate context, the new carry-on restrictions might effectively deter this particular coordinated attack effort. (Of course, we'll never know what it actually prevented in terms of hostility...)

However, history teaches that there is no security measure ever devised for which circumvention was not eventually achieved. Moreover, Americans in particular are historically not long-suffering of any kind of oppression or control, and have been (and I believe remain) committed to principle over life itself. "Live Free or Die" is how I remember it worded, in stark contrast to Andrew's closing sentence.

The essence of "American Spirit" is often characterized by our spirit of open-transit, and the Supreme Court has maintained that transportation in America should remain as unencumbered as possible.

Those are values I still cling to, and I choose to not give in to terror. Until my risk of death by air-travel becomes even remotely close to my risk of death by automobile [especially if I'm driving] or even lightning strike, I'll welcome my Powerbook inflight, thank you very much.

I would rather see the long-term effort in this matter focus on continued research and information dissemination, and practical instruction and preparedness for citizens, instead of increasing the internal erosion of liberty.

So, I managed to get on a plane this morning while "accidentally" carrying a potent solution of 100% dihydrogen monoxide in a Nalgene bottle.

So, the screening seemed to be pretty much useless. I had first emptied out the bottle for purposes of going through the X-ray machine, just in case they were anal about it--although I've heard that X-ray machines can't "see" liquid anyway, so perhaps this doesn't matter. The empty bottle passed through with no complaints. Nobody seemed to be getting hand-searched either.

Okay, so now what?

Next, the TSA has these great signs posted directly at the gates (and at all of the food establishments) which state that all beverages need to be discarded before boarding the aircraft... even your fancy venti blended-no-foam crapuchino, but there did not appear to be any secondary screening. People still board planes as usual, which means that you wave a piece of paper at the scanner and it lets you onboard.

So, I carefully refueled my dihydrogen monoxide at the fueling station in the airport, and I was merrily able to go on my way.

If the X-ray can't really detect liquid, then this is presumably a big problem. (If it can, then I guess this is no different than the "someone smuggled a knife into the magazine store and then I picked it up" threat model.)

PS: http://www.dhmo.org/

I have a license to manufacture high explosives and make over 1000 pounds a year for recreational purposes. Current technology isn't up to the task of detecting at least some simple improvised explosives.

I'm fairly certain it is relatively easy to use the materials found in most everyone's kitchen to make a low grade explosion of sufficient size to take down an airplane. Just think of the false positive rate if you are looking for residues that show up if someone has been in a kitchen recently.

Lots of liquids and gels show up on X-ray. Your friendly radiologist has you drink a suspension of barium sulfate so your digestive tract will show up on the X-ray.

Knives are trivial to get past security and handguns are only slightly more difficult. It's time to investigate other security measures for air travel.

Joe, I was just thinking how it would be nice if somebody with the proper facilities, training and licenses could actually *conduct the experiment* and see if the hypothesized "binary bomb" (actually trinary, acetone + hydrogen peroxide + sulfuric acid) would really work as claimed.

Like everyone else in the world who follows the news with even a modicum of technical curiosity, I've now read the published synthesis steps for acetone peroxide. They speak at length of the need for careful cooling and extreme patience, but only because they assume you want to make the stuff for later use, not cause an immediate explosion. So even knowledgeable chemists can only speculate about whether mixing the stuff quickly would have caused a quick and large explosion.

But why speculate if you can find out the actual answer? Follow the scientific method. If it turns out that this scheme would simply not have worked, the world really needs to know...

I understand the issue wrt binary explosives.

I observe that over 50% of my laptop case's contents are taken up with batteries, which not only are rather well sealed, but actually look rather opaque on x-ray machines. I further note that my laptop already has all of the required features needed to be a remote-controlled detonator and/or place/altitude:

a) wake-on-lan. Some of them do this on Bluetooth and 802.11 too.
b) trivial to insert cardbus GPS receiver (will it receive inside hold? I don't know)
c) wake-up timer.
d) batteries.
e) a very complicated control system (aka CPU)

My laptop will operate with as few as three cells in the battery, leaving me the space of 6 cells.
Yeah, that's hard to engineer something in that space. Yeah, it's not as effective in the hold.

Maybe they should ban all batteries, and provide everyone with DC outlets. (And room to use them!)

I have flown El-Al a number of times in the 1970s and 1980s, as a kid. They never left on time. Sometimes, the flights were *HOURS* late leaving Mirabel. I later learnt that they did this on purpose to make sure time-based bombs went off at the "wrong time".

Tom said:

I don't remember reading anything about this. Have you any references?

Plenty. Google for Operation Bojinka. The Richard Reid shoe bomb was also designed to be ignited with a match instead of requiring a detonator.

Generally, commercial and military explosives are broken down into primary (very sensitive, can be detonated with a spark) and secondary (require a powerful blow to detonate). This is for safety:


  • you have only a tiny amount of primary, so if it goes off accidentally it just mangles your hand instead of killing everyone in the room; and
  • the secondary can cause immense damage but is relatively safe to handle.

Terrorists however have been increasingly using materials like TATP, which are of intermediate sensitivity. They can then be initiated without the inconvenience of a proper detonator. This is at the cost of occasionally detonating early and killing the bombers, but they are apparently prepared to accept that risk (or else the chemists don't explain it to the bomb mules).

Phil, I have no interest in dealing with TATP even in the interest of science and/or airplane security. It's called "Mother of satan" for a reason.

If I were interested in blowing up a plane I'd approach the problem entirely differently. But since I'm not interested in blowing up a plane I don't really see the point in developing that technology to the point I know it would work. Essentially everyone already knows existing airplane security is a joke so what's the point of further demonstrating it?

All you people have NO IDEA what screening goes on. At my airport, we get alarms on people's shoes who use nitroglycerine heart meds. If you try to smuggle a knife, you lose it, if it's big enough, you go to jail. Forget a fucking gun. If you want to have organs removed and TATP put in your body to detonate, sure, you might get thru the mag, unless you detonate in the cab.

It is indeed a crazy situation that x-ray scanners at passenger security search check-points (SSCPs) do not have the capability to detect explosives detonators, this despite the technology being low cost and evident; there is even an FAA requirement published back in 1998.

Hopefully, someone in Government will wake up to this vulnerability before a Sympathetic IED walks aboard some poor bar stewards aircraft...

It is now entirely possible to up-grade existing x-ray screening machines at SSCPs through the low cost migration from the laboratory of a proven British invention to provide a layer of technology that would achieve element specific X-Ray detection of at least the commonly available lead azide explosives detonators. (see attached Materials World, Feb 2005 or Institute of Explosive Engineers Journal, June 2005).
