Security: Airport: January 2008 Archives


January 31, 2008

In what is probably not the most astute PR move ever, the TSA has decided to start a blog. It's sort of weirdly earnest and self-justifying. For example:

There is no time to talk, to listen, to engage with each other. There isn't much opportunity for our Security Officers to explain the 'why,' of what we ask you to do at the checkpoint, just the 'what' needs to be done to clear security. The result is that the feedback and venting ends up circulating among passengers with no real opportunity for us to learn from you or vice versa. We get feedback verbally and non-verbally at the checkpoint and see a lot in the blogs, again without a real dialogue.

Our ambition is to provide here a forum for a lively, open discussion of TSA issues. While I and senior leadership of TSA will participate in the discussion, we are turning the keyboard over to several hosts who represent what's best about TSA (its people). Our hosts aren't responsible for TSA's policies, nor will they have to defend them -- their job is to engage with you straight-up and take it from there. Our hosts will have access to senior leadership but will have very few editorial constraints. Our postings from the public will be reviewed to remove the destructive but not touch the critical or cranky.

Truth be told, they really haven't censored the comments much, and the comments thread on the first post seems to be split roughly 20/20/60 (this is just a rough estimate, it's not like I actually counted all of them) between:

  • I'm a TSA employee and this is really great.
  • Could you please explain the following baffling TSA security practice?
  • I fly a lot and the TSA sucks, as do their policies.

Unsurprisingly, I don't see a lot of real engagement with the points being raised by commenters. It's mostly the same sort of vague defensiveness you see in the TSA's more formal communications with the public. For instance, this post wants to be a justification of the shoe policy:

It's not all about Richard Reid when it comes to the screening of shoes. Post all of your thoughts about shoes in this blog post. To learn more about how the shoe fits in with the TSA, check out our web page on "why we screen shoes". Then come back here and let's talk.

The article this is referring to is here and transitively these "recently declassified" (nothing like that to give the air of authenticity) photos of x-rays of shoes with explosives in them:

Wow, that's totally convincing, except for the fact that (1) you can get hard (machinable) explosives which you could form into the whole sole of the shoe, pretty much making this sort of contrast technique useless and (2) there are lots of ways to conceal the explosive (non-magnetic, remember) parts of a bomb on your body [*].

People of course point this out in the comments section, but the TSA people don't respond, so the whole exercise is kind of pointless. Do they really expect this to make anyone have a more positive opinion of TSA?


January 5, 2008

Check out this Wired article and the FAA Report on which it is based about how the Boeing 787 control network is connected to the in-cabin entertainment network, which is probably not the design your average security guy would have chosen:

These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards.

The FAA imposes the following requirement:

The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.

Obviously, this specifies a goal rather than a design, but it's pretty hard to see how this goal could be met without at minimum an airgap between the ACD/AID and the PIED. I'm unaware of any networking technology which allows you to connect two networking domains together and can also guarantee that computers in the untrusted domain can't negatively impact computers in the trusted domain. The classic solution that falls short of an airgap is of course a firewall, but then you have to worry about vulnerabilities in the firewall itself, so this certainly doesn't prevent all attacks.

The more interesting question is whether an airgap is enough. An airgap provides good protection against logical attacks from the PIED network, but not against physical ones. Even if the ACD/AID cables are physically separate from the PIED cables, do they run through areas which are potentially accessible from the passenger cabin (especially the lavs!)? Do they use cryptography so that an attacker who accessed them couldn't directly talk to the ACD/AID network? Note that this isn't perfect protection, but it could substantially lower the attack surface.

Two other things worth noting here:

  • The Air Line Pilots Association (ALPA) comments suggest that: "a backup means must also be provided for the flightcrew to disable passengers' ability to connect to these specific systems." This is enough to protect against some attacks (e.g., traffic flooding) but obviously doesn't help against subversion of the flight control systems, since it's not clear that once they have been subverted any plausible in-flight mechanism will allow you to regain control.
  • Airbus also provided several comments which seem mostly oriented towards covering their own future designs. For instance:
    AIRBUS Comment (b): Airbus stated that in the sentence "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts * * *", the wording "shall prevent ALL" can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains. This would mean, for example, no shared resources like SATCOM (satellite communications), and no network connections. Airbus maintained that such a solution is not technically and operationally viable, saying that a minimum of communications is always necessary. Airbus preferred a less categorical requirement which allows more flexibility and does not prevent possible residual vulnerabilities if they are assessed as acceptable from a safety point of view. Airbus said this security assessment could be based on a security risk analysis process during the design, validation, and verification of the systems architecture that assesses risks as either acceptable or requiring mitigations even through operational procedures if necessary. Airbus noted that this process, based on similarities with the SAE ARP 4754 safety process, is already proposed by the European Organization for Civil Aviation Equipment (EUROCAE) Working Group 72 for consideration of safety risks posed by security threats or by the FAA through the document "National Airspace System Communication System Safety Hazard Analysis and Security Threat Analysis," version v1.0, dated Feb. 21, 2006. Airbus said such a security risk analysis process could be used as an acceptable means of compliance addressed by an advisory circular.
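To make the airgap-versus-firewall point above and Airbus's "no shared resources like SATCOM" objection concrete, here is an added reachability check over the three FAA domains (this is my own illustration, not anything from the FAA report, Boeing, or Airbus). The topologies are constructed; any box that forwards traffic between domains, a firewall included, is modeled as a link, so the check answers only the topology-level question of whether a logical path from the PIED to the ACD/AID exists at all.

```python
from collections import deque

# Domain names taken from the FAA special conditions; the topologies below are constructed.
ACD = "Aircraft Control Domain"
AID = "Airline Information Domain"
PIED = "Passenger Information and Entertainment Domain"
TRUSTED = {ACD, AID}

def reachable_from(links, start):
    """Breadth-first search: every node reachable from start over directed links."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def pied_paths_to_trusted(links):
    """Trusted domains that traffic originating anywhere in the PIED can reach.
    An empty set is the only result consistent with 'prevent all ... from all
    points within the PIED' at the topology level (physical access is out of scope)."""
    return reachable_from(links, PIED) & TRUSTED

# Topology 1: a SATCOM uplink shared between passenger and airline domains (Airbus's example).
shared_satcom = {
    PIED: {"SATCOM"},
    "SATCOM": {PIED, AID},
    AID: {"SATCOM", ACD},
    ACD: {AID},
}

# Topology 2: a firewall between PIED and AID. It is still a forwarding path, so the
# requirement cannot be shown to hold by topology alone; it now rests on the firewall.
firewalled = {
    PIED: {"firewall"},
    "firewall": {PIED, AID},
    AID: {"firewall", ACD},
    ACD: {AID},
}

# Topology 3: physical segregation. The PIED gets its own uplink; nothing it touches
# is shared with the control or airline domains.
airgapped = {
    PIED: {"SATCOM-passenger"},
    "SATCOM-passenger": {PIED},
    AID: {ACD, "SATCOM-crew"},
    "SATCOM-crew": {AID},
    ACD: {AID},
}

if __name__ == "__main__":
    for name, topo in [("shared SATCOM", shared_satcom), ("firewalled", firewalled), ("airgapped", airgapped)]:
        print(f"{name}: PIED reaches {sorted(pied_paths_to_trusted(topo)) or 'no trusted domain'}")
```

The first two topologies both report a path to the ACD, which is exactly why a firewall only moves the question to "is the firewall itself subvertible" rather than answering it.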

I don't know that much about how this kind of in-flight network is usually designed or how much security analysis usually goes into it, but to the extent to which we're concerned about passenger subversion of flight control systems, this seems like an unusually hostile threat environment. In particular, if the plane is completely fly by wire, does that mean that someone who controlled the computers could potentially fly the plane where (or into) anything they wanted? What features are provided for regaining manual control in the case of such subversion?