Of Cockpits And Phone Encryption: Tradeoffs And Probabilities
from the think-this-through dept
However, Ross notes, there are scenarios in which those in the cockpit need to leave the cockpit (usually to use the bathroom), and therein lies an interesting security challenge for those designing the security of the planes. How do you let that pilot (or another crew member) back in, but not a bad guy? Here's the solution that airlines have come up with, as described by Ross (or you can read the NY Times version, which is a little drier):
- When the pooping pilot wants to reenter the cockpit, he calls the flying pilot on the intercom to buzz him in.
- If there’s no answer, the outside pilot enters an emergency keycode. If the flying pilot doesn’t deny the request within 30 seconds, the door unlocks.
- The flying pilot can flip a switch to disable the emergency keypad for 5 to 20 minutes (repeatedly).
Like Asimov’s three laws, these checks and balances try to approximate safety while accounting for contingencies. If the flying pilot risked Delta’s gefilte fish and passed out, you want to make sure the other pilot can still re-enter. But add all the delays and overrides and backstops you want; you still have to make a fundamental decision. Who controls entry: the people on the inside, or the people on the outside?
Governments decided that allowing crew members to fully override the flying pilot using a key code would be insecure, since it would be too easy for that code to leak. Thus, there is nothing the outside pilot can do — whether electronically or violently — to open the door if the flying pilot is both conscious and malicious.
And as Ross notes, this is a pretty reasonable tradeoff in nearly all circumstances. It's quite difficult for someone bad to get in, and yet those in the cockpit can mostly be okay with leaving and getting back in even if a pilot remaining in the cockpit suddenly drops dead. But, there is still one scenario in which that security gets totally messed up -- and it's with Germanwings Flight 9525 almost a year ago, in which a mentally ill co-pilot locked the captain out of the cockpit and then deliberately crashed the plane into a mountain.
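The entry rules quoted above can be written down as a small state machine. What follows is an added example, not code from this post or from Blake Ross: it encodes the three rules with the quoted timings (a 30-second grace period and a 5-to-20-minute keypad lockout) and runs the two scenarios the post cares about, an unresponsive flying pilot and a hostile one. The event names, the tick-based clock and the scenario functions are my own assumptions.

```python
"""Model of the quoted cockpit-door entry rules (added example, not from the
Techdirt post or Blake Ross).  The 30-second grace period and the 5-20 minute
lockout come from the quoted rules; everything else here is a construction."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CockpitDoor:
    """The flying pilot (inside) always holds the final say over entry."""
    locked: bool = True
    keypad_disabled_until: float = 0.0          # clock time; 0 means keypad live
    pending_request_at: Optional[float] = None  # when the emergency code was keyed
    log: List[str] = field(default_factory=list)

    GRACE_SECONDS = 30          # "doesn't deny the request within 30 seconds"
    LOCKOUT_MINUTES = (5, 20)   # "disable the emergency keypad for 5 to 20 minutes"

    # ---- actions only the flying pilot (inside) can take ----
    def buzz_in(self, now: float) -> None:
        self.locked = False
        self.pending_request_at = None
        self.log.append(f"{now:6.0f}s inside: buzzed door open")

    def deny(self, now: float) -> None:
        self.pending_request_at = None          # cancels the 30-second countdown
        self.log.append(f"{now:6.0f}s inside: denied keypad request")

    def disable_keypad(self, now: float, minutes: int) -> None:
        lo, hi = self.LOCKOUT_MINUTES
        minutes = max(lo, min(hi, minutes))     # the switch only offers 5..20
        self.keypad_disabled_until = now + minutes * 60
        self.pending_request_at = None
        self.log.append(f"{now:6.0f}s inside: keypad disabled for {minutes} min")

    # ---- the only action available from outside ----
    def enter_emergency_code(self, now: float) -> bool:
        if now < self.keypad_disabled_until:
            self.log.append(f"{now:6.0f}s outside: keypad disabled, code ignored")
            return False
        self.pending_request_at = now
        self.log.append(f"{now:6.0f}s outside: emergency code entered")
        return True

    # ---- passage of time ----
    def tick(self, now: float) -> None:
        """Unlock only if a request has stood undenied for the grace period."""
        if (self.pending_request_at is not None
                and now - self.pending_request_at >= self.GRACE_SECONDS):
            self.locked = False
            self.pending_request_at = None
            self.log.append(f"{now:6.0f}s door: no denial within 30s, unlocked")


def incapacitated_pilot_scenario() -> bool:
    """Inside pilot unresponsive: the outside pilot is back in after 30 seconds."""
    door = CockpitDoor()
    door.enter_emergency_code(now=0)
    door.tick(now=29)
    still_locked_at_29s = door.locked
    door.tick(now=30)
    return still_locked_at_29s and not door.locked


def malicious_pilot_scenario() -> bool:
    """Inside pilot conscious and hostile: nothing from outside forces the door."""
    door = CockpitDoor()
    door.enter_emergency_code(now=0)
    door.deny(now=10)
    door.tick(now=60)                       # the denial cancelled the countdown
    denial_holds = door.locked
    door.disable_keypad(now=61, minutes=20) # lockout until t = 1261
    for t in range(62, 1262, 30):           # keep trying; every code is ignored
        door.enter_emergency_code(now=t)
        door.tick(now=t + 29)
    lockout_holds = door.locked
    # lockout expired at 1261: one code gets through, and the switch is flipped again
    door.enter_emergency_code(now=1262)
    door.disable_keypad(now=1263, minutes=5)
    door.tick(now=1300)
    return denial_holds and lockout_holds and door.locked


if __name__ == "__main__":
    for scenario in (incapacitated_pilot_scenario, malicious_pilot_scenario):
        print(scenario.__name__, "->", scenario())
```

The two scenario functions make the asymmetry the quote ends on explicit: `deny` and `disable_keypad` are the only transitions that cancel a pending request, so the outside crew member gets in only when the inside is silent, never over the inside's objection.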
As Time Magazine noted, this is the tricky part of security systems: "sometimes it’s important to keep people out; sometimes it’s important to get inside."
And, of course, there's a little of that in the Apple v. FBI fight. The FBI is arguing that it's important to let people in, because a husband and wife killed 14 people and wounded more. But lots of other people are pointing out that there are much bigger security benefits in keeping people out. And that's why this is really a debate about "security v. security" rather than "security v. privacy."
Strong encryption on devices is like that locked cockpit door. Under most scenarios, it keeps people much safer. It's a useful and powerful security feature. But, yes, in some cases -- such as that of the suicidal Germanwings co-pilot -- it is less secure. And, there do seem to be ways to mitigate that kind of risk without harming the wider security (many airlines now require that even if someone leaves the cockpit, a second crew member must be present in the cockpit). But, in the end, we look at the likelihood and probability of the need for such security solutions. And it's not hard to realize that, in the grand scheme of things, locking people out protects many, many, many more people from the rare instances of suicidal co-pilots (and/or quasi-terrorist attacks).
And that's the real issue here. Strong encryption on our devices is much more likely to protect many more people than the absence of such encryption would. Nearly all of us are likely to be safer because of strong encryption. But, that might not include everyone. Yes, there will be some instances -- though likely few and far between -- where such encryption allows someone to secretly plan and (potentially) get away with some sort of heinous act. And it will be reasonable and expected that people will whine and complain about how the security feature got in the way of stopping that attack. But the likelihood of that is much, much smaller than the very real possibility of attacks on weak phones affecting many of us.
Or, as Ross concludes (in a way that makes even more sense if you read the whole piece...):
Unfortunately it’s not that complicated, which means it’s not that simple. Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin? Either choice has problems, but — I’m sorry, Aunt Congress — you crash if you pick 2.
But when you have people like the technically ignorant San Bernardino District Attorney Michael Ramos insisting that he needs to be able to get into that iPhone, just recognize that he's arguing that we should unlock cockpit doors just in case there's a suicidal co-pilot in there, without recognizing how frequently such unlocked cockpit doors will be used by others who wish to do even more harm.
Filed Under: backdoors, blake ross, cockpits, congress, doj, encryption, fbi, security, tradeoffs
Companies: apple, germanwings
Reader Comments
Re:
Oh dear - I'd better make up for that one!
It's a bit like the seat belt argument. Most of the time it is safer to wear a seat belt - however - very occasionally the seat belt is a liability - for example when there is a fire and you can't get out!
You still don't get it!
So all this crap about "balancing", "trade-offs", etc. is a waste of time -- much like how many angels can fit on the head of a pin.
The only question that remains is: are govt's going to deny their own citizens the right to defend themselves against criminals (and bad govt's) using strong encryption?
Are democratic govt's going to be able to force corps like Apple to become unwilling SS officers, as fascist states have done?
Re: You still don't get it!
Let's say you want to buy something on Amazon.com. This involves various web pages, and the whole transaction can involve a fair amount of data, several MB at least. To keep it private, you'd need several MB of OTP key data from Amazon. But how did you get it? (Remember, Amazon can't send it to you over the Internet without you already having an OTP key of equal length to the key being sent, which must be discarded once it's used!) Maybe you could order one and they could ship it to you, but then it's not secure anymore, since the existence of a chain of couriers opens your key up to a literal man-in-the-middle attack.
Spies dealt with this by preparing their pads ahead of time, or having a highly trusted diplomatic courier deliver them. This isn't a solution that will work for John Q. Citizen.
And anyway, how in the world do you get from that to paranoid libertarian ranting about government being inherently evil blah blah blah?
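As an added illustration of the two constraints the comment above relies on (this is my own example, not code from the thread; the two messages and the pad are constructed values), the following encrypts with a pad exactly as long as the message and then shows why a pad can never be reused: XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts, which is why the key that Amazon would have to ship you is as big as everything you want to send and is spent after one use.

```python
"""One-time pad: key as long as the message, used exactly once.
Added example for the comment above; messages and pad are constructed."""
import secrets


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """XOR each message byte with the matching key byte; refuses a short key."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


otp_decrypt = otp_encrypt   # XOR is its own inverse


def generate_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG: the thing that has to travel out of band."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Same pad on two messages: c1 XOR c2 == m1 XOR m2, the pad drops out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> dict:
    m1 = b"ship 3 crates to dock 7"     # constructed sample plaintexts
    m2 = b"ship 9 crates to dock 2"
    pad = generate_pad(len(m1))         # one pad, exactly message-sized
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)           # the mistake: the pad is reused
    xor = two_time_pad_leak(c1, c2)
    return {
        "roundtrip": otp_decrypt(c1, pad) == m1,
        "pad_len_equals_msg_len": len(pad) == len(m1),
        # the leaked value is independent of the pad, so it is fully predictable
        "reuse_reveals_m1_xor_m2": xor == bytes(a ^ b for a, b in zip(m1, m2)),
        # nonzero bytes mark exactly where the two messages differ
        "positions_where_messages_differ": [i for i, b in enumerate(xor) if b],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `positions_where_messages_differ` entry is the practical consequence: with a reused pad an observer learns where two messages differ without ever touching the key, which is why the pad has to be discarded after one use and why the key material needed grows with every byte sent.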
Re: Re: You still don't get it!
So all of this Apple ranting is *solely* for the purpose of inexpensive mass surveillance of non-terrorists.
Govt's want to be able to monitor the thoughts of their own citizens, because politicians fear being kicked out of office more than they fear outside threats.
Re: Re: Re: You still don't get it!
Luckily, nobody has access to perfect OTP key-exchange, so we're still safe!
Re: Perfectly strong (OTP) encryption already exists
Backdoors
Objection....
Never.
It was never about finding accomplices.
It was never about covering up the fact that they f*****ed up by the numbers.
Apple v. FBI is, was, and evermore shall be about appearing to be doing something worthwhile.
Nothing more.
Nothing less.
Re: Objection....
Wrong. I've got a lot of respect for Bruce Schneier, but he's completely wrong on this point.
Sure, reinforcing the doors helps a little, but really the thing that stopped another 9/11-style plane hijacking is that the 9/11 hijacking was a trick that could only ever work once anyway.
Back in the day, conventional wisdom used to be, "cooperate with the hijackers and no one will get hurt," because that was the way it always happened. Hijackers wanted money and/or political concessions, and there was no good reason to needlessly endanger the lives of the people on board by resisting them. But 9/11 changed that forever. The terrorists exploited that, but in doing so, they broke it.
Now that people understand that planes can be used as giant bombs by suicide bombers, who's going to go along with the next attempt? And if you've got over 100 people on the plane actively resisting, literally fighting for their lives because they sincerely believe that they will die anyway if they don't stop the hijacker, how is anyone going to ever be able to hijack another plane?
Re:
That is certainly true. But with an insecure cockpit door, it might be possible to get into the cockpit and do something awful before the passengers figure it out and stop it. With a secure door, the hijacker can't get into the cockpit whether the passengers are rioting or sitting quietly. So it seems to me the door is the more important security feature.
Re:
>Back in the day, conventional wisdom used to be, "cooperate with the hijackers and no one will get hurt," because that was the way it always happened. Hijackers wanted money and/or political concessions, and there was no good reason to needlessly endanger the lives of the people on board by resisting them. But 9/11 changed that forever. The terrorists exploited that, but in doing so, they broke it.
>Now that people understand that planes can be used as giant bombs by suicide bombers, who's going to go along with the next attempt? And if you've got over 100 people on the plane actively resisting, literally fighting for their lives because they sincerely believe that they will die anyway if they don't stop the hijacker, how is anyone going to ever be able to hijack another plane?
Yes and no. El Al has never had a successful hijacking, despite being the most tempting target... because they locked the doors and used sky marshals from day one. That is part of it.
However, you are right. The trick the hijackers exploited stopped working almost immediately - in fact, before the 4th plane could reach Washington.
But the Israelis recognized the fundamental basis of the equation that governs both aspects, that the USA has claimed but not usually followed through with - "no negotiations with terrorists". The locked door minimizes leverage, and the attempt to physically slaughter a planeload of passengers to get leverage will result in a revolt that will likely leave the hijackers overwhelmed; and then either dead or arrested with no accomplishments. (Or sucked out the side of the plane...)
Problem Solved?
Re: Problem Solved?
What if the government wants in the cockpit?
Re: What if the government wants in the cockpit?
Re: Re: What if the government wants in the cockpit?
When a card opens a door, s/he who has the card can get through the door. You now have the problem of preventing violent physical theft of the card.
Re: Re: What if the government wants in the cockpit?
I don't think that would be a major concern. They can just land the plane, get the passengers off, and then bring in a power saw and cut through the door. The plane will be out of service until the door is replaced, but nobody gets hurt.
good analogy
This isn't a new thing either- Garmin patented it in the late 90's and the first production models were being installed in early-mid 2001...
-former pilot.
Re: good analogy
Re: good analogy
I can see it mattering if you are on autopilot, because in autopilot you've said "navigate to point X (or waypoints X, Y, Z, etc.) as provided by the SatNav". So if you change the SatNav remotely to change where point X is, I can see the autopilot taking you to a place you weren't expecting.
But if you turn off the autopilot and use another navigation method to determine what course to manually steer the plane in (either a portable SatNav, or visual navigation using a map, ruler, compass, visual waypoints, or just "hey, I see a mountain over there, I'll just fly into it"), then does it matter if they override the SatNav?
Re:Re: good analogy
...maybe "they" did. A better question might be who "they" are. maybe, maybe, maybe...
I don't care to speculate on such things. Whether or not it was a factor, being aware of potentials is important.
Remote override is a feature that never should have happened in the first place. Just like baseband architecture in cellphones, or intel vpro, or ME, or amd amt, TPM, uefi, secureboot...I could go on...
These models rely on a single point of failure, and a single point of trust, while ancillary features are often focused on which betray the understanding of foundation aspects each system.
i.e.: this door and switch system is ancillary to the nav's ability to revoke local authority of the aircraft.
i.e.: OS security, encryption...etc. is ancillary to processor subsystems which are not under the control of the former, but have access to the same resources. Search: hardware backdoors- this isn't tin hat stuff anymore.
Re: Re:Re: good analogy
...maybe "they" did. A better question might be who "they" are. maybe, maybe, maybe...
I don't care to speculate on such things.
Apparently you do.
So That Explains ...
Not just that
What really stopped another 9/11 is the passengers realizing that hijackings were no longer unscheduled Cuban vacations. The threat ended in a field in Pennsylvania. (see, e.g., the shoe bomber, the underwear bomber, etc.)
Re: What really stopped another 9/11
Re: Re: What really stopped another 9/11
Of course. But, then again, security isn't the purpose. The real purpose is to teach the general public to be compliant to authority. That's why those of the class who can afford to fly charter or private are exempt.
"Spend the rest of your money on intelligence, investigations, and emergency response."
Yeah, if security was your *real* concern (which, again, it isn't).
Re: Re: Re: What really stopped another 9/11
Re: Re: Re: Re: What really stopped another 9/11
I know you're joking but that got me wondering if anyone has researched how much airport security is costing the US.
http://www.bloomberg.com/news/articles/2012-11-18/airport-security-is-killing-us
Very few people have a concept of numbers as high as 14. To them the death of 14 in San Bernardino is infinitely more horrible than 14 murders on the streets of any city.
Yet we expect these same people to deal with risks that are on the order of one in a billion or one in a trillion. As a scientist who used to work with incredibly large and small numbers, I can not truly grasp a billion. I will still count pennies by twos and threes like almost everybody else.
What they need to do is to design new planes where the passenger compartment is completely self-contained and isolated from any part of the plane where a hijacker could influence the flight. The pilots would have their own mini-galley for food, a bathroom and access to the cargo compartment. They wouldn't be able to enter the passenger compartment, nor would any passengers be able to enter the cockpit or cargo compartment.
There would be a phone to the passenger compartment as well as video surveillance, but at the first sign of trouble, it would be strict airline policy to cut off all communication with the passenger section and divert to the closest airport. This would be made public knowledge and impressed upon the passengers before every flight. It would be pretty hard for a hijacker to threaten the pilots if they aren't listening.
I suppose there's a risk that something could happen in the cockpit that would incapacitate all the crew there, so maybe there should be a backup pilot in a separate, sealed compartment (complete with his own bathroom and food), in case of an emergency.
Re:
That would be more expensive, because you would need to remove passenger seats to make room for another galley and bathroom, and also add an exterior door. Airlines are not going to be interested in that.
Re: Re:
I'm talking about new planes that are designed from scratch, not altering existing planes. Why would they need to sacrifice passenger seats? They could just make the body a little longer to accommodate the extra areas. If you're designing a plane from scratch, there's no rule that it has to be a certain length or have a certain number of seats.
Re: Re: Re: Re: Re:
Probably not, but the problem is it would be difficult to get rid of the security theater at this point, even if there was the separate sealed cockpit. We would just end up paying for both expenses.
Re: alleged terrorists who've been seen alive
Re:
We know this because there aren't any people who look like other people.
long ago
911 remote? & off switch...
Do I believe it? ...I think it's very unlikely, but not completely out of the realm of possibility. The nav systems have that much accuracy for landing- but only with the help of sensors and powerful ground radio beacons. I suspect it would need such to succeed, and that means there would have to be a whole other conspiracy on how someone got such a beacon into the buildings and functioning without being noticed...seems way too complicated at that point. Far easier than lacing the whole infrastructure with thermite, of course- lol (that's satire, in case it's not clear)... I have no clue to what extent such a beacon can be miniaturized- the standard ones are often the size of a large shed, and are visible from miles away.
To the other poster who said something to the extent of "why not just turn it off":
the nav IS the autopilot- it's all one integrated system. Jets are fly by wire.
Re: 911 remote? & off switch...
the nav IS the autopilot- it's all one integrated system. Jets are fly by wire.
If you're talking about this: https://www.techdirt.com/articles/20160306/22252833817/cockpits-phone-encryption-tradeoffs-probabilities.shtml#c358
he's referring to turning off autopilot and flying manually.
Re: Nasch- on speculation.
Re: Re: Nasch- on speculation.
if I have some time later I'll dig a bit and see if I can find more info on it; was a long time ago now.
Re:
So a hacker might could take over an airliner from the ground and there would be nothing the pilots could do about it. No wonder they don't want to talk about it.
My programming childhood is pretty much the same as Mr. Ross'
I was probably one or two steps away from search suggestions.
Re:Re: Re: Nasch- on speculation.