Airplane Doors


There’s some vague stuff in the news about United airlines cockpit door protocol maybe being partially revealed. Short form: don’t worry.

Initially, I have to admit I had a brief moment of “Oh no, Uh-oh!” I know the doors are armored now and have better locks but it would not be unlike American IT specialists to design a pin-pad door, then use the same PIN for every plane. Fortunately, that’s not how it happened.

I’m boarding a Delta flight from Pittsburgh to Minneapolis at 6:45 this morning; you bet I’m going to linger and look around for pin-pads by the door. I won’t pull out my camera-phone, though, since I suspect that might result in me missing my flight.

Most cockpits are locked from the inside with a set of titanium deadbolts controlled by a master switch (or they’re manual). The doors on many airlines have been uparmored with kevlar cloth backing and a fiberglass cover: you could shoot it or hammer on it with a fire-axe for several hours and probably wouldn’t get in.

I found this video somewhat depressing in that it looks to me like a propaganda piece about how the airlines were acting sensibly after 9/11. It’s not as if pilots hadn’t complained about cockpit door security prior to then, of course. This is a basic security paradigm of “chasing the last threat” – whatever it was that hurt you last, is what’s going to hurt you again, so freak out about it rather than stepping back and doing a complete risk assessment.

The Inside Edition piece above is kind of depressing after what happened when the GermanWings #9525 co-pilot locked the pilot out of the cockpit and crashed the plane. Now, in the pattern of chasing the last threat, there are some airlines that have a “2 people in the cockpit at all times” rule.

I suspect that the door opening protocol that leaked was probably ancillary details that are used to signal the people in the cockpit when it’s OK to open the door (or not). A commercial pilot I know once told me that there are a variety of such signals in aviation – if you taxi with the flaps down after landing it’s a signal that you’ve been hijacked. Apparently there are multiple such signals regarding opening the cockpit door and I suspect that one or more of them is what leaked. If you’re on a plane and you ever see the cockpit door open so that someone can come out to use the bathroom, you’ll notice that the cabin crew will conveniently block the front walkway with a drink cart. I assume there are some verbal cues when the pilot informs the crew they are opening the door, then the crew either says something that indicates it’s OK, or something that indicates it’s not.

It’s this kind of thing that fascinated me with security, initially: it’s tradeoffs and tradeoffs and you have to think pretty carefully about all the possible failure modes surrounding any given problem. I fell into it naturally because I was always a very careful programmer: always trying to cover all the contingencies so that “unexpected” was not part of my world. Good code never encounters unexpected conditions, bad code crashes and burns when it does. That’s the first layer of security thinking. Then, after that, you start realizing that when you put something in place to prevent one thing, you may be creating a control channel that’s actually worse. Security flaws of that sort happen all the time: someone writes a flexible transport layer that negotiates encryption algorithms, and an attacker spoofs it into negotiating unencrypted transport. Whups.
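The “negotiate unencrypted transport” failure mode above, as an added toy illustration (not code from this post; the suite names, the wire format and the shared key are constructed for the example). The naive server trusts whatever offer list arrives; the hardened one keeps a policy floor that can never select the plaintext suite and authenticates the offer so that an edited one is rejected rather than honored:

```python
import hmac
import hashlib

# Constructed suite names, strongest first; "NULL" means no encryption.
CLIENT_PREFERENCE = ["AES256-GCM", "AES128-GCM", "NULL"]
SERVER_SUPPORTED = {"AES256-GCM", "AES128-GCM", "NULL"}
POLICY_MINIMUM = {"AES256-GCM", "AES128-GCM"}  # suites the server may ever select


def choose(offer, supported):
    """Pick the first suite in the client's order that the server supports."""
    return next((s for s in offer if s in supported), None)


def negotiate_naive(offer_on_the_wire):
    """Flexible but unauthenticated: believes whatever list arrives."""
    return choose(offer_on_the_wire, SERVER_SUPPORTED)


def simulate_on_path_rewrite(offer):
    """Model the failure mode from the post: an on-path party edits the
    unauthenticated offer so that only the unencrypted option remains."""
    return [s for s in offer if s == "NULL"]


def sign_offer(key, offer):
    """Client binds its offer with a MAC under a key the on-path party lacks
    (an assumed pre-shared key here; real protocols bind the whole handshake
    transcript under the negotiated key instead)."""
    return hmac.new(key, ",".join(offer).encode(), hashlib.sha256).hexdigest()


def negotiate_hardened(key, offer_on_the_wire, tag):
    """Two defenses: reject any offer whose MAC does not verify (it was
    modified), and never select a suite outside the policy minimum."""
    if not hmac.compare_digest(sign_offer(key, offer_on_the_wire), tag):
        raise ValueError("offer was modified in transit")
    return choose(offer_on_the_wire, SERVER_SUPPORTED & POLICY_MINIMUM)


def demo():
    key = b"constructed-shared-key"
    tampered = simulate_on_path_rewrite(CLIENT_PREFERENCE)
    naive = negotiate_naive(tampered)  # silently downgraded to "NULL"
    tag = sign_offer(key, CLIENT_PREFERENCE)
    try:
        negotiate_hardened(key, tampered, tag)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    honest = negotiate_hardened(key, CLIENT_PREFERENCE, tag)
    return naive, hardened, honest
```

Note that the policy floor matters even with authentication: a client that honestly offers only NULL gets no suite at all instead of a plaintext session.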

------ divider ------

“… use the same PIN on every plane…” That is a case study of the difficulty of key management. Key management is the same problem whether you’re talking about PIN codes for cockpit doors or an encryption key that is being used to store/unstore data: how do you get the keys transported around, how do you know the key is the right key, and how do you know you’re giving the key to the right person? There are a variety of techniques for attacking those problems, but imagine how it might work for airplanes – if you had a PIN lock on the cockpit door and the PIN was unique per plane, the gate agent would become the likely key distribution center. Is there any reason to trust the gate agent more than a pilot (since any gate agent would be able to access and distribute the key)? If you don’t trust the gate agent then you need an external key management system that’s out-of-band: maybe the pilot gets an SMS with the PIN. What could possibly go wrong? Part of the fun, for me, of security system design is trying to figure out where the sweet spot is: the point after which you’re not making the system any better, you’re just making it more annoying, which will result in people bypassing the security because that’s what people do.

Dan Geer once told me a funny story about when he was consulting on Wall St and convinced one particularly huge brokerage to use 2-factor authentication on certain trading terminals. At first there was a great deal of wailing and gnashing of teeth, but in about a week, it died down. He concluded that the exercise was successful, until he went in a few days later and discovered that all the big shot traders had given one of the executive assistants their ‘SecurID’ 2-factor tokens, their PINs, and their account information, and the executive assistant would come in 10 minutes earlier and log them all in to their terminals so they could walk in, sit down, and move billions of dollars around.

Comments

  1. Caine says

    Dan Geer once told me a funny story about when he was consulting on Wall St and convinced one particularly huge brokerage to use 2-factor authentication on certain trading terminals. At first there was a great deal of wailing and gnashing of teeth, but in about a week, it died down. He concluded that the exercise was successful, until he went in a few days later and discovered that all the big shot traders had given one of the executive assistants their ‘SecurID’ 2-factor tokens, their PINs, and their account information, and the executive assistant would come in 10 minutes earlier and log them all in to their terminals so they could walk in, sit down, and move billions of dollars around.

    :Headdesk: There’s really no excuse for us. None.

  2. Kengi says

    Dan Geer once told me a funny story…

    It’s pretty easy to see how something like that happened, and is often the result of top-down security implementation. The executive assistant learned how to use the system so they could help the users, and, very quickly, everyone realized it was just easier to have the executive assistant log everyone in ahead of time.

    It’s also why social engineering works so well as a hacking tool. People want to be helpful.

  3. says

    Caine@#1:
    There’s really no excuse for us. None.

    Well, it’s one of the reasons I don’t think humans are very good at most of what we do. I always get a laugh when someone pretends to be rational and wants to talk about consequentialism or risk management: humans are ridiculously bad at predicting cause and effect, or planning long-term.

  4. says

    Kengi@#2:
    It’s pretty easy to see how something like that happened, and is often the result of top-down security implementation. The executive assistant learned how to use the system so they could help the users, and, very quickly, everyone realized it was just easier to have the executive assistant log everyone in ahead of time.

    Normally I would approach that incident by thinking of it as management failing to communicate the intent of the procedure, which caused the people involved to not understand its importance, and then to want to bypass it. Humans do that all the time.

    On my most recent flight (this morning!) the passenger next to me was complaining that the cabin crew had given her a hard time about getting her giant rollaboard under the seat in front of her. She looked over to me for support and instead I said “it’s so if there’s a fire in the cabin you and I won’t stumble over it, and we’ll possibly be able to get off the plane before the smoke kills us.” Oddly, she didn’t try to talk to me after that. We humans have a tendency to think that everything will work out right – which makes sense to me given the apparent relationship between imagination and intelligence.

  5. says

    Addendum: on the flight this morning, I noticed a PIN pad tucked around the corner from the main door. I didn’t ask the crewmember what it was for but I can’t think of much it’d do except signal the cockpit door to open. Now I’m really curious.

  6. jrkrideau says

    On the old side of the door, I remember reading an article many years ago (1970s?) where a Globe & Mail reporter (IIRC) described flying on China Airways. CA always kept the cockpit door locked.

    There was a bit of consternation when the pilot met the copilot in the aisle. The story ends with pilot and copilot attacking the door with fire axes.

  7. Some Old Programmer says

    From today’s Boston Globe (page C3, credited to the Associated Press), “United Changes Cockpit Codes After Accidental Posting Online”. It would seem that at least one airline is using a single code for cockpit access. The last line reads “United changes the access codes periodically.” — but there’s no mention of the periodicity.

  8. says

    Some Old Programmer@7:
    The periodicity is “we just changed it!”

    The way it works is that the PIN does not instantly unlock the cockpit door. There is an alarm interval in which the flight deck crew can look out the little viewport and override the unlock with a deadbolt.

  9. Kengi says

    Normally I would approach that incident by thinking of it as management failing to communicate the intent of the procedure, which caused the people involved to not understand its importance, and then to want to bypass it.

    I’ve had better luck with getting users to participate in the decision process rather than just pushing the new procedure down the chain, no matter how well explained. The users may agree the security is important, but still won’t bother to take the time to learn the new procedure when it’s pushed down. They probably aren’t thinking about the cost/benefit analysis of their own time.

    If you get them together and talk about solutions, then get them to agree on one, they tend to embrace it and want to help make it work, rather than just fight it. In the example with the executive assistant, that would almost certainly be a small enough group to get in a room with some whiteboards and flip charts easily for an hour.

    Scaling this up for large organizations is more problematic, but can still be accomplished with some level of interaction before the procedure is introduced. Guiding the meetings is the crucial part, but you can often learn from the users in ways you don’t anticipate when doing so, which is a beneficial side effect.

    So yes, still a management problem.