There’s some vague stuff in the news about United airlines cockpit door protocol maybe being partially revealed. Short form: don’t worry.
Initially, I have to admit I had a brief moment of “Oh no, Uh-oh!” I know the doors are armored now and have better locks but it would not be unlike American IT specialists to design a pin-pad door, then use the same PIN for every plane. Fortunately, that’s not how it happened.
I’m boarding a Delta flight from Pittsburgh to Minneapolis at 6:45 this morning; you bet I’m going to linger and look around for pin-pads by the door. I won’t pull out my camera-phone, though, since I suspect that might result in me missing my flight.
Most cockpits are locked from the inside with a set of titanium deadbolts controlled by a master switch (or they’re manual). The doors on many airlines have been up-armored with a Kevlar cloth backing and a fiberglass cover: you could shoot it or hammer on it with a fire-axe for several hours and probably wouldn’t get in.
I found this video somewhat depressing in that it looks to me like a propaganda piece about how the airlines were acting sensibly after 9/11. It’s not as if pilots hadn’t complained about cockpit door security prior to then, of course. This is a basic security paradigm of “chasing the last threat” – whatever it was that hurt you last is what’s going to hurt you again, so freak out about it rather than stepping back and doing a complete risk assessment.
The Inside Edition piece above is kind of depressing after what happened when the Germanwings Flight 9525 co-pilot locked the pilot out of the cockpit and crashed the plane. Now, in the pattern of chasing the last threat, there are some airlines that have a “two people in the cockpit at all times” rule.
I suspect that the door opening protocol that leaked was probably ancillary details that are used to signal the people in the cockpit when it’s OK to open the door (or not). A commercial pilot I know once told me that there are a variety of such signals in aviation – if you taxi with the flaps down after landing, it’s a signal that you’ve been hijacked. Apparently there are multiple such signals regarding opening the cockpit door, and I suspect that one or more of them is what leaked. If you’re on a plane and you ever see the cockpit door open so that someone can come out to use the bathroom, you’ll notice that the cabin crew will conveniently block the front walkway with a drink cart. I assume there are some verbal cues when the pilot informs the crew they are opening the door; then the crew either says something that indicates it’s OK, or something that indicates it’s not.
It’s this kind of thing that fascinated me with security, initially: it’s tradeoffs and tradeoffs and you have to think pretty carefully about all the possible failure modes surrounding any given problem. I fell into it naturally because I was always a very careful programmer: always trying to cover all the contingencies so that “unexpected” was not part of my world. Good code never encounters unexpected conditions, bad code crashes and burns when it does. That’s the first layer of security thinking. Then, after that, you start realizing that when you put something in place to prevent one thing, you may be creating a control channel that’s actually worse. Security flaws of that sort happen all the time: someone writes a flexible transport layer that negotiates encryption algorithms, and an attacker spoofs it into negotiating unencrypted transport. Whups.
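As an added illustration of that last failure mode (this is example code written for this page, not anything from the original post or from any real transport library), here is a toy cipher-suite negotiation. In the naive version an on-path attacker edits the client’s offer so that only the null (unencrypted) suite remains, and the server dutifully picks it. The hardened version has both sides compute an HMAC over the handshake transcript (the offer the server saw plus the suite it chose) with a shared key and compare the results, so the client notices that the server saw a different offer than the one it sent. The key is assumed to be pre-shared here (in TLS it is derived from the key exchange and this check is the Finished message); the suite names, the server preference list and the key are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed suite names, strongest first. "null" means no encryption at all;
# it is in the list only so the downgrade has something to downgrade to.
CLIENT_OFFER = ["aes256-gcm", "chacha20-poly1305", "null"]
SERVER_PREFERENCE = ["aes256-gcm", "chacha20-poly1305", "null"]

# Constructed pre-shared key. In a real protocol this comes out of an
# authenticated key exchange; how it gets there is out of scope here.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def choose_suite(offered, preference):
    """Server picks the first suite in its preference list that the client offered."""
    for suite in preference:
        if suite in offered:
            return suite
    raise ValueError("no common suite")


def mitm_strip(offered):
    """On-path attacker rewrites the client hello so only the null suite is left."""
    return [suite for suite in offered if suite == "null"]


def naive_handshake(client_offer, tamper=None):
    """Negotiation with nothing binding the offer: whatever arrives is what the server trusts."""
    on_the_wire = list(client_offer)
    if tamper is not None:
        on_the_wire = tamper(on_the_wire)
    return choose_suite(on_the_wire, SERVER_PREFERENCE)


def transcript_mac(key, offered, chosen):
    """MAC over the handshake transcript as one side saw it."""
    transcript = ("|".join(offered) + "\n" + chosen).encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def verified_handshake(client_offer, key, tamper=None):
    """Same negotiation, but each side authenticates what it thinks was exchanged."""
    on_the_wire = list(client_offer)
    if tamper is not None:
        on_the_wire = tamper(on_the_wire)
    chosen = choose_suite(on_the_wire, SERVER_PREFERENCE)

    # The server MACs the offer it actually received; the client MACs the offer
    # it actually sent. An attacker who edited the offer in transit cannot make
    # these agree without the key.
    server_finished = transcript_mac(key, on_the_wire, chosen)
    client_finished = transcript_mac(key, client_offer, chosen)
    if not hmac.compare_digest(server_finished, client_finished):
        raise ValueError("downgrade detected: handshake transcript mismatch")
    return chosen


if __name__ == "__main__":
    print("naive, no attacker:   ", naive_handshake(CLIENT_OFFER))
    print("naive, with attacker: ", naive_handshake(CLIENT_OFFER, tamper=mitm_strip))
    print("verified, no attacker:", verified_handshake(CLIENT_OFFER, DEMO_KEY))
    try:
        verified_handshake(CLIENT_OFFER, DEMO_KEY, tamper=mitm_strip)
    except ValueError as err:
        print("verified, with attacker:", err)
```

The transcript check only tells the client that the negotiation was tampered with; it does not stop a client from offering a null suite in the first place. The cheaper fix is to never offer it, and then the MAC protects the ordering and the remaining choices against the same kind of rewrite.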
“… use the same PIN on every plane…” That is a case study of the difficulty of key management. Key management is the same problem whether you’re talking about PIN codes for cockpit doors or an encryption key that is being used to encrypt and decrypt stored data: how do you get the keys transported around, how do you know the key is the right key, and how do you know you’re giving the key to the right person? There are a variety of techniques for attacking those problems, but imagine how it might work for airplanes – if you had a PIN lock on the cockpit door and the PIN was unique per plane, the gate agent would become the likely key distribution center. Is there any reason to trust the gate agent more than a pilot (since any gate agent would be able to access and distribute the key)? If you don’t trust the gate agent, then you need an external key management system that’s out-of-band: maybe the pilot gets an SMS with the PIN. What could possibly go wrong? Part of the fun, for me, of security system design is trying to figure out where the sweet spot is, after which you’re not making the system any better, you’re just making it more annoying, which will result in people bypassing the security because that’s what people do.
Dan Geer once told me a funny story about when he was consulting on Wall St and convinced one particularly huge brokerage to use 2-factor authentication on certain trading terminals. At first there was a great deal of wailing and gnashing of teeth, but in about a week, it died down. He concluded that the exercise was successful, until he went in a few days later and discovered that all the big shot traders had given one of the executive assistants their ‘SecurID’ 2-factor tokens, their PINs, and their account information, and the executive assistant would come in 10 minutes earlier and log them all in to their terminals so they could walk in, sit down, and move billions of dollars around.