Of Cockpits And Phone Encryption: Tradeoffs And Probabilities

from the think-this-through dept

Support our crowdfunding campaign to help us keep covering stories like these!

Blake Ross (boy genius Firefox founder and later Facebook product guy) has written a somewhat bizarre and meandering — but totally worth reading — article about the whole Apple v. FBI fight, entitled (believe it or not): Mr. Fart’s Favorite Colors. There are a few very good points in there, about the nature of programming, security and the government (some of which even make that title make sense). But I’m going to skip over the farts and colors and even his really excellent description of the ridiculousness of TSA security theater in airports, and leap forward to a key point raised in the article, focused on airplane security, which presents a really good analogy for the iPhone encryption fight. He points out that the only thing that has truly helped stop another 9/11-style plane hijacking (as Bruce Schneier points out repeatedly) is not the TSA security theater, but reinforced, locked cockpit doors that make it impossible for people in the cabin to get into the cockpit.

However, Ross notes, there are scenarios in which those in the cockpit need to leave the cockpit (usually to use the bathroom), and therein lies an interesting security challenge for those designing the security of the planes. How do you let that pilot (or another crew member) back in, but not a bad guy? Here’s the solution that airlines have come up with, as described by Ross (or you can read the NY Times version, which is a little drier):

  1. When the pooping pilot wants to reenter the cockpit, he calls the flying pilot on the intercom to buzz him in.
  2. If there’s no answer, the outside pilot enters an emergency keycode. If the flying pilot doesn’t deny the request within 30 seconds, the door unlocks.
  3. The flying pilot can flip a switch to disable the emergency keypad for 5 to 20 minutes (repeatedly).

Like Asimov’s three laws, these checks and balances try to approximate safety while accounting for contingencies. If the flying pilot risked Delta’s gefilte fish and passed out, you want to make sure the other pilot can still re-enter. But add all the delays and overrides and backstops you want; you still have to make a fundamental decision. Who controls entry: the people on the inside, or the people on the outside?

Governments decided that allowing crew members to fully override the flying pilot using a key code would be insecure, since it would be too easy for that code to leak. Thus, there is nothing the outside pilot can do — whether electronically or violently — to open the door if the flying pilot is both conscious and malicious.

And as Ross notes, this is a pretty reasonable tradeoff in nearly all circumstances. It’s quite difficult for someone bad to get in, and yet those in the cockpit can mostly be okay with leaving and getting back in even if a pilot remaining in the cockpit suddenly drops dead. But there is still one scenario in which that security fails badly — and it played out on Germanwings Flight 9525 almost a year ago, when a mentally ill co-pilot locked the captain out of the cockpit and then deliberately crashed the plane into a mountain.

As Time Magazine noted, this is the tricky part of security systems: “sometimes it’s important to keep people out; sometimes it’s important to get inside.”

And, of course, there’s a little of that in the Apple v. FBI fight. The FBI is arguing that it’s important to let people in, because a husband and wife killed 14 people and wounded more. But lots of other people are pointing out that there are much bigger security benefits in keeping people out. And that’s why this is really a debate about “security v. security” rather than “security v. privacy.”

Strong encryption on devices is like that locked cockpit door. Under most scenarios, it keeps people much safer. It’s a useful and powerful security feature. But, yes, in some cases — such as that of the suicidal Germanwings co-pilot — it is less secure. And there do seem to be ways to mitigate that kind of risk without harming the wider security (many airlines now require that even if someone leaves the cockpit, a second crew member must be present in the cockpit). But, in the end, we have to look at the likelihood of the need for such security solutions. And it’s not hard to realize that, in the grand scheme of things, locking people out protects many, many, many more people than it endangers through the rare instances of suicidal co-pilots (and/or quasi-terrorist attacks).
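The re-entry protocol Ross describes (intercom, emergency code with a 30-second veto window, and a 5-to-20-minute keypad lockout) and the two-person mitigation mentioned above can be written down as a small state machine and run against the three cases the article cares about: an incapacitated pilot, a conscious and malicious one, and a cockpit that still has a second crew member inside. The model below is an added example, not code from the article, from Blake Ross, or from any aircraft manufacturer; the timings come from the article, while the event names, the `CockpitDoor` API and the scenario functions are assumptions made for illustration.

```python
"""Toy state-machine model of the cockpit re-entry protocol described in the article.

Added example, not the article's or Blake Ross's code. Only the 30 s veto window and
the 5-20 minute keypad lockout come from the article; the class, method names and
scenarios are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VETO_WINDOW_S = 30          # article: an undenied keypad request unlocks the door after 30 s
LOCKOUT_MIN_S = 5 * 60      # article: the flying pilot can disable the keypad for 5 to 20 min
LOCKOUT_MAX_S = 20 * 60


@dataclass
class CockpitDoor:
    """A locked door whose opening is ultimately decided from the inside."""
    now: float = 0.0
    unlocked: bool = False
    keypad_disabled_until: float = 0.0
    pending_request_at: Optional[float] = None
    log: List[Tuple[float, str]] = field(default_factory=list)

    def advance(self, seconds: float) -> None:
        """Advance the clock; an undenied request unlocks the door once the veto window lapses."""
        self.now += seconds
        if (self.pending_request_at is not None
                and self.now - self.pending_request_at >= VETO_WINDOW_S):
            self.pending_request_at = None
            self.unlocked = True
            self.log.append((self.now, "auto-unlock: 30 s veto window elapsed"))

    # Actions available to whoever is inside the cockpit
    def buzz_in(self) -> None:
        self.unlocked = True
        self.log.append((self.now, "inside: buzzed door open"))

    def deny(self) -> None:
        if self.pending_request_at is not None:
            self.pending_request_at = None
            self.log.append((self.now, "inside: denied keypad request"))

    def disable_keypad(self, minutes: int) -> None:
        secs = minutes * 60
        if not LOCKOUT_MIN_S <= secs <= LOCKOUT_MAX_S:
            raise ValueError("lockout must be between 5 and 20 minutes")
        self.keypad_disabled_until = self.now + secs
        self.log.append((self.now, f"inside: keypad disabled for {minutes} min"))

    # Action available to the crew member locked outside
    def emergency_code(self) -> bool:
        """Enter the emergency code; False means the keypad is currently disabled."""
        if self.now < self.keypad_disabled_until:
            self.log.append((self.now, "outside: code rejected, keypad disabled"))
            return False
        self.pending_request_at = self.now
        self.log.append((self.now, "outside: code accepted, veto window open"))
        return True


def incapacitated_pilot_scenario() -> bool:
    """The case the protocol was built for: nobody answers, so the 30 s backstop lets the crew in."""
    door = CockpitDoor()
    door.emergency_code()
    door.advance(VETO_WINDOW_S)
    return door.unlocked


def malicious_insider_scenario(flight_minutes: int = 120) -> bool:
    """The Germanwings case: a conscious, malicious insider vetoes every request and re-arms the lockout."""
    door = CockpitDoor()
    while door.now < flight_minutes * 60:
        if door.emergency_code():      # outside retries whenever the keypad is live
            door.deny()                # inside vetoes inside the 30 s window
            door.disable_keypad(20)    # and re-arms the maximum lockout, repeatedly
        door.advance(60)               # outside tries again a minute later
    return door.unlocked               # stays False: the inside always wins this protocol


def two_person_cockpit_scenario() -> bool:
    """The mitigation the article mentions: with a second crew member inside, one insider's veto is no
    longer the last word, because the other insider can still buzz the door open."""
    door = CockpitDoor()
    door.emergency_code()
    door.deny()          # the malicious insider vetoes ...
    door.buzz_in()       # ... but the second crew member inside opens the door anyway
    return door.unlocked


if __name__ == "__main__":
    print("incapacitated pilot, door opens:", incapacitated_pilot_scenario())
    print("malicious insider, door opens:  ", malicious_insider_scenario())
    print("two-person cockpit, door opens: ", two_person_cockpit_scenario())
```

The point the simulation makes is the one Ross draws: every delay and override in the protocol is a refinement, but the decision of who controls entry is binary, and the two-person rule changes the outcome only because it changes who is on the inside, not because it adds another knob to the door.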

And that’s the real issue here. Strong encryption on our devices is much more likely to lead to much more protection and security for many more people than going without such encryption. Nearly all of us are likely to be safer because of strong encryption. But that might not include everyone. Yes, there will be some instances — though likely few and far between — where such encryption allows someone to secretly plan and (potentially) get away with some sort of heinous act. And it will be reasonable and expected that people will whine and complain about how the security feature got in the way of stopping that attack. But the likelihood of that is much, much smaller than the very real possibility of attacks on weak phones affecting many of us.

Or, as Ross concludes (in a way that makes even more sense if you read the whole piece…):

Unfortunately it’s not that complicated, which means it’s not that simple. Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin? Either choice has problems, but — I’m sorry, Aunt Congress — you crash if you pick 2.

But when you have people like the technically ignorant San Bernardino District Attorney Michael Ramos insisting that he needs to be able to get into that iPhone, just recognize that he’s arguing that we should unlock cockpit doors just in case there’s a suicidal co-pilot in there, without recognizing how frequently such unlocked cockpit doors will be used by others who wish to do even more harm.


Companies: apple, germanwings


Comments on “Of Cockpits And Phone Encryption: Tradeoffs And Probabilities”

56 Comments
Anonymous Coward says:

You still don't get it!

Perfectly strong (OTP) encryption already exists; spies have used it for nearly 100 years. That horse has already left the barn.

So all this crap about “balancing”, “trade-offs”, etc. is a waste of time — much like how many angels can fit on the head of a pin.

The only question that remains is: are govt’s going to deny their own citizens the right to defend themselves against criminals (and bad govt’s) using strong encryption?

Are democratic govt’s going to be able to force corps like Apple to become unwilling SS officers, as fascist states have done?

Mason Wheeler (profile) says:

Re: You still don't get it!

OTP is theoretically perfect encryption, but it’s completely impractical as a generalized Internet encryption solution for a number of reasons. Unlike a public/private key pair, which you can generate once and reuse (theoretically) forever, for everyone, with a OTP you and the person you’re communicating with need to have a pre-exchanged key pad of length identical to or longer than the message.

Let’s say you want to buy something on Amazon.com. This involves various web pages, and the whole transaction can involve a fair amount of data, several MB at least. To keep it private, you’d need several MB of OTP key data from Amazon. But how did you get it? (Remember, Amazon can’t send it to you over the Internet without you already having an OTP key of equal length to the key being sent, which must be discarded once it’s used!) Maybe you could order one and they could ship it to you, but then it’s not secure anymore, since the existence of a chain of couriers opens your key up to a literal man-in-the-middle attack.

Spies dealt with this by preparing their pads ahead of time, or having a highly trusted diplomatic courier deliver them. This isn’t a solution that will work for John Q. Citizen.

And anyway, how in the world do you get from that to paranoid libertarian ranting about government being inherently evil blah blah blah?
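The two properties the comment above relies on (the pad must be at least as long as the message, and every byte of it is consumed exactly once) are easy to see in code, as is what goes wrong when a pad is reused: the key cancels out of the XOR of two ciphertexts, and knowing one message hands over the other. The snippet below is an added example, not code from the commenter or the article; the pad, the messages and the `PadStore` helper are constructed here, and the pad is deliberately deterministic so the results are reproducible (a real one-time pad must be truly random and pre-shared out of band, which is exactly the logistics problem the comment describes).

```python
"""One-time pad: key length, key consumption and the cost of reuse.

Added example, not from the article or the commenter. PAD and the sample messages
are constructed for the demo; a real pad must be random, secret and pre-shared.
"""
from typing import List

# Constructed, deterministic "pad" so the demo is reproducible. NOT a real pad.
PAD = bytes((i * 37 + 11) & 0xFF for i in range(64))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Refuses a pad shorter than the message,
    which is the 'key at least as long as the message' rule the comment states."""
    if len(pad) < len(data):
        raise ValueError(f"pad has {len(pad)} bytes, message needs {len(data)}")
    return bytes(d ^ k for d, k in zip(data, pad))


class PadStore:
    """Hands out pad bytes exactly once, modelling the pre-shared material both sides hold."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._used = 0

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def take(self, n: int) -> bytes:
        """Return n fresh pad bytes and retire them; exhausted pad means no more private traffic."""
        if n > self.remaining():
            raise RuntimeError(f"pad exhausted: {n} bytes requested, {self.remaining()} left")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk


def bytes_of_pad_needed(transaction_sizes: List[int]) -> int:
    """Total pad a customer must already hold to protect these transactions: one byte per byte."""
    return sum(transaction_sizes)


def two_time_pad_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """What an eavesdropper gets when one pad covers two messages: c1 XOR c2 == m1 XOR m2."""
    c1, c2 = otp_xor(m1, pad), otp_xor(m2, pad)
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_second_message(leak: bytes, known_m1: bytes) -> bytes:
    """Given m1 XOR m2 and a known m1, the second message falls out directly."""
    return bytes(l ^ k for l, k in zip(leak, known_m1))


if __name__ == "__main__":
    store = PadStore(PAD)
    msg = b"ship to: 12 Oak St"
    key = store.take(len(msg))
    ct = otp_xor(msg, key)
    print("ciphertext:", ct.hex(), "| pad left:", store.remaining())
    print("decrypts to:", otp_xor(ct, key))
    # Reuse: the same pad bytes protecting a second order leak both orders' relationship.
    leak = two_time_pad_leak(b"ship to: 12 Oak St", b"ship to: 9 Elm Ave", PAD)
    print("recovered from reuse:", recover_second_message(leak, b"ship to: 12 Oak St"))
    print("pad needed for a 3 MB session:", bytes_of_pad_needed([3 * 1024 * 1024]), "bytes")
```

`PadStore` is the piece that makes the comment's Amazon scenario concrete: every private byte exchanged retires a byte of pad that had to be delivered securely beforehand, so the problem never becomes "encrypt this" but "how did both sides come to hold the same several megabytes in the first place".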

Anonymous Coward says:

Re: Re: You still don't get it!

Terrorists already have access to perfect (OTP) encryption.

So all of this Apple ranting is solely for the purpose of inexpensive mass surveillance of non-terrorists.

Govt’s want to be able to monitor the thoughts of their own citizens, because politicians fear being kicked out of office more than they fear outside threats.

jim says:

Re: Objection....

I’ll, agree, to a point. But, I argue, that the FBI, is after the wrong horse. There are laws already to cover what they want. They should use those laws. Such as wiretap, and search laws. The phone, wiretap, phone records are included in wiretap. Search? It’s a handheld computer, and recording device. That may take more warrants to do, but you get the idea. I still wonder, has the FBI sent a rep to China yet. Or is the China deal still secret from everyone?

Mason Wheeler (profile) says:

He points out that the only thing that has truly helped stop another 9/11-style plane hijacking (as Bruce Schneier points out repeatedly) is not the TSA security theater, but reinforced, locked cockpit doors that make it impossible for people in the cabin to get into the cockpit.

Wrong. I’ve got a lot of respect for Bruce Schneier, but he’s completely wrong on this point.

Sure, reinforcing the doors helps a little, but really the thing that stopped another 9/11-style plane hijacking is that the 9/11 hijacking was a trick that could only ever work once anyway.

Back in the day, conventional wisdom used to be, “cooperate with the hijackers and no one will get hurt,” because that was the way it always happened. Hijackers wanted money and/or political concessions, and there was no good reason to needlessly endanger the lives of the people on board by resisting them. But 9/11 changed that forever. The terrorists exploited that, but in doing so, they broke it.

Now that people understand that planes can be used as giant bombs by suicide bombers, who’s going to go along with the next attempt? And if you’ve got over 100 people on the plane actively resisting, literally fighting for their lives because they sincerely believe that they will die anyway if they don’t stop the hijacker, how is anyone going to ever be able to hijack another plane?

nasch (profile) says:

Re: Re:

And if you’ve got over 100 people on the plane actively resisting, literally fighting for their lives because they sincerely believe that they will die anyway if they don’t stop the hijacker, how is anyone going to ever be able to hijack another plane?

That is certainly true. But with an insecure cockpit door, it might be possible to get into the cockpit and do something awful before the passengers figure it out and stop it. With a secure door, the hijacker can’t get into the cockpit whether the passengers are rioting or sitting quietly. So it seems to me the door is the more important security feature.

Anon says:

Re: Re:

Sure, reinforcing the doors helps a little, but really the thing that stopped another 9/11-style plane hijacking is that the 9/11 hijacking was a trick that could only ever work once anyway.

>Back in the day, conventional wisdom used to be, “cooperate with the hijackers and no one will get hurt,” because that was the way it always happened. Hijackers wanted money and/or political concessions, and there was no good reason to needlessly endanger the lives of the people on board by resisting them. But 9/11 changed that forever. The terrorists exploited that, but in doing so, they broke it.

>Now that people understand that planes can be used as giant bombs by suicide bombers, who’s going to go along with the next attempt? And if you’ve got over 100 people on the plane actively resisting, literally fighting for their lives because they sincerely believe that they will die anyway if they don’t stop the hijacker, how is anyone going to ever be able to hijack another plane?

Yes and no. El Al has never had a successful hijacking, despite being the most tempting target… because they locked the doors and used sky marshals from day one. That is part of it.

However, you are right. The trick the hijackers exploited stopped working almost immediately – in fact, before the 4th plane could reach Washington.

But the Israelis recognized the fundamental basis of the equation that governs both aspects, that the USA has claimed but not usually followed through with – “no negotiations with terrorists”. The locked door minimizes leverage, and the attempt to physically slaughter a planeload of passengers to get leverage will result in a revolt that will likely leave the hijackers overwhelmed; and then either dead or arrested with no accomplishments. (Or sucked out the side of the plane…)

Anonymous Coward says:

Re: What if the government wants in the cockpit?

There’s one aspect nobody considers: if the locks are “fail secure” nobody can unlock them if the lock malfunctions! Including those with authorization to access. In this case it’s not the lock but the system design that’s flawed, as cited by the flight whose copilot kept locking out the pilot. An electronic proximity card access control system would be better, but the logistics – specifically programming authorized accessors – likely are scaring folks away.

nasch (profile) says:

Re: Re: What if the government wants in the cockpit?

There’s one aspect nobody considers: if the locks are “fail secure” nobody can unlock them if the lock malfunctions! Including those with authorization to access.

I don’t think that would be a major concern. They can just land the plane, get the passengers off, and then bring in a power saw and cut through the door. The plane will be out of service until the door is replaced, but nobody gets hurt.

Anonymous Coward says:

good analogy

Especially since, much like the cell phone’s baseband co-processor, the nav systems on modern planes have remote override. Unsurprisingly, no one likes to talk about these things. The facts are out there for those willing to look.

This isn’t a new thing either – Garmin patented it in the late 90’s and the first production models were being installed in early-mid 2001…

-former pilot.

Eldakka (profile) says:

Re: good analogy

But doesn’t that only matter if you are on autopilot? If you are in manual flight mode, what relevance does the sat nav system have if you are not navigating by it?

I can see it mattering if you are on autopilot, because in autopilot you’ve said “navigate to point X (or waypoints X, Y, Z, etc.) as provided by the SatNav”. So if you change the SatNav remotely to change where point X is, I can see the autopilot taking you to a place you weren’t expecting.

But if you turn off the autopilot and use another navigation method to determine what course to manually steer the plane in (either a portable SatNav, or visual navigation using a map, ruler, compass, visual waypoints, or just “hey, I see a mountain over there, I’ll just fly into it”), then does it matter if they override the SatNav?

Anonymous Coward says:

Re:good analogy

quote: “So, they could have just overridden the Germanwings co-pilot if they had wanted to?”

…maybe “they” did. A better question might be who “they” are. maybe, maybe, maybe…

I don’t care to speculate on such things. Whether or not it was a factor, being aware of potentials is important.

Remote override is a feature that never should have happened in the first place. Just like baseband architecture in cellphones, or Intel vPro, or ME, or AMD AMT, TPM, UEFI, Secure Boot… I could go on…

These models rely on a single point of failure, and a single point of trust, while ancillary features are often focused on which betray the understanding of foundation aspects each system.

IE: this door and switch system is ancillary to the nav’s ability to revoke local authority of the aircraft.

IE: OS security, encryption…etc is ancillary to processor subsystems which are not under the control of the former, but have access to the same resources. Search: hardware backdoors- this isn’t tin hat stuff anymore.

ChurchHatesTucker (profile) says:

Not just that

He points out that the only thing that has truly helped stop another 9/11-style plane hijacking (as Bruce Schneier points out repeatedly) is not the TSA security theater, but reinforced, locked cockpit doors that make it impossible for people in the cabin to get into the cockpit.

What really stopped another 9/11 is the passengers realizing that hijackings were no longer unscheduled Cuban vacations. The threat ended in a field in Pennsylvania. (see, e.g., the shoe bomber, the underwear bomber, etc.)

Lawrence D’Oliveiro says:

Re: What really stopped another 9/11

Bruce Schneier is way ahead of you:

“Counterterrorism in the airport is a show designed to make people feel better,” he said. “Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.” This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. “We defend against what the terrorists did last week,” Schneier said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. “Spend the rest of your money on intelligence, investigations, and emergency response.”

Anonymous Coward says:

Re: Re: What really stopped another 9/11

He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels.

Of course. But, then again, security isn’t the purpose. The real purpose is to teach the general public to be compliant to authority. That’s why those of the class who can afford to fly charter or private are exempt.

“Spend the rest of your money on intelligence, investigations, and emergency response.”

Yeah, if security was your real concern (which, again, it isn’t).

Groaker (profile) says:

Very few people have a concept of risk.

Very few people have a concept of numbers as high as 14. To them the death of 14 in San Bernardino is infinitely more horrible than 14 murders on the streets of any city.

Yet we expect these same people to deal with risks that are on the order of one in a billion or one in a trillion. As a scientist who used to work with incredibly large and small numbers, I can not truly grasp a billion. I will still count pennies by twos and threes like almost everybody else.

Rekrul says:

However, Ross notes, there are scenarios in which those in the cockpit need to leave the cockpit (usually to use the bathroom), and therein lies an interesting security challenge for those designing the security of the planes. How do you let that pilot (or another crew member) back in, but not a bad guy?

What they need to do is to design new planes where the passenger compartment is completely self-contained and isolated from any part of the plane where a hijacker could influence the flight. The pilots would have their own mini-galley for food, a bathroom and access to the cargo compartment. They wouldn’t be able to enter the passenger compartment, nor would any passengers be able to enter the cockpit or cargo compartment.

There would be a phone to the passenger compartment as well as video surveillance, but at the first sign of trouble, it would be strict airline policy to cut off all communication with the passenger section and divert to the closest airport. This would be made public knowledge and impressed upon the passengers before every flight. It would be pretty hard for a hijacker to threaten the pilots if they aren’t listening.

I suppose there’s a risk that something could happen in the cockpit that would incapacitate all the crew there, so maybe there should be a backup pilot in a separate, sealed compartment (complete with his own bathroom and food), in case of an emergency.

Rekrul says:

Re: Re: Re:

That would be more expensive, because you would need to remove passenger seats to make room for another galley and bathroom, and also add an exterior door. Airlines are not going to be interested in that.

I’m talking about new planes that are designed from scratch, not altering existing planes. Why would they need to sacrifice passenger seats? They could just make the body a little longer to accommodate the extra areas. If you’re designing a plane from scratch, there’s no rule that it has to be a certain length or have a certain number of seats.

MrTroy (profile) says:

Re: Re: Re: Re:

That would still be more expensive than a plane without such a feature. That’s not to say that such a plane wouldn’t become popular, but the extra costs associated with the build of the plane, not to mention the extra running costs from higher fuel use by the heavier plane and changes to aerodynamics, would have to be recouped somehow.

John Fenderson (profile) says:

Re: Re: Re:2 Re:

Would the surcharge be higher than the one we’re paying for all the extra airport pseudosecurity? When I consider the totality of the expense for that, in the ticket surcharge, reduced service level, additional taxpayer expense, and the ephemeral but real cost in terms of the hassle and humiliation to the passengers, it seems unlikely.

ac #13 says:

911 remote? & off switch...

That’s one of many conspiracy theories which focus on the system. I was never able to confirm those specific planes actually had those systems installed. They did start installing systems on that type of plane several months prior- rollout of new avionics doesn’t always happen quickly though.

Do I believe it? …I think it’s very unlikely, but not completely out of the realm of possibility. The nav systems have that much accuracy for landing – but only with the help of sensors and powerful ground radio beacons. I suspect it would need such to succeed, and that means there would have to be a whole other conspiracy on how someone got such a beacon into the buildings and functioning without being noticed… seems way too complicated at that point. Far easier than lacing the whole infrastructure with thermite, of course – lol (that’s satire, in case it’s not clear)… I have no clue to what extent such a beacon can be miniaturized – the standard ones are often the size of a large shed, and are visible from miles away.

To the other poster who said something to the extent of “why not just turn it off”:

the nav IS the autopilot- it’s all one integrated system. Jets are fly by wire.

nasch (profile) says:

Re: 911 remote? & off switch...

To the other poster who said something to the extent of “why not just turn it off”:

the nav IS the autopilot- it’s all one integrated system. Jets are fly by wire.

If you’re talking about this: https://www.techdirt.com/articles/20160306/22252833817/cockpits-phone-encryption-tradeoffs-probabilities.shtml#c358

he’s referring to turning off autopilot and flying manually.

Anonymous Coward says:

Re: Re:

As I recall, the system could take over control of the plane from the ground. There is no override; it was designed with a malicious pilot scenario in mind.

So a hacker might could take over an airliner from the ground and there would be nothing the pilots could do about it. No wonder they don’t want to talk about it.
