Security Risks of Airplane WiFi

I've already written about the stupidity of worrying about cell phones on airplanes. Now the Department of Homeland Security is worried about broadband Internet.

Federal law enforcement officials, fearful that terrorists will exploit emerging in-flight broadband services to remotely activate bombs or coordinate hijackings, are asking regulators for the power to begin eavesdropping on any passenger's internet use within 10 minutes of obtaining court authorization.

In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane -- all from the comfort of an aisle seat.

"There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking or remedy other crisis situations on board an aircraft, and law enforcement needs to maximize its ability to respond to these potentially lethal situations," the filing reads.

Terrorists never use SSH, after all. (I suppose that's the next thing the DHS is going to try to ban.)

Posted on July 14, 2005 at 12:02 PM • 48 Comments

Comments

RobJuly 14, 2005 12:15 PM

I don't see what the problem is if they have a court order to install the wiretap. Don't they already have the ability to eavesdrop on communications with a court order?

KytheJuly 14, 2005 12:25 PM

In joint comments filed with the FCC last Tuesday, the Justice Department, the FBI and the Department of Homeland Security warned that a terrorist could use on-board internet access to communicate with confederates on other planes, on the ground or in different sections of the same plane -- all from the comfort of an aisle seat.
---

The real issue, of course, is that we don't want the terrorists to be comfortable while they communicate :)

(I, for one, prefer a window seat)

Ian MasonJuly 14, 2005 12:52 PM

@Rob

I suspect that it's the "within 10 minutes" that's the issue. This would require infrastructure ready to perform the wiretap and, to meet that timeframe, infrastructure that could be remotely activated by the agency concerned. They need the powers to force the service providers concerned to install (and probably pay for) that infrastructure. As running ISP networks is my line of business I can authorativately say that the average ISP network is not organized in a way that makes this 'instant' wiretap practicable and reorganizing a network to make this practicable would be expensive and difficult.

But my concern here is: if they have a remotely managed wiretap facility ready to go at any time what will prevent the misuse of this capability? Wiretaps usually require intervention by the telco/ISP involved and they will *insist* on seeing (and possibily validating) the warrant before activating a tap to protect themselves from the associated liabilities, both criminal and civil. If this step involving human oversight is removed there may be little to stand in place of an illegal wiretap being activated or detected.

ShinyJuly 14, 2005 12:57 PM

I highly doubt that communiques between air-terrorists will ressemble anything overt, such as "Okay, let's detonate on the count of three."

Even if they are using SSH or another encrypted tunnel. Network-side encryption doesn't deter "shoulder-surfing." Which occurs in crowded environments such as, say, a flight cabin.

Idea: allow the wi-fi connection on the flight to be "inadvertently" left open, and arrest the terrorirsts for stealing the air-carrier's internet!

Davi OttenheimerJuly 14, 2005 1:09 PM

@Bruce

With regard to cell use, Europe seems to be headed in the opposite direction:

http://www.theregister.co.uk/2005/07/04/germany_airborne_mobiles/

"The German Federal Ministry of Transport, Building and Housing will next year lift the ban on the use of mobile phones on commercial flights. The German Aerospace Centre says that mobile phone signals do not interfere with onboard electronics. Several European airlines are also considering the removal of the in-flight ban on GSM phones."

And as you point out, the simple fact is if you tap a line, the stream could be encrypted. And if you block encrypted protocols, the message itself could be encrypted...

Jura jvyy QUF ernyvmr gung gurl ner gnxvat gur jebat nccebnpu?

DarrylJuly 14, 2005 1:10 PM

@Shiny Yeah, i doubt they can just packet surf for the phrase "Somebody set us up the bomb." Chances are they are a little more sophisticated than that.

Bill McGonigleJuly 14, 2005 1:31 PM

>Even if they are using SSH or another
>encrypted tunnel. Network-side encryption
>doesn't deter "shoulder-surfing." Which occurs
>in crowded environments such as, say,
>a flight cabin.

So then what good are the wiretaps?

If they know they're going to wiretap and that's going to foil their evil plan, they'll encrypt.

Ari HeikkinenJuly 14, 2005 2:09 PM

I can't see why terrorists would communicate at all while executing their plot. That'd only risk their plot and leave traces and evidence for audit afterwards. They're likely just gonna plan beforehand and then execute their plot sticking to their original plan. And why'd they need WiFi or GSM's for detonating their bombs anyway? All they need is someone pointing a dish towards the plane from the ground or a timer.

IanJuly 14, 2005 2:10 PM

@Davi

Gurl'er tbvat va gur evtug qverpgvba. Gurl'er znxvat crbcyr srry fnsr naq guvax gung gur nqzvavfgengvba vf npghnyyl pbzonggvat greebevfz.

Ari HeikkinenJuly 14, 2005 2:12 PM

Just to add, my point was that they'll simply switch their tactics and use something else.

Brett TurcotteJuly 14, 2005 2:18 PM

No, they already have banning SSH covered, since high-grade encryption is already a munition, and you aren't going to allow people with live munitions on a plane...

Paul BallardJuly 14, 2005 2:43 PM

A wire tap (in 10 mins or any other timeframe) on a device used to detonate a bomb in flight is pointless. A tap is for eavesdropping, not stopping the communication. By the time the FBI got word to the ISP to shut down the connection the "bomb" would have exploded and that's even for terrorists stupid enough not to use encrypted channels. This is just another end-run around the Bill of Rights that the American people will swallow out of aimless fear.

NYCguyJuly 14, 2005 3:18 PM

More stupidity: Cellphone service has been deactivated in New York Tunnels (Lincoln, Holland, Queens-Midtown, etc.) for security reasons. Damn, now the bad guys have to turn to sophisticated devices like kitchen timers.

VasuJuly 14, 2005 3:21 PM

Why is this any different than any other secure architecture?
In my daily life, we ask for the same kind of things (audit history, ability to pipe the traffic to IDS etc), when new networks/devices are setup.
As much as I don't like being snooped on by government, why is it that we see this as conspiracy than good secure architectural requirement?

Gopi FlahertyJuly 14, 2005 3:28 PM

@Brett:

I keep reading about people being afraid of individual components being brought on and assembled on the plane.

Just give a few dozen "innocent-looking" source files to each person, and let them merge them on the plane...

Brent DaxJuly 14, 2005 5:50 PM

@Vasu: The difference is that all of the requirements you listed are there to benefit the network's owner, and the network's owner can choose if they want it. My home network doesn't have these things because I, the network owner, don't want them. Presumably the airline companies have no particular desire to spy on their passengers' porn site accesses. Thus, the government is forcing them to pay their own money to give the government--not the network's owner--a lot of access.

On the other hand, I wonder what the jurisdictional issues are. If I'm sitting on American Airlines flight 1337 from London to Cairo, take out my laptop somewhere over France, and use the plane's wifi (which bounces off two Japanese satellites and a Canadian one before entering the Internet in Australia) to attack a computer in Brazil, who has jurisidiction?

Real Solutions, for real peopleJuly 14, 2005 6:23 PM

We've said it before, we'll say it again.

To handle people flying,

1. Drug em
2. Strip em
3. X ray them
4. Put them in their box on the plane
5. Revive at other end

Anyone not willing to undergo the above is UNPATRIOTIC and probably a communist or terrorist.

Bruce SchneierJuly 14, 2005 7:36 PM

"I keep reading about people being afraid of individual components being brought on and assembled on the plane."

It's a real fear. Our systems are far better equipped to detect a competed bomb than bomb components.

It is believed that the Chechnian women got their bomb past security because, among other things, one carried the explosives and another carried the detonation mechanism.

Bruce SchneierJuly 14, 2005 7:41 PM

""The German Federal Ministry of Transport, Building and Housing will next year lift the ban on the use of mobile phones on commercial flights. The German Aerospace Centre says that mobile phone signals do not interfere with onboard electronics. Several European airlines are also considering the removal of the in-flight ban on GSM phones.""

For completely non-security reasons, I dread the day that cellphones are allowed on airplances. I'll get no peace.

Bruce SchneierJuly 14, 2005 7:45 PM

"I don't see what the problem is if they have a court order to install the wiretap. Don't they already have the ability to eavesdrop on communications with a court order?"

The "ten minute" requirement will force the providers to add technology to facilitate this wiretapping.

Thomas SprinkmeierJuly 14, 2005 7:49 PM

"There is a short window of opportunity in which action can be taken to thwart a suicidal terrorist hijacking"

What action?

Reconstitute the dehydrated emergency SWAT team?

Hand out nailclippers and other deadly weapons so that the passengers can overpower the terrorists?

Flood the cabin with Bat-Gas?

NickJuly 14, 2005 10:21 PM


Oooooh, they're using the internet to communicate between planes!

How about those terrorists using a nice, reliable watch?

Why is there the presumption that such communications will be glaringly obvious, and not, 'Will not make meeting, flight running late.'?

And for those onboard the same plane, gosh, do you think hand signals might work? (Or, again, synchronized watches.)

Making it possible to eavesdrop and/or blocking wifi access does not assure safety or significantly impact communications. Heck, how are you going to handle devices like a Nintendo DS or a Sony PSP that can establish ad-hoc wifi connections?

Of course! Ban handheld game devices. *slaps forhead*

Chung LeongJuly 15, 2005 12:32 AM

I think you guys have misunderstood the rationale behind the creation of the Department of Homeland Security. The main purpose of DHS is to create a sense of security in the public. Basically all they have to do is to show that "something" is happening. Bans on Wi-Fi and cell phone are inconvinient to a lot of people, and thus would guarantee publicity and discussions. And given that such policies can be put into place at practical no cost, I would say that they're very clever and efficient ways for the DHS to fulfill its mandate.

NickJuly 15, 2005 12:43 AM

@Chung

Micheal Chertoff (Director, DHS) has an odd way of instilling a sense of security in the public. He is being criticized for a comment he made regarding mass transit security, suggesting that a bomb on a train might kill 30 people, while a hijacked plane could kill 3000. While that may be true in a numerical sense, I'm sure the thousands of commuters who ride mass transit in any given city are relieved to know they don't matter to DHS, and they're someone else's problem.

java49July 15, 2005 1:00 AM

Bruce's anti-US Government is a lot to choke down on a daily basis. Keep in mind his criticism of the government is apparent on every blog he posts.

GrainneJuly 15, 2005 5:40 AM

@java49 - sometimes the truth is hard to 'choke down'

@Chung Leong - As a member of the public I would much rather see measures that make good security sense be put into place than to see bad plans like this get priority. It does not give me any sense of security - in fact I feel the opposite.

buddyJuly 15, 2005 7:57 AM

how is an agency going to know that there is activity happening on a plane to even get a warrant in the first place?

I'm sure a terrorist would have no problem calling at five dollars a minute from one of the phones on the plane to someone on the ground if they even needed coordination during their "mission"

I think a lot of people fail to grasp exactly how motivated and intelligent terrorists are....they think outside the box and are very, very good at it...they have no problems sacrificing anything to accomplish their goal (and in my opinion, that is one of their strongest assets)...

completely off topic, but I also heard the other day that missle defense systems are going to start being put on all commercial airliners, to defend against shoulder fired missles...

dmcJuly 15, 2005 8:51 AM

Bruce, care to comment/post on NYC's decision to block cell phone service in the tunnels, on the assumption that they could be used to detonate bombs?

I believe Raymond Kelly tried to get this reversed (as applied to the subway system?), saying he'd rather have riders have access to 911 in the event of an emergency.

glasserJuly 15, 2005 9:09 AM

Um, I thought that US planes currently told you not to use wi-fi anyway (for the same pseudo-technological reasons you can't use cell phones...)

BrianJuly 15, 2005 10:09 AM

"Bruce's anti-US Government is a lot to choke down on a daily basis. Keep in mind his criticism of the government is apparent on every blog he posts."
------
And for good reason..I for one think this country is the greatest, but due to the people, not the government and its own captialist profiteering agendas.

"This is just another end-run around the Bill of Rights that the American people will swallow out of aimless fear."
-----
I, for one, completly agree..
merely a psudo publicly visable attempt at security(see we are doing something to justify our 38 billion dollar budget), with no real added security, again..

ScottJuly 15, 2005 11:12 AM

My question is this though, how long would it take for them to actually activate something? Far less than 10 minutes me thinks, but that's just my opinion and I could be wrong.

ProbitasJuly 15, 2005 11:13 AM

"I can't see why terrorists would communicate at all while executing their plot. That'd only risk their plot and leave traces and evidence for audit afterwards. "

The fact that police are so quickly doscovering so much info about the bomb plot is not exactly testament to their powers of deduction. The fact is, flying under the radar is only important to the terrorists until they have the bomb mobile and in public. They do not care about audit trails and evidence left behind. You see, they're dead. After the fact detection does very little in terms of stopping this or any future attack, unless they are able to take down the entire organization. That is why they work in cells, to protect the larger organization.

Until we stop assuming our attackers will operate in the way we find most convenient, they will continue to have success, according to their definition of the term.

Pat CahalanJuly 15, 2005 2:02 PM

@ java49

Not sure what the point was of your post, unless you're just saying, "Bruce is a commie" or something equivalently inflammatory.

Remember that comments about examples of governmental stupidity aren't "anti-US government" posts. At best they'd be "anti-current administration" posts, but that assumes that the assessment is a political assessment, not a security one.

The security assessment is still valid.

NickJuly 15, 2005 2:09 PM


@java49

"Bruce's anti-US Government is a lot to choke down on a daily basis. Keep in mind his criticism of the government is apparent on every blog he posts."

Yet any criticism is always presented in terms of the security process, not obligatory pot-shots. If you choose to see this as anti-U.S. Government, I suppose that's your business; for my part, I'd prefer sensible thinking about security measures, even if this reveals failures in existing policies/procedures.

The label of 'government' does not sanctify security measures, anymore than claims of 'super-uncrackable 1138-bit hyperencoded foobar algorithms' makes an effective encryption product.

In other words, IF Bruce's assessments are accurate, THEN the criticism (stated or implied) of the government agencies implementing them is fair comment. On the other hand, IF the criticism was undeserved or a faulty analysis, THEN you could correctly call out his comments as being 'anti-U.S. Government'.

radioJuly 15, 2005 3:32 PM

If you had a battery-powered wireless transmitter in your luggage, and it were activated, how would anyone on-board even know it?

I think the technical assessments keep saying that it doesn't interfere with the aircraft's normal communication signals, so unless the cockpit is monitoring for low-power on-board signals in the WiFi band, how would they ever know?

Normal low-abiding passengers would never do such a thing, because they wouldn't want to be arrested and/or fined.

Suicide-bombers don't ever expect to get off the plane, so they literally have nothing to lose by surreptitious use of WiFi, Bluetooth, or anything else, as long as it can't be easily detected by someone on-board who could perhaps then stop them from carrying out their plans.

Regulations can't be effective if the perpetrator has nothing to lose.

--radio

Erik CarlseenJuly 15, 2005 3:50 PM

I can't believe that on a site populated by security-types I haven't seen anybody mention the most obvious law-enforcement use of packet sniffing - traffic analysis. You don't have to understand what's being said (although that can be helpful) - just the fact that Point A is communicating with Point B can be extremely interesting. For instance, if packets are exchanged between hosts on different aircraft (yes, you could use proxies, but more sophisticated analysis can defeat that countermeasure) that could send up a huge red flag and invite closer scruteny of the passenger lists, contacting the aircraft crew, etc.; if that turns up something, they can force the plane to land immediately, etc.

Erik CarlseenJuly 15, 2005 4:08 PM

Another comment - I see a lot of people being incredibly negative about seemingly every measure taken in counterterrorism. Now, some of them are flat out stupid and indefensible - I'm not saying that any criticism is invalid. But it's important to understand while there are ways to circumvent nearly every measure, a lot of prevention comes down to creating your own luck - not just with terrorism, but with nearly everything in life. You create circumstances where it is more difficult for things to go badly. You can't assume terrorists are idiots, but realistically they are not supermen either. They will make mistakes. You try to give them as many opportunities to make mistakes as reasonably possible, and you set yourself up to catch them if they do.

News flash to the ivory tower types: security will never be perfect. It may never even get close. But just because it's imperfect doesn't necessarily make a bad idea. Just because it's possible to defeat a countermeasure doesn't make the countermeasure worthless. Can we try to stick to more reasonable debates like comparative cost/benefit analysis (this turns up more real stupidity than anything else), and spend less time on "y0ur s3cur1ty 1$ t3h suxx0r - 1 c4n pwn y0u w17h my 1337 sk1llz!"

P.K. KoopJuly 15, 2005 4:22 PM

@Erik Carlseen

Traffic analysis is a statistical procedure, and such procedures require data for confidence. It is difficult to square this with the need for a warrant in 10 minutes.

In fact, it is difficult to square a 10-minute warrant with anything sensible. What is the scenario? We start with some potential terrorists. Up until now, we have had no suspicions about them; otherwise, we'd already have warrants. So after they get on planes, late-breaking news causes us to suspect they are planning an attack. Our response is ... to ask for a quickie warrant? That might help identify unknown allies, if any such exist, and if the suspects happen to contact them by wifi. But it would risk disaster if they aren't so courteous. Wouldn't it be more sensible to skip the warrant and just turn around the planes? Especially since we are apparently willing to do this if someone writes "BOB" on a magazine cover?

NickJuly 15, 2005 6:30 PM


@Erik:

So, based on a random packet sniff, we would conclude that the passenger manifest must be looked at, the cargo re-evaluated, and so on? Why are you presuming that terrorists MUST use WiFi to accomplish their goals? The objections are not ivory-tower idealism, but a simple question: how does this narrow approach significantly add to airline security? Are there measures that can be implemented further upstream that would confer similar benefits without the assumption that WiFi = Terrorist Tool, therefore WiFi = Bad?

As for your comment about security not being perfect, or never being perfect, that's a given - I don't think anyone here has ever made claims to perfect security, or that we can achieve perfect security. There are always new attacks, even if 'common sense' and cost/benefit analyses would dictate an attacker is simply wasting their time.

If a countermeasure is ineffective, no amount of fancy verbiage is going to make it more effective. You give me the impression that you believe we should be complimenting the Emperor on his daring fashion sense, rather than pointing out that he's naked.

The WiFi Warrant approach makes too many assumptions, the least of which is that all good terrorists use laptops to communicate.

Ari HeikkinenJuly 16, 2005 7:33 AM

"Another comment - I see a lot of people being incredibly negative about seemingly every measure taken in counterterrorism."

That's because most comments (not just here) are made on security measures that not everyone agree are worth the tradeoff (and are the ones that probably deserve to be debated about). It's likely that security measures that no one debate about are either worth the tradeoff or kept secret.

Ari HeikkinenJuly 16, 2005 8:02 AM

"They do not care about audit trails and evidence left behind."

Actually, they do care. Those masterminds behind attacks pretty much want to stay alive and undetected so that they can continue planning more attacks. The less they leave traces and the less they leak information the more likely they're going to avoid getting caught.

Ari HeikkinenJuly 16, 2005 8:47 AM

And you know, suicide bombers are a limited resource. They're going to optimize their use in any case. They're not just some mindless machines that go and blow themselves up for fun (those mindless lunatics get caught and the calm and reasoning ones will be the successful ones). You have to understand what they're up against and why they're doing it to be able to understand what security measures they might deploy. The attackers are going to optimize their attacks and make security decisions just like anyone else. After all, even when a suicide bomber dies they're not going to jeopardize their cause (they want to be able to continue their attacks indefinitely).

GaryJuly 18, 2005 4:33 PM

When is it ok for private citizens to "maximize their privacy options?"

Seems to me LE is always looking for more; and we're always expected to give something up to get it.

Too bad we've gotten so far away from the principle that the best goverment is the one that governs least.

RobertJuly 20, 2005 10:24 AM

What about the hostile aliens from Mars that are orbiting the planet so they can tap into Internet access and execute their world domination plot through Ebay?? Hmmm?

Don't you think we should be monitoring all airborne based internet access? After all, Aliens taking over the world via the Internet is a signifigant, high loss threat... given your basis of reality is in comic books.

I rest my case.

"Fear; if allowed free rein, would reduce all of us to trembling shadows of men, for whom only death could bring release." - John M. Wilson

Bruce SchneierJuly 20, 2005 11:03 AM

"What about the hostile aliens from Mars that are orbiting the planet so they can tap into Internet access and execute their world domination plot through Ebay?? Hmmm?"

Don't worry. We'll infect them with a Windows virus and crash their computers.

techjunkieOctober 23, 2007 2:58 AM

Someone said something about sniffing out packets going from one plane to another and pressing the panic button when that happens. I suppose encrypted messages should make grim-sounding alarms go off too?

Great, I send email to a colleague on the next plane over my company's VPN and both of our planes get turned back, or worse, both of us get arrested when we get off the plane. Boy, as hare-brained as the DHS can get, am I glad you dont work for them.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..