Schneier on Security
A blog covering security and security technology.
« Terrorism Risks of Google Earth |
| Military Secrets for Sale in Afghanistan »
April 11, 2006
Air Force One Security Leak
Last week the San Francisco Chronicle broke the story that Air Force One's defenses were exposed on a public Internet site:
Thus, the Air Force reacted with alarm last week after The Chronicle told the Secret Service that a government document containing specific information about the anti-missile defenses on Air Force One and detailed interior maps of the two planes -- including the location of Secret Service agents within the planes -- was posted on the Web site of an Air Force base.
The document also shows the location where a terrorist armed with a high-caliber sniper rifle could detonate the tanks that supply oxygen to Air Force One's medical facility.
And a few days later:
Air Force and Pentagon officials scrambled Monday to remove highly sensitive security details about the two Air Force One jetliners after The Chronicle reported that the information had been posted on a public Web site.
The security information -- contained in a "technical order" -- is used by rescue crews in the event of an emergency aboard various Air Force planes. But this order included details about Air Force One's anti-missile systems, the location of Secret Service personnel within the aircraft and information on other vulnerabilities that terrorists or a hostile military force could exploit to try to damage or destroy Air Force One, the president's air carrier.
"We are dealing with literally hundreds of thousands of Web pages, and Web pages are reviewed on a regular basis, but every once in a while something falls through the cracks," Air Force spokeswoman Lt. Col. Catherine Reardon told The Chronicle.
"We can't even justify how (the technical order) got out there. It should have been password-protected. We regret it happened. We removed it, and we will look more closely in the future."
Turns out that this story involves a whole lot more hype than actual security.
The document Caffera found is part of the Air Force’s Technical Order 00-105E-9 - Aerospace Emergency Rescue and Mishap Response Information (Emergency Services) Revision 11. It resided, until recently, on the web site of the Air Logistics Center at Warner Robins Air Force Base. The purpose is pretty straight-ahead: "Recent technological advances in aviation have caused concern for the modern firefighter." So the document gives "aircraft hazards, cabin configurations, airframe materials, and any other information that would be helpful in fighting fires."
As a February 2006 briefing from the Air Force Civil Engineer Support Agency, explains that the document is "used by foreign governments or international organizations and is cleared to share this information with the general global public…distribution is unlimited." The Technical Order existed solely on paper from 1970 to mid-1996, when the Secretary of the Air Force directed that henceforth all technical orders be distributed electronically (for a savings of $270,000 a year). The first CD-ROMs were distributed in January 1999 and the web site at Warner Robins was set up 10 months later. A month after that, the web site became the only place to access the documents, which are routinely updated to reflect changes in aircraft or new regulations.
But back to the document Caffera found. It's hardly a secret that Air Force One has defenses against surface-to-air missiles. The page that so troubled Caffera indicates that the plane employs infrared countermeasures, with radiating units positioned on the tail and next to or on all four engine pylons. Why does the document provide that level of detail? Because emergency responders could be injured if they walk within a certain radius of one of the IR units while it is operating.
Nor is it remarkable that Secret Service agents would sit in areas on the plane that are close to the President’s suite, as well as between reporters, who are known to sit in the back of the plane, and everyone else. Exactly how this information endangers anyone is unclear. But it would help emergency responders in figuring out where to look for people in the event of an accident. (Interestingly, conjectural drawings of the layout of Air Force One like this one are pretty close to the real deal.)
As for hitting the medical oxygen tanks to destroy the plane, you'd have to be really, really lucky to do that while the plane is moving at any significant speed. And if it's standing still and you are after the President and armed with a high-caliber sniper rifle, why wouldn’t you target him directly? Besides, if you wanted to make the plane explode, it would be much easier to aim for the fuel tanks in the wings (which when fully-loaded hold 53,611 gallons). Terrorists don’t need a diagram to figure that out. But a rescuer would want this information so that the oxygen valves could be turned off to mitigate the risk of a fire or explosion.
An Air Force source familiar with the history and purpose of the documents who asked not to be identified laughed when told of the above quote, reiterated that the Technical Order is and always has been unclassified, and said it is unclear how the document can be distributed now, adding that firefighters in particular won’t like any changes that make their jobs more difficult or dangerous.
"The order came down this afternoon [Monday] to remove this particular technical order from the public Web site,’ said John Birdsong, chief of media relations at Warner Robins Air Logistics Center, the air base in Georgia that had originally posted the order on its publicly accessible Web site.
According to Birdsong, the directive to remove the document came from a number of officials, including Dan McGarvey, the chief of information security for the Air Force at the Pentagon."
Muddying things still further are comments from Jean Schaefer, deputy chief of public affairs for the Secretary of the Air Force. "We have very clear policies of what should be on the Web," she said. "We need to emphasize the policy to the field. It appears that this document shouldn't have been on the Web, and we have pulled the document in question. Our policy is clear in that documents that could make our operations vulnerable or threaten the safety of our people should not be available on the Web."
And now, apparently, neither should documents that help ensure the safety of our pilots, aircrews, firefighters and emergency responders.
Another news report.
Some blogs criticized the San Francisco Chronicle for publishing this, because it gives the terrorists more information. I think they should be criticized for publishing this, because there's no story here.
EDITED TO ADD (4/11): Much of the document is here.
Posted on April 11, 2006 at 2:40 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Interesting, and strange - I mean, it doesn't really talk about the technologies involved, it doesn't talk (from the description posted here) about the radar guided missile jammers, countermeasure capabilities in terms of expendables (Which can easily be pyrotic in the form of flares) not threat warning equipment details ... so what's the point? Once people get onto the plane, it's very hard work to get'em back out anyway.
Must have been a slow news day in San Francisco. Sure - it probably doesn't need widest dissemination but its nothing to lose sleep over.
A security expert I know is fond of saying that "Security is a tradeoff." The tradeoff itself is the real story here. Which is more likely, terrorists attacking Air Force One, or Air Force One being involved in an accident? Which has greater negative consequences to be protected against? I'm sure you can think of a few other things, but it seems to me that not having the information available is a worse idea than having it available.
The reporting of a non-story is itself an interesting story. So the air force got embarassed, did not stand their ground, and pulled the site off from public gaze.
What endures is this line from the news report linked to:
"We can't even justify how (the page) got out there," Reardon told the Chronicle. "It should have been password-protected."
Documents mirrored on cryptome:
The only semi-interesting things here are that the AF1-747s carry two APUs,the lack of mention of any radhaz area associated with a radar jamming system, and the absence of any guidence on dealing with pyrotechnic-based countermeasures (chaff, flares, etc).
As for the, oxygen tanks, they're in the same place as those on a civil 747.
I guess the trade off went this way. Do we try to explain the security trade off to the people we have been manipulating on security trade off or we just not worry about the firefighters, etc since it is very unlikely that they will actually have to deal with AF1?
Nah, we already have a large investment in stupid people. If AF1 ever goes down we will make heroes of those valiant firefighters that die trying to save the president.
"Guidence on dealing with pyrotechnic-based countermeasures (chaff, flares, etc)."
For that, you would need to go to Technical Order (T.O.) 11A-1-46, Fire Fighting Guidance, Transportation and Storage Management Data and Ammunition Complete Round Chart.
Besides, if you wanted to make the plane explode, it would be much easier to aim for the fuel tanks in the wings (which when fully-loaded hold 53,611 gallons).
I don't watch TV, but a little web research shows Mythbusters did a couple segments on this:
Exploding gas tank: a car can explode when the gas tank is shot (original episode summary). They redid this with tracer rounds and confirmed that tracer rounds can ignite a gas tank. This doesn't contradict their original result that ordinary (legal) bullets cannot.
Degree of difficulty causing an airplaine gas tank to explode using tracer rounds left as an exercise for the reader.
Oh no, there *IS* a story here.
It's the story of how unclassified information that would be useful for emergency response personnel is yanked from a public web site as soon as a Boy Cries Wolf.
The follow-up story will also be interesting.
It will be the story of how the information that was yanked will finally end up in the hands of emergency responders, only delayed, complicated, or with silly admonitions emblazoned on it against sharing it with unauthorized personnel.
I predict that the latter story will be very quiet, and the Air Force will simply reissue the docs, perhaps slightly edited, in something like 4-6 months, and there won't be any story written about it.
"Degree of difficulty causing an airplaine gas tank to explode using tracer rounds left as an exercise for the reader."
I'm not quite sure about kerosene (jet fuel), but gasoline isn't explosive when in a can/tank/whatever. You have to dispurse it, then ignite it, then it blows up.
I believe that kerosene doesn't explode in quite the same was as gasoline, but I could be wrong.
Working from memory, I'm pretty sure that avtur (kerosene) has a similar flashpoint to diesel, and is harder to ignite than mogas/avgas. In all cases, getting the right fuel/air mixture is critical to creating a decent explosion.
What I would have been expecting to see would be annotations showing the location of flare launchers and so forth. For obvious reasons, it's generally a good idea to pay particular attention to flares and other pyro when dealing with an aircraft that's on fire.
@Dave: All USAF aircraft use JP-8, which is specified to have flashpoint and autoignition temperatures of 38 and 210 degrees C respectively. For comparison, #2 diesel has a flashpoint of around 50C.
Of course, the fuel in any aircraft that's just landed is going to be well below zero anyway, making the flash point moot in most circumstances. And I wouldn't be surprised if the AF1-747s have a nitrogen inerting system, either.
Is it just me or is cryptome.org down?
Conspiracy-theories to the front: DoS, Smartbombs, EMP - or just heavy load?
Put secrecy between you and a firefigher coming to rescue you?
Reminds me of the old song we used to chant when dead drunk in a bar:
The house, the house is on fire!
Let the motherf* burn,
burn motherf*, burn!
@Paeniteo: It's really slow, but it's not down for me. Just try again.
The problem is that after their completely over-the-top approach on minor things such as people taking photos of public buildings they now have to be seen to be doing something
I don't watch TV, but a little web research shows Mythbusters did a couple segments on this
So it's important an important opsec violation and must not be disclosed for AF1...but it's okay for Navy fighters?
...are they making coherent risk based decisions or reflexive knee jerks. Kind of a neat document. I'm glad someone is thinking clearly. I'd say flares/chaff are of less interest to an assaliant then which parts of the airframe are fiberglass and which are titanium.
I remember watching on the history channel an hour long movie about Air Force One. It even had technical animations about some of the defenses.
I guess this video needs to be removed from the store.
Air Force One: A History DVD
> I'd say flares/chaff are of less interest
> to an assaliant then which parts of the
> airframe are fiberglass and which are
Early-generation 747? 100% aluminum. Boeing only started getting into composites in a big way with the 777.
Interesting that the Pres is up-front where first-class traditionally is, as far as possible from the press back in "coach". That sends the right status message, but is it the best safety choice? I seem to recall that the seats right at the back have a better survival chance in crashes. Anyone know?
These thing have keys to turn them on right? So its all about keeping the keys away from the bad guys (Bob, Alice, Mohammed, take your pick). Afterall, the vulernabilities of large aircraft are pretty well documented in the public domain. In particular, resistance to aircraft theft is only as good as the key management scheme (and some access controls). Imagine firing up 350,000 lbs of thrust from your key ring, click, click, beep, varooom. Of course some fool might find a way to use Quasars to cause trouble, but that has not been carefully analyzed and may be years away from practicality.
"These thing have keys to turn them on right?"
I would bet money that they don't.
Standard projectile design in WWII, for purposes of setting the other plane alight (and note we're dealing with gasoline here) was incendiary or armor-piercing incendiary. Both relied on a compound that flashed on impact, in the nose of the round or, in the pure incendiary, through its center as well. Since it was right under the copper jacket, the flash would most likely happen upon impact, outside the fuel tank. The idea was that if you hit the gas tank (or in the case of a self-sealing tank design, hit it a lot) some gas would leak, and the later incendiaries would set it afire.
"These thing have keys to turn them on right?"
I would bet money that they don't.
I would bet likewise. A good friend is an aviation insurance broker, and he carries what he calls the "universal airplane key" that has worked for him on everything from a Piper Cub on up to a 727. It's one of those flat four-tipped keychain screwdrivers that Sears sells for a buck.
Once inside, it's little more than mags on, fuel on, hit Start and off you go.
There's essentially no security on most aircraft - it's up to the airport personnel to control who's on the ramp. Post-9/11 saw the addition of actual locks to cockpit doors on commercial aircraft, but most civilian craft are secured by the hope that people that know how to fly are honest and that people who don't know how to fly won't be interested in getting in.
What's next, schematic diagram of Cadillac One?
the Air force 1 shoudnt be revealed and period!!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.