Schneier on Security
A blog covering security and security technology.
April 3, 2006
It's a really clever idea: bolts and latches that fasten and unfasten in response to remote computer commands.
What Rudduck developed are fasteners analogous to locks in doors, only in this case messages are sent electronically to engage the parts to lock or unlock. A quick electrical charge triggered remotely by a device or computer may move the part to lock, while another jolt disengages the unit.
Instead of nuts and bolts to hold two things together, these fasteners use hooks, latches and so-called smart materials that can change shape on command. The first commercial applications are intended for aircraft, allowing crews to quickly reshape interiors to maximize payload space. For long flights, the plane may need more high-cost business-class seats, while shorter hauls prefer a more abundant supply of coach seats.
Pretty clever, actually. The whole article is interesting.
But this part scares me:
A potential security breach threat apparently doesn't exist.
"I wondered what's to prevent some nut using a garage door opener from pushing the right buttons to make your airplane fall apart," said Harrison. "But everything is locked down with codes, and the radio signals are scrambled, so this is fully secured against hackers."
Clearly this Harrison guy knows nothing about computer security.
EDITED TO ADD: Slashdot has a thread on the topic.
Posted on April 3, 2006 at 12:57 PM
• 43 Comments
Slashdot had comments - some of which were reasonably thoughtful - on this recently, with the conclusions that
1) There's no way that it can be made "secure", and if it is, a DoS is probably trivial
2) It can't possibly be cost effective.
Actually, there is a way to secure such a system from attacks over the network -- simply don't connect it to a public network in the first place!
As was asked by some when the concept of an "Internet toaster" was put forth, "Why would you need to reconfigure your aircraft while sitting in an Internet cafe?"
Why not simply program the configuration in a portable PC, then connect the PC to the aircraft over a USB or other direct-connect method?
"NASA spent billions developing a pen that would write under all conditions in outer space. The Russians used a pencil."
My favorite comment from Slashdot:
"Don't worry they will design a nice obscure protocol for it."
> Actually, there is a way to secure
> such a system from attacks over the
> network -- simply don't connect it to
> a public network in the first place!
These fasteners respond to radio signals, presumably proprietary. Proprietary or not, radio signals can be cracked.
"Actually, there is a way to secure such a system from attacks over the network...Why not simply program the configuration in a portable PC, then connect the PC to the aircraft over a USB or other direct-connect method?"
Please tell me that EdT isn't involved in designing this thing!
"simply don't connect it to a public network in the first place!"
Perhaps that won't happen in the first place, but with "Ubiquitous Computing" or simply the merging of IP networks due to economic considerations.
I wonder if you could just record the transmitted signals and then retransmit them at an 'unfortunate' time?
What about EMP? If you fry the circuitry, is everything locked down and you have to cut it off? What if you can bypass the receiver and send release signals to the actuator, or are they in one chip?
I saw this a few years ago, and then one of the issues that was raised is that it would allow manufacturers to lock down the ability to open up certain parts from the end user. Specifically the auto industry, which has been working over the years to make it harder and harder for people to work on their own cars, so that they take them to the dealers.
But I'd expect something like this to get hacked in short order...
I would hope--always the optimist--that these would be used in non-mission critical portions of the airplane. You wouldn't have a reason to bolt the wings on (not interchangeable), and if the seats start to slide around a little in flight, no one is likely to get killed.
If the seats suddenly unlock in heavy turbulence, there will be wounded on board.
And how would you prevent a joker who borrows a "screwdriver" (PC that an engineer uses to unlock the bolts) from engaging it in full flight? And there is the issue of hackers that reverse-engineer the protocol and publish the specs on the web.
But what if the fastener software mutates and the fasteners start re-assembling themselves into different configurations? These configurations may then start cannibalizing other machinery to create yet more fasteners...
[This isn't a movie plot threat - it's a TV plot threat, and don't worry, the world was saved.]
Having the seats "slide around a little" on take-off or landing could be disastrous.
Could someone post the name of the manufacturer? Perhaps even a link?
I work with changeover in manufacturing plants (reconfiguring a line from 16oz to 20oz bottles for example) and I can think of some potential uses for my clients.
See www.changeover.com for more on what I do.
Neither the Slashdot nor the original link seems to work.
BLP: "...if the seats start to slide around a little in flight, no one is likely to get killed."
Actually, having the weight and balance change significantly during flight can cause a plane to crash quite spectacularly.
On cargo flights, if a heavy piece of cargo comes loose on takeoff, it will roll back to the back of the plane. Here's what it looks like when it happens on the ground:
(search for N806FT on the page)
When in the air, if that shifts the CG (center of gravity) so that it's to the rear of the CL (center of lift), then the plane will pitch up and stall, and since the CG is aft of the CL, it's in an unrecoverable state (won't pitch down again like in a normal stall) and will therefore crash.
What happens if all the seats in a commercial airliner become unbolted simultaneously on climbout.. all the people will slide to the back of the cabin. Quite a few will be hurt seriously by this, but if it shifts the CG enough, then it will also cause a crash just like the cargo plane.
I fail to see the point anyway - let's stay with the seat example. If you want to change the seat configuration, somebody has to physically lift the seats and move them to another place, or out of the plane. My car has removable seats as a feature - it takes about 30 seconds to remove a seat, using mere mechanical locks. No high-tech involved at all :-)
The first question is whether the system is technically secure. The second question is whether people panic when a nut with a garage-door opener phones the airline and makes some specific threats.
The quotes about securing an air-bag interested me:
"Installing airbags with conventional screws is tedious and expensive, and it doesn't provide security. An estimated 50,000 airbags are stolen each year for resale, he said.
Intelligent fasteners only respond to radio signals that use appropriate codes. This would prevent removal of airbags by unauthorized people"
They would need to give an 'electronic opener' to every authorised air bag repairer; it would not be long before we see copies of these 'electronic openers'.
Hmm, some comments:
1. Why is a 1024 bit ID for each bolt, which has to be encoded in the protocol (proprietary or not) not secure? The possibility of someone scanning it is absurd, and replay attacks can:
a. be defended against (simply Diffie-Hellman the protocol)
b. moving seats on a plane is not something done while usual passengers are around.
Sure, someone could still steal the codes, but I don't see that as that much different than someone sneaking into the plane and loosening the bolts slightly, so that they come off during flights.
Regarding EMP - if you blow up an EMP bomb inside a plane mid flight, seats coming off will be the least of your problems. Please keep in mind that navigational instruments are, today, confused by a simple cell phone.
A long individual ID for each bolt is necessary to make sure you always configure the right bolt. Imagine giving the command "Release bolt 34124" without noticing that there's more than one bolt 34124 on board...
Oooh, so there's code involved. Then surely there's nothing to worry about. Engh.
The difference between somebody stealing the codes and somebody loosening each bolt individually is the time it takes and the locality of where it's done. You'd need to be on the plane itself and spend a good few hours to release all the bolts, not to mention defeating security (okay we could discuss airport security all day, but there is at least some to defeat), the noise, the presence on the plane (ie. the longer you're there the greater the chance of your getting caught). Couple this with me sitting in the departure lounge legitimately using my laptop to browse the internet while at the same time sending the command to the seat fasteners to all release.
Yes there are ways to defeat this and secure it. However the difference in using this on your door / house / car and them being broken and them being used on the cabin door / cockpit door / seat fasteners on a plane are quite significant - you lose your TV when they break into your house - you lose a plane, the passengers, the crew and the location of where the plane comes down when they release those fasteners.
It's a stupid idea. A very stupid idea. The worst of it is "A potential security breach threat apparently doesn't exist." - that's like a red rag to a bull ....
"An estimated 50,000 airbags are stolen each year for resale, he said."
I wonder where you can buy a stolen airbag? And why?
If you are in a minor accident and your airbag goes off, you need to have it replaced. The shop that installs the new airbag may be installing a stolen airbag and charging you (or the insurance company) for a brand new one.
"I wonder where you can buy a stolen airbag? And why?"
As was noted, it does not take much of an impact to cause airbags to deploy so you will need a replacement part. Airbags are expensive to replace and easy to steal, much like the stereo systems used to be.
"1. Why is a 1024 bit ID for each bolt, which has to be encoded in the protocol (proprietary or not) not secure? The possibility of someone scanning it is absurd, and replay attacks can:
a. be defended against (simply Diffie-Hellman the protocol)"
Do you realize the computing power required to do Diffie-Hellman with a 1024 bit key? If it takes a normal desktop computer a few seconds, how are you going to get that computational power into a bolt and still be able to sell it for $1?
Anyhow, I'm not really convinced that commercial aircraft was the main market the makers had in mind. Remotely releasable fasteners are a huge issue for spacecraft. Ever wonder how they separate those different stages in midflight? In the past, they've commonly used things like exploding bolts (no kidding), but those have some obvious disadvantages, not least of which is that when they're released in orbit they create a lot of orbital debris. I imagine radio-controlled releasable fasteners would be quite useful for the space industry.
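The replay question raised in the comments (record a command, retransmit it later) and the objection that Diffie-Hellman is too heavy for a cheap bolt can both be met with a symmetric challenge-response. The following is an added example, not code from the post, the commenters or the fastener maker; the `Fastener` class, the `command_tag` function, the `LOCK`/`UNLOCK` commands and the pre-shared per-fastener key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def command_tag(key: bytes, fastener_id: bytes, nonce: bytes, command: bytes) -> bytes:
    """HMAC binding one command to one fastener and one challenge."""
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (fastener_id, nonce, command))
    return hmac.new(key, msg, hashlib.sha256).digest()

class Fastener:
    """Hypothetical receiver: issues a challenge, accepts one answer to it."""

    def __init__(self, fastener_id: bytes, key: bytes):
        self.fastener_id = fastener_id
        self._key = key
        self._pending = None  # outstanding challenge, if any
        self.locked = True

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def execute(self, command: bytes, tag: bytes) -> bool:
        # A challenge is consumed by the first attempt, valid or not.
        nonce, self._pending = self._pending, None
        if nonce is None or command not in (b"LOCK", b"UNLOCK"):
            return False
        expected = command_tag(self._key, self.fastener_id, nonce, command)
        if not hmac.compare_digest(expected, tag):
            return False
        self.locked = command == b"LOCK"
        return True

def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed per-fastener secret
    bolt = Fastener(b"bolt-0001", key)   # constructed identifier
    # Legitimate unlock; assume an eavesdropper records command and tag.
    nonce = bolt.challenge()
    captured = (b"UNLOCK", command_tag(key, bolt.fastener_id, nonce, b"UNLOCK"))
    results = {"legit_unlock": bolt.execute(*captured)}
    # Legitimate relock with a fresh challenge.
    nonce = bolt.challenge()
    bolt.execute(b"LOCK", command_tag(key, bolt.fastener_id, nonce, b"LOCK"))
    # Replay with no challenge outstanding.
    results["replay_no_challenge"] = bolt.execute(*captured)
    # Replay after requesting a new challenge: the old tag no longer matches.
    bolt.challenge()
    results["replay_new_challenge"] = bolt.execute(*captured)
    # A tag computed for LOCK cannot authorise UNLOCK.
    nonce = bolt.challenge()
    lock_tag = command_tag(key, bolt.fastener_id, nonce, b"LOCK")
    results["command_swap"] = bolt.execute(b"UNLOCK", lock_tag)
    results["still_locked"] = bolt.locked
    return results

if __name__ == "__main__":
    print(demo())
```

The shared key still has to be provisioned into and protected inside every authorised tool, and nothing here prevents jamming, so the copied-opener and DoS concerns raised in the comments remain.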
"NASA spent billions developing a pen that would write under all conditions in outer space. The Russians used a pencil."
@jvd, originally NASA thought pencils were just fine. I understood that after Apollo I toasted its crew on the launch pad in '67, they became paranoid & re-tooled everything to be non-flammable. That included pencils and even playing cards, replaced w. 52 metal foil "digital dexterity devices".
While they are interesting, I note the TZ video is pushing these fasteners as a way to ensure that only genuine car parts are used.
Oh, for the days of incompatible protocols, when avionics and military equipment all used their own specialized hardware and software communications standards (if they used standards at all). Now that everything is off the shelf, a typical installation of these gizmos will use USB or Bluetooth or 802.11xyz for some part of the physical layer and IP for the software stack and be almost instantly hackable.
Automobiles might be the only market big enough to justify custom development of nonstandard software and physical connectors; dealerships will love the business advantage of yet another barrier to entry for independent mechanics. (If you want to see this arms race in action already, look at the fight over customization of digital engine controllers.)
"I wonder where you can buy a stolen airbag? And why?"
Someone famous once said "Burglary is not rational"...
Alas, in rational terms airbags are very expensive and so there's a grey/black market for them. Look for cheap car parts and you are bound to eventually find airbags as well.
"If you want to see this arms race in action already, look at the fight over customization of digital engine controllers."
I know I'm showing my age here, but I was thinking of the introduction of the torx screwdriver. I remember when GM started using those... I had to buy a $15 screwdriver to change a headlight.
"Someone famous once said 'Burglary is not rational'..."
Either you're misunderstanding, or I'm not being clear. I believe that people who commit burglary are completely rational within their own system of rationality. I'm actually working on a long essay that explains this, so I'd just as soon not get into it now. I definitely would like to send you a draft.
Bruce: I'd like to see that essay--even in draft format. I'm a student of ethics and game theory and a certain intersection of those two disciplines seems to indicate that unethical behavior is necessarily irrational. I'd like to see what your take is.
>> I understood that after Apollo I toasted its crew on the launch pad in '67, they became paranoid & re-tooled everything to be non-flammable. That included pencils and even playing cards, replaced w. 52 metal foil "digital dexterity devices".
Broken pencil points are an annoyance in gravity, they fall on the floor. In space they have the very real risk of winding up in eyes or in instruments. Not good.
"I believe that people who commit burglary are completely rational within their own system of rationality."
I think I understand what you're trying to prove but since the concept of burglary (and murder, for that matter) can not exist solely within a single person's system (I can't burglar myself) it has to be seen as a "response-dependent" property (per Hume's writing). Thus, even if you end up proving that one single person has a completely unique and anomalous "system of rationality" then you still have the problem of explaining its relativity to the other systems that are impacted or at least involved, no? In other words, we all agree that time is relative (I live in a time zone different from your time zone) but we function with a measure of relativity that is workable (each zone apart represents one hour plus/minus, etc.).
This goes back to an earlier discussion on your blog about the impact of distance between philosophical axioms (I think it was about privacy regulation that time, but I'm feeling too lazy to look it up):
If we do not have enough common ground from which we can recognize each other's system, we will need another shared system of resolution to bridge or at least translate our frameworks. Even if we don't speak a single word in Finnish, for example, we could still try and identify a framework of nouns, verbs, and so on in the text that would at least show that it is a functional language and not just a series of random characters with no structure/meaning.
"I'd just as soon not get into it now. I definitely would like to send you a draft."
Oh, whoops. Sorry. I'd be happy to review your essay offline...my contact info is in my sig below.
@Bruce, Davi, Joe -
You might take a look at Kohlberg who proposed that the staged development of moral reasoning skills paralleled cognitive development. In essence, an experienced & intelligent person "should" be able to know what is right & wrong.
However comparatively few people make it to the last stage of moral maturity, and even then, actual behaviour is liable to be over-ridden by social conditioning.
This may go some way to explain why petty rules are enforced at the expense of the overall result.
I'll third Davi and Joe, I'd love to see that.
My starting point in the irrationality/ethics discussion is Kant who states that "Act only according to that maxim by which you can at the same time will that it would become a universal law". This maxim is apparent in the payoff matrix of Prisoner's Dilemma-type games where, if both agents cooperated (or acted rationally) then they have a "win-win" payoff.
The problem occurs when an agent acts based on the notion that since other agents will act rationally, acting "irrationally" gives a "better-than-win" payoff (ie defect when the other agents all cooperate). Some have even posited that this is the "hyper-rational" behavior since it has a better payoff than acting rationally.
Anyway, I'm awaiting Bruce's paper, so I can see what he has to say.
For those of you who think burglars are less intelligent than the rest of us, WAKE UP! Not all burglars are dumb! Some are very smart people. And for those of you who think encrypted digital code technology is going to stop thieves from gaining access to your garage, please go take an IQ test, because if you believe that, you don't need to read the rest of this post.
When I went to locksmith school, we were taught to understand thieves. Locksmiths play a mental game of chess with thieves, and there are several things that you need to understand about thieves! If a thief is driving down the street and sees a garage that they would like to get into, and the garage door opener is updated to where a code grabber won't work, all they have to do is go to the internet and buy vehicle entry tools, no questions asked! Then follow their victim's car to wherever they go, wait till they're out of sight, and no more breaking windows to draw attention! In fact, most people won't even know (until it's too late) their remote is missing. Digital technology is not the answer! There are digital thieves among us! And there is still the problem of the burglar being able to gain access to the UL325 rope.
Since I learned about garage door burglary, I have been involved in garage door security access control R&D. I have made it my passion to develop access control products that cannot be overridden by digital signals, and I have developed a product that completely eliminates the UL325 rope. It fits in the UL guideline and allows the carriage to be secured to the bar-link, meaning the thief will not be able to unlock the carriage from the railing from the outside of your garage door! And when the security part of this device is not engaged, the door functions completely normally.
I know that these products sound very complicated to some people, so complicated that a homeowner would not be interested. But in fact, just the opposite is true! These products are very simple to understand and operate. They are very homeowner friendly. But to a burglar, thief, crook, they are their worst nightmare!
These prototype products are installed on my garage door, and they work exactly the way they are supposed to! I am planning to bring these products to the market in early 2007, but it all depends on how the R&D goes from here on out. Look for > The Easylock with SRL and Double-locking Technology, and NO-code.