Schneier on Security
A blog covering security and security technology.
« Conversation with Kip Hawley, TSA Administrator (Part 4) |
| Face Recognition Test Results »
August 2, 2007
Security Hole at Phoenix Airport
We've discovered a 4.5 hour time frame each night when virtually anything can be brought into the secure side of Phoenix Sky Harbor Airport. There's no metal detector, no X-ray machine, and it's apparently not a problem.
Afraid to show her face, one long time Sky Harbor employee talks about the security most people don't see.
Lisa Fletcher: "You're telling me Sky Harbor's not safe?"
Employee: "I'm telling you Sky Harbor's not safe and hasn't been for a long time."
It's what we discovered in the middle of the night -- TSA agents going away, and security guards taking over. It's 4.5 hours -- every night -- when an employee badge becomes an all-access pass.
I have mixed feelings about this story. On the one hand, it's a big security hole that not everyone knew was there. On the other hand, airport employees are allowed to bring stuff in and out of airports without screening all the time. So yes, the airports aren't secure -- but they never have been, so what's the big deal?
The real issue here is that people don't understand that an airport is a complex system and that securing it means more than passenger screening.
Posted on August 2, 2007 at 11:35 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Not only is it a huge vulnerability, but it is a significant one that has never been really closed:
I wish you asked Kip Hawley the question of:
Why did the TSA for so long resist scanning all ground crew, when this vulnerability has been responsible for both the PSA flight 1771 crash in 1987 and the terrorist hijacking in Algeria? If you are going to do CYA security, I think this is a critical one.
Phoenix Mayor Phil Gordon gave an interview shortly after this went public. His demeanor toward the reporter was very disturbing to say the least. In it, he staunchly defended the security measures in place as being more than adequate. He gave almost no straight answers to the questions about the lack of searches and attacked the security consultants as having a greedy agenda.
Since then they've taken steps to correct the measures. I don't know that he's given a public statement and even if he did I doubt you could hear anything over the sound of backpedaling.
I allways asked, how you could avoid smuggling "dangerous liquids" to duty-free shops.
It's more complicate without support from workers in the shop.
What's about airport services: Liquids to clean the airport, etc.?
Closing every hole is too expensive.
"Closing every hole is too expensive."
That is why the TSA tries to pass the expense off onto the travelers. How many hours are wasted each year at the airport?
Time is money.
Security is about the evaluation of threats and reducing their effectiveness.
What we have is cheap, reactive "security theatre".
This is utterly, utterly nothing new - it's a classic version of the idea that the best time to launch an attack is while the defenders are changing the guard, or "send out masses of spam while your ISP's abuse-desk is on night-shift".
I'd be most annoyed learning this if I was a scrupulous day-shift employee. I once (travelling lots, cannot recall the city) saw the TSA guys bringing a TV monitor and a bunch of office supplies fresh from the store thru their x-ray machine. The employee who brought the stuff to screening hung around, not interfering, while they were screened by other staff. Once passed, they deployed the pens and postits to be used (the TV was some secondary monitor for the X-ray machine also). Yes, they screened stuff to be used only inches inside the secure zone, because that's what the regs say to do.
Those TSA employees were at least trying. Too bad every other part of the system (and it continues to see, the system itself) is failing them.
I've been wondering for a long time what will happen when a baggage handler goes over to the Dark Side, adds a package of his own, and a plane blows up as a result.
Can I suggest.... part 6 to the 5 part series?
TSA knew about it for 2 years and did what?
This is all an artifact of the airlines being forced to pay for security, and not really caring what happens as long as someone else can be blamed for it.
I sympathize with the guards. What do you do, stay alert when you have authority to do NOTHING, or slink off and try to hide and curse the scheduler for sticking you on such a horrible post?
I have always found it interesting that banks and airports have such poor security, and many other non-regulated sites have excellent security. I think the poor security is an artifact of the level of regulation . . . the security rises to the level of regulation, and no further. Ridiculous levels of regulation are required for nuclear power plants, to achieve barely effective security. (Barely == cost effective, I might add, so blame the utilities for that one.)
I have wondered how restaurants in the "secure area" could work with full-size kitchen knives. I have seen them on several occasions.
@MathFox: "restaurants in the "secure area" (...) with full-size kitchen knives"
Well, they don't give them to you. Along with your meal, you get plastic knives.
I assume, once they discover theft of a knive, they will alert security which will evacuate the secure area so that everybody can be re-screened.
Temporaily grounding all aircraft and re-screening people that boarded shortly ago may be added for extra fun.
@MathFox: "full-size kitchen knives"
Good point, the knives are there and all you need is an accomplice on the kitchen staff. But, nothing is perfect and screening people for knives makes it harder (not impossible) to get a knife on board. Every time you need an accomplice for something it makes the plan more complicated, it makes it harder to execute the plan, it makes it more likely some honest person is going to find out about it and tip off the police, and more likely that the entire plot will fail.
The fact that a security technique (screening for knives) is not foolproof doesn't mean that its not a good security policy. Its a cost benefit analysis. Screening for weapons -- good (at least as far as my evaluation). Preventing me from carrying my 20 oz. Diet Mountain Dew -- not so good.
Burbank airport, some years ago: after the last flight departs for the night, the security check station is left unmanned.
You could bring in whatever weapons you want (wait until there's a late arrival unloading to help mask the op) and hide them in a locker/restroom/etc. for someone to pick up the next day.
Is it still that way? Beats me, but after this article I wouldn't be surprised at all.
For the most part TSA Officers are dedicated and efficient, they are crapped upon by piss poor management practices, they are stretched out so thin, that they operate below “Skeleton Crew Levels��?, causing a highly overworked security force that is fatigued, and then becoming inattentive and unaware of their surroundings.
Most units, specially at smaller airports, moral is very low due to an overworked security force caused by low man-power and extremely high requirements of performance and accountability, and that doesn’t include the “Harassment��? and “Constant Scrutiny��? by members of management that in reality don’t help at all since promotions, because the egotistical jerks feel they are now beyond the mission and they are now specialized in “Micro-Management��?.
Most loopholes in security programs are caused due to stipulations placed by "Bean-Counter" theories, cutting "man-hours" in order to lower operating expenses.
My main point is, "Don't blame the soldier", but instead, "Question the Generals and Officers in charge", while at the same time, investigate the Bean-Counters" that cut things short in order to lower expenses, hoping for a "Pat on the back while their boss says, "Attaboy", you know how to make the team work harder for less money��?.
Our government has developed a knack for higher paid politicians, directors and supervisors while those facing the real dangers and doing the actual manual labors are under compensated for their efforts, people on the front line are made to work odd shifts and bad hours while the pin-heads in management take the usual 9 to 5 with Saturday & Sunday off.
Worst of all, in TSA, most off those who are in charge of the operations have never worked as screeners; some have been place in supervisory positions without experience, because they knew some body.
If, T S A’s human resources department would attempt to have more knowledge of security and properly investigate operations around the country and at least reduce these issues by about 40%, our security would increase over 70% just by causing an improvement in the moral of the work force.
You can’t continue operating below the minimum required crew, in the field of law enforcement and security; it is a “Dangerous Risk��? to operate and cover a post with only one or two persons, when in all reality commonsense tell you that you need at least four.
If you want something done, you can do it. It doesn't matter if the hole is 4.5 hours or minutes. In just reading the last ten posts I heard a variety of items described that I could use to due horribly nefarious things with. The name of the game is conviction. If someone wants it done bad enough, it will happen. The idea is to get it closed up before something does happen. It is the reason the other 19.5 hrs of the day are watchdogged, not for some quasi-political, number-crunching nonsense.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..