Schneier on Security
A blog covering security and security technology.
January 6, 2010
Breaching the Secure Area in Airports
An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting the evacuation of a terminal and flight delays that continued into the next day. This isn't common, but it happens regularly. The result is always the same, and it's not obvious that fixing the problem is the right solution.
This kind of security breach is inevitable, simply because human guards are not perfect. Sometimes it's someone going in through the out door, unnoticed by a bored guard. Sometimes it's someone running through the checkpoint and getting lost in the crowd. Sometimes it's an open door that should be locked. Amazing as it seems to frequent fliers, the perpetrator often doesn't even know he did anything wrong.
Basically, whenever there is -- or could be -- an unscreened person lost within the secure area of an airport, there are two things the TSA can do. They can say "this isn't a big deal," and ignore it. Or they can evacuate everyone inside the secure area, search every nook and cranny -- inside the large boxes of napkins at the fast food restaurant, above the false ceilings in the bathrooms, everywhere -- looking for anyone hiding or anything anyone hid, and then rescreen everybody: causing delays of six, eight, twelve, or more hours. That's it; those are the options. And there's no way someone in charge will choose to ignore the risk; even if the odds of a terrorist exploit are minuscule, it'll cost him his career if he's wrong.
Several European airports have their security screening organized differently. At Schiphol Airport in Amsterdam, for example, passengers are screened at the gates. This is more expensive and requires a substantially different airport design, but it does mean that if there is a security breach, only the gate has to be evacuated and searched, and the people rescreened.
American airports can do more to secure against this risk, but I'm reasonably sure it's not worth it. We could double the guards to reduce the risk of inattentiveness, and redesign the airports to make this kind of thing less likely, but those are expensive solutions to an already rare problem. As much as I don't like saying it, the smartest thing is probably to live with this occasional but major inconvenience.
This essay originally appeared on ThreatPost.com.
EDITED TO ADD (1/9): A first-person account of the chaos at Newark Airport, with observations and recommendations.
Posted on January 6, 2010 at 6:10 AM
• 56 Comments
Still I have been wondering if terrorists could exploit this phenomenon. Not by trying to sneak past security with weapons but by exploiting the chaos that ensues. With all these passengers having to go through the screening again security personnel may be under pressure to speed things up which might result in a lower level of screening. An even simpler exploit is to set off an explosion in the now overcrowded departure area or in the long queues at the security gates instead of targeting a plane.
Instead of simply doing a full search for something as big as a person, wouldn't they have to search for something as small as a knife?
Maybe the guy just went in to hide a weapon that some other terrorist would retrieve for a flight the next day.
The bigger the airport, the bigger the inconvenience. Perhaps the large airports (ex., O'Hare) should have some form of segmentation strategy so that this wouldn't involve shutting down the whole place.
"Still I have been wondering if terrorists could exploit this phenomenon. Not by trying to sneak past security with weapons but by exploiting the chaos that ensues."
It happens so rarely that any would-be terrorist would die of boredom waiting for it to happen.
Bruce, re that reply, I think you're missing the idea that an ally of the bomb-detonating terrorist could *make* it happen.
I suspect exit lane monitors don't have the authority to physically prevent anyone from entering the sterile area the wrong way.
Many of the exits I've been through also have sensors detecting which way people are moving. Older ones use radar, while newer ones use ceiling-mounted cameras.
What's even more embarrassing is the fact that they couldn't find the guy who breached security. You'd think there'd be enough cameras to track him.
Schiphol Airport has a secure area just like the US, and some flights, like those to the US, have additional screening at the gate. When I fly from Schiphol to Sweden I don't have the gate inspection.
The same Schiphol Airport screening that let the Nigerian bomber on the plane and ruined traveling back into the states for the rest of us?
Or you could just install a one-way gate at the exit point, like turnstiles in a subway. That would probably eliminate most of the mistake entries and leave the security people to focus on what are probably more deliberate attempts.
"Instead of simply doing a full search for something as big as a person, wouldn't they have to search for something as small as a knife? Maybe the guy just went in to hide a weapon that some other terrorist would retrieve for a flight the next day."
"Bruce, re that reply, I think you're missing the idea that an ally of the bomb-detonating terrorist could *make* it happen."
I thought of that.
But aside from some dumb movie plots, I can't think of a way to make this work that would be better than using that compatriot for the real plot.
"Schiphol Airport has a secure area just like the US, and some flights, like those to the US, have additional screening at the gate. When I fly from Schiphol to Sweden I don't have the gate inspection."
"The same Schiphol Airport screening that let the Nigerian bomber on the plane and ruined traveling back into the states for the rest of us?"
Yes. Also the same Schiphol Airport that serves the best smoked salmon plates I've found in any airport around the world.
I don't think either fact is relevant to where the airport places its scanning equipment.
The solution is simple ;)
When you arrive at the airport you are shot with an anesthetic gun, stripped butt naked, all your cavities are searched, you are X-rayed, checked for various microorganisms etc.
If you pass you will wake up in your destination and may (if they've not been stolen or lost) put your clothes back on and leave the airport.
If you don't pass, well, you are not awake to complain about what happens next so that's not an issue.
Yup 99% secure, no problem there then...
If people don't like this they can always walk, can't they?
Seriously you cannot have 100% security so why try? Just accept the occasional breaches and punish heavily irrespective under the "one rule for all doctrine".
I think that segmentation is the norm. You used to be able to take hallways to get from terminal to terminal in most airports without going through screening again. I see a lot of those have been closed in recent years. It's a hassle if you have to change airlines, but it gives containment. Even regional airports like BWI in Washington have concourse segregation.
What I don't understand is places like ATL or DFW where they have mass transit on the secure side. I hope they have an "off switch" for the people-mover if someone runs the wrong way. Otherwise you'd need to tell everybody to come back tomorrow. Anybody with first hand experience?
I'm not sure that your statement that it's not worth the hassle is true. When you consider that closing a terminal of a major airport for 6-12 hours not only causes delays at that airport, but also many other airports that those planes are headed to, the cost is EXTREMELY high.
I personally like the idea of identifying the most common causes of faults, and then looking at them one by one to see if there is low hanging fruit with a relatively high pay off.
For instance, many of these security failures have been when people went "in the out". However, at least at the Milwaukee Airport, the ONLY thing stopping a person from doing that is a guard. Would a one-way turnstile installed at the out serve as a relatively low cost solution?
Just like locking and securing cockpit doors is a relatively cheap anti-terrorism measure, there are probably similar measures that can be done at airport terminals.
One practice that might help, though not fool-proof, would be some kind of hand stamp for those clearing security on the way in. Time, date, and airport ID, and perhaps a graphic (bar-code or equiv) might be a way to resolve who's who if a search can be started quickly enough.
A liverwurst and onion sandwich might get you 10 years in Leavenworth ...
@ Clive Robinson:
You must have been listening to the president of the Dutch pilots' association, who in reaction to this incident called for stern new security measures and stated that security should principally always outweigh privacy! I wonder if he realised that he and his pilot buddies would of course have to be subjected to at least a similar level of scrutiny... (well, with a less powerful anaesthetic, I guess)
@Nick: The cost to whom is high? The TSA doesn't pay for all the delays, the airlines and passengers absorb all that cost. The TSA decision-maker will wind up paying some overtime, doubtless, but will look like he or she is doing something. It's the principal agent problem again.
Turnstiles aren't going to cut it for exiting the concourse. They have to accommodate large numbers of people leaving at one time, who will be carrying whatever luggage can fit in the passenger compartment. Somebody is likely to be in a wheelchair. The best idea I've seen so far is a fairly fast motorized walkway headed out, although that will require entry and exit areas.
Berlin-Tegel has the same sort of layout, with a security checkpoint at each gate. More expensive to employ more people, perhaps, but it's also considerably less stressful (for probably everyone involved) and quicker than the mass checkpoints at other airports.
The problem with an occasional overreaction is that as soon as someone has the desire to provoke it regularly, it becomes a denial of service attack.
Of course, terrorists really aren't interested in denying us the use of our airports, so they're not a likely candidate for ringing up false alarm after false alarm.
In order to be successful at it, you have to be able to be good at feigning innocence, anyway.
I've always wondered what happens around the back of the terminal. While all the security theater is going on at the front, at the back trucks are coming in all the time, delivering all the rubbish that you buy in the terminal and all the rubbish that you eat and drink on the plane. How keenly are those trucks and their crews screened? How easily can a driver bring an extra helper who just walks into the terminal and disappears in the crowd? Or can the driver and his sidekick deliver a box, put it in a store-room and leave, whereupon the person hiding in it gets out and walks into the terminal? Does anyone check that every bottle that comes in on a truck contains what the label says, not something special that an accomplice on the store staff can pick out and pass to a passenger? Does anyone here know how good is the security around the back?
What about a dead-space corridor with one way doors at each end and a trapdoor?
Should the outer door be breached the inner door locks and the trapdoor opens.
@scott: “terrorists really aren’t interested in denying us the use of our airports”
Good point. What _are_ terrorists interested in? What was Umar Farouk Abdulmutallab interested in? Has anyone asked him why (he claims) Al-Qaeda told him to blow himself up at Detroit, and how he thought it would serve their purpose?
No comment on the TSA freaking out over a jar of honey? (See link above).
@: "They can say "this isn't a big deal," and ignore it. Or they can evacuate everyone inside the secure area, search every nook and cranny: causing delays of six, eight, twelve, or more hours. That's it; those are his options. And there's no way he's choosing to ignore the risk; even if the odds are minuscule that it's a problem, it'll cost him his career if he's wrong."
Worse, if it costs him his career if he's wrong, it will probably have cost lives at this point.
I don't see much of a way around this either, without costs going up astronomically.
Saying "it's no big deal" is worse than it sounds on the surface, even if the risk is minuscule. Unless terrorists just want to cause delays, which I don't believe is of much interest to them, if the word gets out that we ignore people who dart past security and fade into the crowd because "the risk is minimal", you can bet that is what someone will do.
So, basically what I'm trying to say is this isn't just about the tiny risk of someone who slips through, it's about how it will be exploited in the future if would-be perpetrators know how we'll respond to it.
You don't need a full turnstile. A simple set of doors that only open in one direction, waist high or so, will serve to stop the majority of the ones who are just not paying attention (the most common examples I have seen were people on cells or listening to walkmen).
A second option (and this fits the design at most airports I have flown through) is to put the 'check' person at the other end of a decent sized corridor. If someone goes through, they can be blocked at the other end before 'contaminating' the general population.
It won't stop them all, but both are low cost options that can help minimize disruptions.
Echoing Jim, above, we could install mechanical devices, e.g. "full body" one-way turnstiles, perhaps with a subsequent dead space monitored by a guard to prevent/lessen the potential for "hand offs" through the turnstile or whatever, as needed. Guards would also be needed to allow people with restricted mobility to exit through an alternative, closed-by-default exit.
But -- my main point -- big mechanical devices look scary. The absolute restriction of movement is scary/intimidating. So, while they are damned cheap in comparison to many of the alternatives (steel tubes or bars and a few heavy duty bearings, even when ergonomic, just aren't that expensive), we do not employ them.
Also, I used the plural: Guards. You need two, so that one can afford to be momentarily distracted without losing continuous monitoring. It also might provide them social interaction to help maintain alertness without becoming excessively distracted by a book or TV, or excessively bored by the need to avoid the risks of books and TV.
Outright mistakes in direction by clueless travelers would be greatly minimized. When you see a big barrier, with people coming through in the other direction, you have a pretty clear signal that you are not supposed to head in that direction.
P.S. In the event of an emergency evacuation, you open up the alternative exit. And care in physical design does need to be taken so that the device is incapable of physically trapping users either under normal use or in an evacuation.
I'm not an expert in this. Maybe I'm missing weaknesses in what I propose. But, again, my point is that I suspect we are skipping some inexpensive, physical options because they appear intimidating.
I thought of that. ...
Why bother even blowing anything up? The terrorist's goal could be just to create massive delays and annoyance. As you have pointed out many times before there is no cost to the terrorist if he gets caught trying to breach security. Having some innocent looking white guy attempt to absentmindedly "wander" the wrong way through security could create massive havoc with zero cost for failure.
@Caleb: Why bother even blowing anything up? The terrorist's goal could be just to create massive delays and annoyance. As you have pointed out many times before there is no cost to the terrorist if he gets caught trying to breach security. Having some innocent looking white guy attempt to absentmindedly "wander" the wrong way through security could create massive havoc with zero cost for failure.
I doubt annoyance is their goal. Rather, I believe the point is that if this were more common then it would be worth the extra cost for prevention. If it remains rare, it's probably fine as is.
What's more, from a purely tough to measure psychological perspective, at least for a while, I would imagine security staff will be more diligent in preventing this because they don't want to endure the embarrassment.
Hell, if they managed to do it say half a dozen times at large airports within a relatively small time period, it would probably desensitize the system. Allowing for someone to really smuggle something in.
There is a difference between the Schengen Treaty side of Schiphol, where screening is only done at the entrance to the area and the International side where border screening is done at the entrance to the area, and physical screening is done at each gate.
There are a number of permanently 'secured areas', such as the El Al gate and check-in areas. And some semi-permanent secured areas, such as was done in the past - before and after 911 - when there were threats against US airlines. Although with the heightened security over the whole airport these are seldom used unless there is a credible threat.
I read a short story in one of Dale Carnegie's books. The short version is a private airport worker mistakenly put the wrong kind of fuel in a plane, almost causing a deadly crash. When the plane's angry owner went to confront the man, he was unable to stop his sobbing. The plane's owner then said to the supervisor: "Sir, from now on, I only want this man to service my plane... I know he'll never make this mistake again."
The owner was probably right. There have been mistakes I have made, and the sheer embarrassment and pain in the rear to clean it up was enough to ensure I never did it again.
I would imagine that a hefty dose of embarrassment and the workload of searching, rescreening, and dealing with infuriated delayed and inconvenienced passengers will provide quite an incentive to security staff to be more conscientious. And the public nature may cascade that incentive to other airports.
Sort of like how any would-be hijacker would have been beat senseless by nervous passengers shortly after 9/11. Psychologically, from the management level down to the staff, there will be a bit more attention paid at least for a while.
You assume the cretins that work at the gates are actually motivated to improve ...
There's a school of thought that says that the goal of Islamist terrorists is to establish a greater Islamic state.
The goal of their terror attacks is subsequently to elicit a violent/oppressive/unpopular response that will turn Arabs radical and build support for their movement.
If you're trying to build a movement, you need a story, and every story needs an enemy. The best way to get an enemy, of course, is simply to make one.
This article by the military historian Gwynne Dyer expresses it well:
My memory of Schiphol Airport is that they have screening at-the-gate in the international zone of the airport, but that the Schengen ("domestic") zone of the airport is a single secure area with screening when entering that zone. In other words, they're trusting security at the originating airport if that airport was within Schengen, but not if it's outside.
My memory of the one flight I took from Schiphol to the UK is a little rusty (that's my only flight from there to a non-US non-Schengen destination), but I *think* they screened at the gate.
However, I'm pretty sure they screened at the gate for US-bound flights, and that they have security screening right after passport control when you cross from the international area to the Schengen area for an international to Schengen transfer.
@ Odalchini, Scott,
"Good point. What _are_ terrorists interested in?"
It is a good question but... the answer is not easy in many respects.
In broad terms they seek furtherance of their aims and objectives.
But we actually don't know their real aims and objectives just their "stated" ones.
For instance the real aim may be to get increased visibility for chosen candidates in elections.
The stated objective may be however to get at the infidels in their homes.
If you model your security on the wrong aim you will find it will just get circumvented by a small change by the terrorists.
It is why the first thing you need to do is make any response or security plan "broad" not "specific". The second is make it understandable by the majority of those you are going to apply it to, so there is little or no excuse for not complying.
The third: have a set of penalties for transgression that makes it difficult for terrorists (that is get at manpower not financial or other resources).
This limits the options for attackers as they have to find "new classes" of attack as opposed to a different attack in the same class (ie a small bomb hidden in clothing that was not previously checked). The manpower limiting penalties (a year as "no fly" for instance) makes "testing" security harder or the organisation larger thus making it easier for authorities (believe it or not suitable manpower is an issue for attackers it takes a reasonable level of skill to test security and not get caught).
The fourth thing you need to do is get assets on the ground where the terrorists have their power base etc and try to discern their real intentions as these may be much easier and far cheaper to deal with than trying to come up with preventative security.
In effect you take the war to the terrorists on their home ground but importantly not with guns and bullets but "hearts and minds". It is a way they cannot easily fight back against.
The problem with "hearts and minds" is "false converts" a recent case of this killed six CIA agents. And the "ass bomber" is another example.
However if you assume that this is likely to happen you can design safeguards to limit the effectiveness of any such action.
The most obvious being why on earth were seven intel bods in the same room as the most recent one, based on the near miss for the Saudi Prince just a short while ago.
Obvious mistakes are being made, a few less would make life a great deal more difficult for the attackers/terrorists.
The problem in this case, as in the attempted bombing at Christmas, was the human factors. There was a 'security' employee at the exit point and there were cameras available. Neither was doing their job. Will the person on the door lose their job? Will the video operator? There needs to be accountability in the TSA, not more inconvenience for the traveling public.
Whole body virtual strip searches will be just as vulnerable to human error. The first few weeks of staring at everyone's crotch (that's where the bomb was, that's where they have to look) will probably be titillating enough to be incident free, but what about in 3 years' time when we're all numb to the indignity of standing with our arms raised while someone looks under our clothes and the person at the monitor is numb to the joys of looking at flabby breasts and stomachs..?
It will soon be so easy to trigger hours or days worth of delays without the need for any nasty chemicals that I wouldn't be surprised to see it become a deliberate tactic. What if 50 people went in through the exits at major hubs at the same time on the same day, or staggered by a couple of hours so that one had just got back to 'normal' when the next was hit? It wouldn't kill anyone, but it sure would have big ripple effects...
This problem could be easily reduced with cheap adjustments to the secure/nonsecure transition areas.
Large bright signs saying "wrong way".
Large turnstiles with a bypass gate operated by the guard for high traffic flow times.
Motion detecting video camera system that operates a buzzer and flashing light when someone walks the wrong way through the area.
Annual bonuses for guards in the area that are withdrawn if someone passes through the wrong way.
They should consider people coming from an aircraft where they were searched as safe. If somebody is searched at Paris and then goes the wrong place at Chicago he probably does not have anything not permitted because he was already searched.
Evacuation should only be when someone came from a non secure zone.
If you want a real incentive: the guard who let someone in the wrong way shouldn't have immunity from civil suits for damages.
I last went through Schiphol a couple of years ago, noted their security model and liked it; see http://blogs.sun.com/davew/entry/... .
However, it seems that their model for transfer passengers (which I wasn't) was deficient, owing to a matter of unjustifiable transitive trust of the security folk at the point of passenger embarkation.
I don't see a natural and obvious solution; there are a number of unnatural and contrived ones, of course, but that way, every airport worldwide would effectively need to be patrolled by the TSA.
" ... every airport worldwide would ineffectively need to be patrolled by the TSA."
There, fixed that for you.
You might not notice it, but most large European airports (including Schiphol) have separate Schengen and non-Schengen-area security protocols and areas. Flying from Amsterdam to Stockholm is basically comparable to a domestic flight. The non-Schengen area is completely segmented (also sub-areas with specific protocols, e.g. for the US).
Most American large airports are actually already segmented, with every terminal (for a large airline) having a completely separate building. This is less common in Europe and Asia.
Just as an update - ABC News is reporting the guard on duty left his post for a moment, and the cameras over the area were not operational (and not live monitored).
I've flown through Newark, and like the Calgary, AB airport, the large secure->insecure exits are also used as RFID cardpass service entries to the secure area.
In one airport (not going to specify) it was fully possible to simply walk through from the insecure to secure sides after a simple "call" button press.
The security guard at the service desk on the secure side (nothing but a button and RFID reader on the insecure side) had a monitor and large "OK" button behind her. A buzzer would sound and she wouldn't even look at the monitor; she'd reach back with a 2x2 length of wood to press the unlock button, and keep reading her magazine.
Aren't the "mass production lines" at airports the root of the problem? You can't easily identify the bad part down the line, so you get back to the start. Maybe they need to look at "lean" ways of doing it. That may be too much to ask for, but the fundamental philosophy of efficiency at a mass-scale needs some rethinking.
According to the NJ Star-Ledger:
"All it took to breach security at Newark Liberty International Airport on Sunday night, stranding thousands of travelers and entangling flights around the world, was a simple stolen goodbye kiss."
Apparently there is a video so we will probably get to see the security breach.
PB: When I was young such mechanical gates to enforce one-way traffic used to be standard equipment at swimming pools, the zoo, and other places families might routinely pay to enter.
I can't imagine why measures to protect a swimming pool from the loss of a few dollars when children sneak in (before liability lawsuits became trendy) can't also be used to prevent terrorism.
One of the advantages of such gates is that it permits having many more exits, this is good for public places like swimming pools in the case of an evacuation, and also good for convenience at airports.
OT @Clive Robinson
Please tell me you are (or already have done) writing an autobiography - obviously part one. I'd like, scratch that, I'd kill for a signed 1st ed.
All the best and hope you are well,
Clearly this is a more important issue than the 17,000 people in the USA killed by terrorists every day.
What, you don't think that murderers are terrorists? Prove me wrong.
Why can't they just use large turnstiles like they use in the NYC subway system or even at amusement parks?
They open only one way and do not need to be attended since once you get out, there is no way you can go back in through them. This might create a slight bottleneck at large airports like Atlanta, but you could just increase the number of turnstiles and manage this problem easily.
...or they could just install one-way doors like a million other places in the world, and the whole issue ends.
The idea of the whole system essentially breaking down 'cause of such a trivially idiotic crowd control issue is just nonsense.