The Lifehacker post "Open a Locked Suitcase without Leaving a Trace" linked to this video showing how to tamper with locked suitcases. A suitcase zip can easily be forced apart using a pen so that items can be inspected, added or removed. The insidious part of this hack though is that zippers are self-healing, by moving the locked-together zippers backwards and forwards along the zipper path, the zip can be re-closed leaving the suitcase appearing as though it has never been tampered with. This is a failure mode of luggage security that most people will not consider. Yes, we assume that a suitcase offers little security but we also, as a rule, assume that we would notice if our suitcase had been tampered with. We expect that either the lock will have been visibly tampered with or that the case will have been cut or damaged in some obvious way. We don't generally expect that we can close and lock our suitcases and that they are then quickly and trivially manipulated.
To give us our due, I think that most of us do not see suitcases as being particularly secure and would not place anything valuable into them unless forced to do so, so the risk of losing irreplaceable items is generally quite low. We also kind of expect that our suitcases will be inspected nowadays, at the very least using a non-invasive scan such as X-rays if not being opened up and pawed through. The big risk for most of us, especially if travelling to somewhere like Turkey or Thailand, is that something might be introduced into our suitcase which could make our trip through customs worse than usual. Generally we see having a lock on our suitcase as a check on the integrity of the suitcase but now we cannot be certain that our suitcase hasn't had something inserted into it without opening and going through it. This scenario not only gives a real world illustration of a physical man-in-the-middle attack but also illustrates an important element of security engineering, namely integrity. Schneier's definition of integrity [Applied Cryptography, second edition, (1996), pp. 2] is as follows:Integrity It should be possible for a receiver of a message to verify that it has not be modified in transit; an intruder should not be able to substitute a false message for a legitimate one.
If we consider the suitcase as our "message", one of the receivers of our message is the owner of the suitcase who wants to get it back containing only what it contained when it was checked as baggage, nothing more and nothing less. The owner desires that the message has integrity and ostensibly relies on the locks as a means of verifying that integrity. In a more general communication-oriented sense, integrity comes alongside two other elements, authentication and non-repudiation, defined thus (ibid.]:
Authentication It should be possible for the sender of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
Non-Repudiation A sender should not be able to falsely deny later that he sent a message.
Because in this case the sender and receiver are, in one sense, the same person, the owner of the suitcase, then authentication and non-repudiation have little bearing on the circumstances because the lack of integrity is sufficient to consider the system broken. Under these circumstances it is enough to state that the luggage owner can be authenticated as being the person that they identify themselves as, and they have not, and perhaps cannot because of other checks and balances, repudiate their ownership of the luggage, the big gaping hole in the system is that the integrity of the luggage cannot be verified.
So how can we verify the integrity of our luggage? Simple methods like securing the locks so that they cannot be moved would stop this attack. Some suitcases have a built in mechanism or tie down point to allow this. I am sure that other mechanisms could be created but perhaps the integrity of checked luggage within a major airport cannot be verified cheaply, easily, or reliably. Perhaps ulitmately we have to openly accept this and not hold a person at their destination responsible for the contents of their luggage. Notwithstanding different laws on importation and prohibited items, we could ensure that the checks done at the originating airport are sufficient that they provide the owner with a defense should anything be introduced once the luggage is out of their supervision.
No comments:
Post a Comment