TSA Drops Shoes, IoT and Roundup
Kyle Fox is back this week with a couple of writeups and the roundup. This week, we look at the current situation with changes to security measures at the TSA and what more needs to change. We also look at some ongoing problems with long-term support for IoT devices.
TSA Drops Shoe Removals
For years, people in the United States have had to take off their shoes while going through security at the airport. A new policy was announced on July 8th that will no longer require people to take off their shoes. Unless they're me and travel wearing steel toe boots. This surprising reversal comes after 20 years of a policy enacted after shoe bomber Richard Reid attempted to blow up American Airlines Flight 63 in December of 2001 with PETN explosive smuggled in his shoes.
The TSA is often lambasted as security theatre, but we have to remember that the TSA, or something like it, is mandated by Annex 17 to the Chicago Convention on International Civil Aviation, which states "4.4.1 Each Contracting State shall establish measures to ensure that originating passengers of commercial air transport operations and their cabin baggage are screened prior to boarding and aircraft departing from a security restricted area." (the PDF does not allow copying, so I had to type that all up) And we generally don't want explosives on planes, or guns and dangerous knives making their way into the passenger cabin. So we still need, in part, what the TSA is doing. The original intention of creating the TSA was to standardize screening, which was also something we were in dire need of at the time.
So what measures are security theatre? According to Bruce Schneier, who coined the term, the top three are now: liquid restrictions, body scanners, and the Screening Passengers by Observation Techniques (SPOT) program, now called Behavior Detection and Analysis (BDA). Let's start by examining the liquid rule. The rule was established after a 2006 plot to blow up planes using liquid explosives. The explosives would be made up from component liquids the plotters would bring onboard in innocuous-looking containers. Since then, the ICAO has issued guidance on screening liquids, and the result is the liquid restrictions. Since this is an international rule, it may be difficult to completely get rid of it without international cooperation, despite the holes in it.
The next item on the list is body scanners. These do not appear to be required by ICAO regulations and are not used in many countries. These devices, even when working optimally, are capable of missing some very large weapon-like objects. The scanners have improved: when they first started, they were x-ray backscatter units that exposed travelers to unnecessary ionizing radiation. The new ones use millimeter-wave radar technology that should not pose a health risk. They still take up a lot of floor space and add time to screening passengers.
Schneier's last item is the Screening Passengers by Observation Techniques (SPOT) program, which since 2016 has been called Behavior Detection and Analysis (BDA). This program is alleged to work by training TSA officers to observe passengers' stress levels and behavior to spot passengers who are concealing something or otherwise being deceptive. From that description it seems to be a human lie-detector program. Like the polygraph lie-detector, its efficacy has been disputed quite a bit. With airports and air travel often a high-stress situation for most of the traveling public, it seems to lead to the individual officers' biases showing through. This one seems to be the most ripe for getting rid of, so I expect it to hang on for a long time.
Belkin, IKEA and Nest and the Struggle to Find Long-Term Support in IoT
Several announcements have come through in the last few weeks: first, Belkin announced it was discontinuing support for some Smart Home devices that it previously sold; then IKEA announced that it was transitioning off Zigbee and to Thread; and finally Nest will discontinue support for some older devices. This has all highlighted an issue now surrounding a lot of IoT, mainly that as time goes on, support for these devices becomes a problem.
The first issue is that a lot of manufacturers want their IoT-enabled appliances to link back to servers that they run. This helps by allowing users to access the devices from anywhere, and it allows the manufacturers to push software updates to improve the devices and deal with security vulnerabilities. However, it also adds ongoing costs to supporting the devices and ties them to the manufacturer's continued support: when the servers go away, so does the functionality.
The next issue is that these devices contain software that needs to be updated periodically to resolve security issues. That still usually depends on the manufacturer to maintain the software and push updates. In some cases, this has been sidestepped by projects creating open firmware for discontinued devices. But as a rule, you'll only get updates until the manufacturer decides to stop maintaining the code. While this would be perfectly fine if these were widgets expected to last 5 years, it becomes a concern when you're talking about equipment installed in a house. For example, my house was built in 1978, my breaker panel is from that era, but I have an Emporia Vue panel monitor.
The last issue is that as time goes on, companies may change the basic protocols their devices work with. With IoT, this often means going from Zigbee to Wi-Fi or Bluetooth or some other combination of changes. Once these changes are made, the manufacturer can maintain compatibility, if they use a system with hubs, or they can dump the entire previous ecosystem. The IKEA transition is an example of this issue. It's currently not clear how the future support model for their existing Zigbee devices will work, but I expect some level of support to continue.
Roundup:
- Not really security related, but this week's YouTube recommendation is Patrick (H) Willems. From analyzing pop music soundtracks to ranking the most '80s movie, he has you covered in long-form cinema analysis.
- Plague's back in town.
- AI company leaks McDonald's job applications.
- Comcast Wifi Motion Detection? Apparently this field grew up.
- ChatGPT hallucinated features are getting added to software.
- Because Bluetooth is complicated, another week, another Bluetooth attack.