|Quoting LovesCoffee (Reply 50):|
Germanwings should be a reminder that this can happen, albeit very, very rarely.
I believe the correct assumption is to trust no one but to trust everyone. You can't accurately predict what a single person can do in all cases; it doesn't matter if they are a captain, first officer, flight attendant, office worker, terrorist, criminal, kidnapper, ... What you should be able to trust is that most of the people on the plane do not want to needlessly die (this comes standard with life in general) and will do everything in their power, if given the knowledge and ability to do so, to ensure this simple objective is achieved.
The way the door works on planes post 9/11 placed all the trust on whoever or whatever was on the flight deck side of the door. It doesn't matter if they are a terrorist, suicidal crew member, revenge attacker, insane person, cat, dog, or even a stick. Get that lock switch switched while in flight and you're locked out without any means to gain entry, even if you're both authorized to and must get past the door. (Regarding the lock control panel logic: are you allowed to hold the lock switch down to make the timeout infinite, such that the pin pad is always disabled, or does it require you to release it and lock it again on the next entry request or pin entry? If that is the case then that alone is terrible design that could be fixed with one line of code, to at least make it impossible to dead-man the momentary lock switch.)
MH370's lack of action past the initial turnaround, and why no one could reverse the actions of whatever caused the plane to fly off into the ocean, is very likely due to the door being very secure without any means for the cabin crew to unlock it, even when they have hours to try. Nothing special, it is working as designed: a truly secure door with no keyhole...
What would be terrible is if they discover the plane decades later and find clear evidence of a persistent attack on the door which failed to penetrate it. A pooled cabin crew electronic key system would at least offer a secure method of entry. This allows for the chance that those people in general could act appropriately. And even if there are terrorists amongst the passengers, attacking crew members to obtain the multi-part key would cause a riot, and since you design the keys so you can erase them in that situation, it would be very difficult to get every crew member who has a key before they covertly erase it.
The number of keys and who has them can be adjusted for the plane, risk profile, and crew numbers. It would use basic cryptographic principles so that users would not have to remember key material in their heads, so that there is no risk of them leaking it or being forced to reveal the secret. The temporary codes would be generated by the door lock system itself and would be loaded on every flight with the crew carding in as you would when you enter an office building, so that copying the override code would be impossible and a brute force attack would be impossible due to the time constraints. This would all run on bog-standard smart cards which are direct contact interface only (no wireless technology) with standard RF shielding to prevent eavesdropping or interference.
Cards would use industry standard encryption with tamper detection, with a chain of cryptographic trust built in and a duress erase mechanism built into the design to allow users to jumble their override code covertly in a terrorist attack scenario. These same cards can be used to authenticate staff/crew at the airport and gate using centrally managed codes independent of the temporary override code; the duress erase mechanism would be applicable even if someone is attacked outside the airport and is forced to give up their card, as they can erase it, which would flag the card for review.
To protect against accidental erasure the system can allow for n erases before the override cannot be used, depending again on the crew number, plane, and risk profile. On the ground, if someone erases the override portion of their card by accident they would merely be flagged for extra screening to make sure their photo identification is correct and they are not posing as a crew member.
Crews would obviously need to be trained on the use of the card pool if someone has taken over the cockpit, and on when to erase their card in flight during a terrorist hijack attempt to break into the cockpit.
Obviously adversaries would be aware of this system and would try to crash the plane quickly, which Airbus can mitigate and which is outside the purview of this concept, as it is only intended to offer a fighting chance and prevent attacks which take longer than a few seconds (9/11, GW, ...). Other attempts at abuse include having the terrorists attempt to obtain all the keys, which is mitigated by the passengers' reaction and the fact that they would not be able to get all the crew keys before some are covertly erased in the struggle; all it takes is one or so to be erased.
For a cockpit lockout attempt an attacker would try to disable the override by either stealing or erasing other users' cards covertly. The countermeasure to this is that by forcing the attacker out into the cabin you increase the chances they can be discovered and stopped without the protection of the secure cockpit door. And if detected they may try to force their way back into the cockpit and instead steal the remaining keys to gain override access. This is mitigated by both the valid erase procedure and the time it would take to use the keys together without being subdued.
And if anyone says the door lock method is too complex you should remember that it is just a dumb stand-alone door lock controller and pales in comparison to the complexity of all existing flight control systems. It is cheap, effective, and offers balanced security so that either side of the door can be defended, through the correct assumption that people in general don't want to die. You could put it on their staff badges, and it is far better than having people remember secret PIN numbers that are probably the same across many doors and don't change very often.
The invalid assumption the door lock design made was that it was impossible to have anything malicious in control of the flight deck. Just have a logical method to unlock the door when most of the crew are willingly cooperating with each other. It was designed as a knee-jerk reaction to a totally insecure door but didn't consider the consequences of the rushed design.
Edit: Another defence that could be integrated is a poison pill pool system where two or more users' cards can be used to disable the override if used, but the key part is that only that crew member knows, and it is given at random, that they are the poison pill (the pilots obviously can't have a poison pill card as they wouldn't be able to use it normally). In this manner a terrorist won't know which keys are good and which are bad, and no crew member knows who else has a poison key; coupled with the fact that you must still use a pool of keys, it offers plausible deniability: people could claim to have a poison key when they really have a valid key that they just erased. There could even be zero poison cards on the plane, but it is all randomly controlled so there is no way to know prior.
The crew members with the poison cards could in theory together maliciously disable the override, but this is unlikely as two or more random crew members in the cabin are not both insane; inversely, a totally insane crew could also pool their cards to take over the flight deck, but this too is considered very unlikely. Also, the two-person system fails because it is just a 1v1 instead of a 0v1; the odds of who wins are not very easy to determine, especially since the attacker has the opening advantage. In my proposed system it would be all the cabin crew fighting back.
In a valid override scenario crew members would come forward to verify that the calling attendant is not under duress, and each person could independently evaluate if the request is valid. If the entire poison pool thinks it is valid then they don't insert their cards when it is their turn, and if they do think something is up they insert their card in the hope that other poison pill users have decided similarly. If the unlock group believes the request is valid they all insert their keys, and if they do not believe the request is valid they can abstain by saying they have a poison card and erase their code.
An optional improvement to security if crew numbers and the need arise. Its mere existence as part of the protocol would deter attack.
[Edited 2015-03-28 00:08:18]
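The card pool, duress erase and poison pill mechanics described in the post above, modelled as an added example (editor's code, not from the post or any real aircraft door system). It assumes Shamir secret sharing over a prime field as the "multi-part key", which the post does not specify, and it treats a single inserted poison card as the veto; the DoorController class, the status strings and the scenario functions are hypothetical names chosen for this illustration.

```python
"""Toy model of a pooled crew-card cockpit override (added example, not the post's design).

Assumptions: the per-flight override code is split k-of-n with Shamir secret
sharing over GF(PRIME); poison cards carry a real-looking share and veto on
insertion; all names here are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PRIME = (1 << 127) - 1  # assumed field modulus for the share arithmetic


def split_secret(secret: int, k: int, n: int) -> Dict[int, int]:
    """Split secret into n shares; any k reconstruct it, fewer reveal nothing."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            acc = (acc * x + c) % PRIME
        shares[x] = acc
    return shares


def reconstruct(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


@dataclass
class CrewCard:
    holder: str
    index: int
    share: Optional[int]  # None once erased (duress or accident)

    def duress_erase(self) -> None:
        """Covert erase: gate-access part of the card is untouched, override part is gone."""
        self.share = None


class DoorController:
    """Per-flight override code split k-of-n across crew cards, with poison-pill veto."""

    def __init__(self, crew: List[str], k: int, poison_indices: Optional[Set[int]] = None):
        self.k = k
        self.disabled = False
        self.override_code = secrets.randbelow(PRIME)  # generated fresh at card-in
        shares = split_secret(self.override_code, k, len(crew))
        self.cards = [CrewCard(name, i + 1, shares[i + 1]) for i, name in enumerate(crew)]
        # Poison cards hold a genuine share so an attacker cannot tell them apart;
        # only the controller (and the holder) knows which indices veto.
        self.poison_indices = set(poison_indices or ())
        self._session: Dict[int, int] = {}

    def erase_tolerance(self) -> int:
        """Non-poison cards that may be erased before an override becomes impossible."""
        return len(self.cards) - len(self.poison_indices) - self.k

    def override_possible(self) -> bool:
        live = [c for c in self.cards if c.share is not None and c.index not in self.poison_indices]
        return not self.disabled and len(live) >= self.k

    def insert_card(self, card: CrewCard) -> str:
        if self.disabled:
            return "DISABLED"
        if card.index in self.poison_indices:
            self.disabled = True  # poison pill: override is off for the rest of the flight
            self._session.clear()
            return "DISABLED"
        if card.share is None:
            return "REJECTED"  # an erased card contributes nothing
        self._session[card.index] = card.share
        if len(self._session) < self.k:
            return "PENDING"
        code = reconstruct(self._session)
        self._session.clear()
        # A forged or tampered share interpolates to a different code: door stays shut.
        return "UNLOCKED" if code == self.override_code else "REJECTED"


def run_override(ctrl: DoorController, cards: List[CrewCard]) -> str:
    status = "PENDING"
    for card in cards:
        status = ctrl.insert_card(card)
        if status in ("UNLOCKED", "DISABLED"):
            break
    return status


CREW = ["purser", "fa1", "fa2", "fa3", "fa4"]  # constructed sample crew: 5 cards, k = 3


def scenario_honest_override() -> str:
    ctrl = DoorController(CREW, k=3, poison_indices={4})
    good = [c for c in ctrl.cards if c.index not in ctrl.poison_indices]
    return run_override(ctrl, good[:3])


def scenario_accidental_erase() -> str:
    ctrl = DoorController(CREW, k=3, poison_indices={4})
    good = [c for c in ctrl.cards if c.index not in ctrl.poison_indices]
    good[0].duress_erase()  # one erase is within tolerance (5 - 1 poison - 3 = 1)
    return run_override(ctrl, good)


def scenario_hijacker_collects_cards() -> str:
    ctrl = DoorController(CREW, k=3, poison_indices={4})
    ctrl.cards[2].duress_erase()  # fa2 erases covertly during the struggle
    return run_override(ctrl, ctrl.cards)  # hijacker tries every card and trips the poison one


def scenario_forged_card() -> str:
    ctrl = DoorController(CREW, k=3, poison_indices=set())
    forged = CrewCard("impostor", 6, secrets.randbelow(PRIME))  # looks valid, wrong share
    return run_override(ctrl, [ctrl.cards[0], ctrl.cards[1], forged])
```

The four scenarios mirror the cases in the post: an honest k-of-n override, an accidental erase within the tolerance, a hijacker who collects every card after one crew member erased theirs and so inserts the poison card without knowing it, and a copied-looking card whose share does not interpolate to the flight's code. Whether one poison card or the post's "two or more" should veto, and how many erases the pool tolerates, are the per-aircraft policy knobs the post describes; here they fall out of n, k and the size of the poison set.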