Wireless Vulnerability Management
2008 AirTight Networks, Inc.
Wireless Vulnerability Assessment – Airport Scanning Report Part - II
A study conducted by: AirTight Networks, Inc.
www.AirTightnetworks.com
Page 2 Wireless Vulnerability Management 2008 AirTight Networks, Inc. Proprietary & Confidential.
About This Study
The Goal
To assess adoption of security best practices on airports' Wi-Fi networks
To assess information security risk exposure of laptop users while they are transiting through airports
Background
AirTight Networks released the results of its airport wireless vulnerability scan study on March 3, 2008
This follow-up expands the scope by adding vulnerability reports of more airports across the world
Study Methodology
Visited 13 new airports world-wide (9 in US, 2 in Europe, 2 in Asia-Pacific)
• USA: New York (JFK), Washington (IAD), San Antonio (SAT), Fort Lauderdale (FLL), Dallas (DAL), Seattle (SEA), Omaha (OMA), Chicago (MDW), San Diego (SAN)
• Europe: Southampton (SOU), Dublin (DUB)
• Asia/Pacific: Bangkok (BKK), Pune (PNQ)
Scanned Wi-Fi signal for 5 minutes at a randomly selected location (typically a departure gate or lounge area)
Total number of APs found = 318 and Clients = 311
Previous Study Key Findings & Implications
1. Study finding: Critical Airport systems found vulnerable to Wi-Fi threats
• Evidence: ~80% of the private Wi-Fi networks at Airports are OPEN / WEP!
2. Study finding: Data leakage by both hotspot and non-hotspot users
• Evidence: Only 3% of hotspot users are using VPNs to encrypt their data! Non-hotspot users found leaking network information
3. Study finding: ‘Viral Wi-Fi’ outbreak continues
• Evidence: Over 10% laptops found to be infected!
New Study Findings
The same pattern of wireless vulnerabilities was found at all airports again
Vulnerabilities in the core systems at airports more wide-spread than previously assessed
• Several airports seem to be using WEP-based baggage tracking systems
Insecure configuration practices observed
• APs with out-of-the-box default configuration
• Open/WEP APs with hidden SSIDs
Wireless Vulnerabilities Revisited – AP Encryption
Majority of APs are OPEN ~ 64%
A significant number of WEP installations are visible ~15%
Only 21% APs are using WPA/WPA2
The ideal break-up:
• Hotspot APs – OPEN
• Non-hotspot APs – WPA/WPA2
Wireless Vulnerabilities Revisited – Viral SSIDs
The spread of viral SSIDs is seen at European airports too
• Both SOU and DUB airports had viral SSIDs present
Free Public WiFi is the most common viral SSID
• Seen at 8 out of 13 newly scanned airports
An active ad-hoc network of 4 users was found at the DAL airport
• The users were security-conscious – they were using WEP!
Viral SSIDs Spread to Europe
“Free Public WiFi” found at all major airports!
Viral SSIDs spread to Europe!
Airport’s Critical Systems are Vulnerable
Previous study reported one instance of baggage system using WEP (at SFO)
New evidence confirms that this occurrence is quite prevalent
Similar vulnerabilities spotted at JFK and IAD airports
• Wireless APs possibly used for baggage handling are using WEP. E.g. bagscanjfkt1 (JFK), bagscanlhiad (IAD)
JFK Baggage Scan
Possible baggage handling system
IAD Baggage Scan
Possible baggage handling system
Bangkok Customs and Baggage Scan
Possible baggage handling system
Customs network!
Clients Found Connected to Open Customs Network at Bangkok
2 Clients found connected to Customs network
Insecure Practices Observed
Continued reliance on Hidden SSIDs for security!
• Over 40% of security-conscious users still rely on Hidden SSIDs instead of using WPA/WPA2
APs with default configuration in use!
• Over 30% of airports have one or more APs with default configuration (which are always insecure)
• This not only suggests that security practices were overlooked, but these APs can also inadvertently act as Honeypots
SSID                         | Encryption | Location
Linksys (1 Client connected) | OPEN       | JFK
Linksys                      | WEP        | SAT
Default (2)                  | WEP        | BKK
Linksys                      | OPEN       | DAL
Linksys                      | OPEN       | BKK
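As an added illustration (not part of the AirTight study or its tooling), the following sketch applies the insecure-practice categories reported above to a Wi-Fi scan inventory: viral ad-hoc SSIDs, default-configuration SSIDs, OPEN/WEP on non-hotspot networks, and hidden SSIDs used in place of WPA/WPA2. The `hotspot` flag, the finding labels and the sample scan are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

WEAK = {"OPEN", "WEP"}                   # encryption classes the study treats as insecure
DEFAULT_SSIDS = {"linksys", "default"}   # default SSIDs listed in the study's table
VIRAL_SSIDS = {"free public wifi"}       # viral SSID named in the study


@dataclass(frozen=True)
class Network:
    ssid: str              # "" when the SSID is hidden
    encryption: str        # OPEN, WEP, WPA or WPA2
    adhoc: bool = False    # computer-to-computer network rather than an AP
    hotspot: bool = False  # assumption: operator marks sanctioned public hotspots


def audit(net: Network) -> list[str]:
    """Return the insecure-practice labels that apply to one observed network."""
    findings = []
    enc = net.encryption.upper()
    name = net.ssid.strip().lower()
    if net.adhoc and name in VIRAL_SSIDS:
        findings.append("viral-ssid")
    if name in DEFAULT_SSIDS:
        findings.append("default-config")
    # Hotspot APs are expected to be OPEN; non-hotspot APs should be WPA/WPA2.
    if not net.adhoc and not net.hotspot and enc in WEAK:
        findings.append("weak-private-encryption")
        if not name:
            findings.append("hidden-ssid-as-security")
    return findings


def summarize(scan: list[Network]) -> Counter:
    """Count each finding label across a whole scan."""
    return Counter(label for net in scan for label in audit(net))


# Constructed sample scan (not data from the study).
SAMPLE_SCAN = [
    Network("Airport-Guest", "OPEN", hotspot=True),
    Network("Free Public WiFi", "OPEN", adhoc=True),
    Network("Linksys", "OPEN"),
    Network("", "WEP"),
    Network("ops-handheld-01", "WEP"),
    Network("ops-kiosk-01", "WPA2"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_SCAN).items()):
        print(f"{label}: {count}")
```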
Call for Action – Airport Authorities
Airport Authorities and Airlines need to secure their private Wi-Fi networks
• Secure legacy Wi-Fi enabled handheld devices being used for baggage handling
• Use at least WPA for Wi-Fi enabled ticketing kiosks
• Protect the Airport IT networks against active Wi-Fi attacks
Call for Action – Wi-Fi Hotspot Users
Do not connect to unknown Wi-Fi networks (e.g. “Free Public WiFi”) while at the airport or any other public place
Be aware of your Windows Wi-Fi network configuration
• Periodically inspect your Windows Wi-Fi network configuration
• Remove unneeded Wi-Fi networks from your “Preferred” list
Do not use computer-to-computer (ad-hoc connectivity) while at public places such as airports
Business Travelers - Use VPN connectivity while using hotspot Wi-Fi networks
Turn OFF your Wi-Fi interface if you are not using it!