wireless vulnerability management 2008 airtight networks, inc. wireless vulnerability assessment...

Wireless Vulnerability Management

2008 AirTight Networks, Inc.

Wireless Vulnerability Assessment – Airport Scanning Report Part - II

A study conducted by: AirTight Networks, Inc.

www.AirTightnetworks.com

Wireless Vulnerability Management 2008 AirTight Networks, Inc. Proprietary & Confidential.

About This Study

The Goal

To assess adoption of security best practices at Airport’s Wi-Fi networks

To assess information security risk exposure of laptop users while they are transiting through airports

Background

Airtight Networks released the results of its airport wireless vulnerability scan study on March 3, 2008

This follow-up expands the scope by adding vulnerability reports of more airports across the world


Study Methodology

Visited 13 new airports world-wide (9 in US, 2 in Europe, 2 in Asia-Pacific)

• USA: New York (JFK), Washington (IAD), San Antonio (SAT), Fort Lauderdale (FLL), Dallas (DAL), Seattle (SEA), Omaha (OMA), Chicago (MDW), San Diego (SAN)

• Europe: Southampton (SOU), Dublin (DUB)

• Asia/Pacific: Bangkok (BKK), Pune (PNQ)

Scanned Wi-Fi signal for 5 minutes at a randomly selected location (typically a departure gate or lounge area)

Total number of APs found = 318 and Clients = 311


Previous Study Key Findings & Implications

1 2 3

Critical Airport systems found

vulnerable to Wi-Fi threats

Data leakage by both hotspot and

non-hotspot users

‘Viral Wi-Fi’ outbreak continues

~ 80% of the private Wi-Fi networks at Airports

are OPEN / WEP!

Only 3% of hotspot users are using VPNs to encrypt

their data! Non-hotspot users found leaking network information

Over 10% laptops found to be infected!

Evi

den

ce

Stu

dy

Fin

din

gs


New Study Findings

The same pattern of wireless vulnerabilities were found at all airports again

Vulnerabilities in the core systems at airports more wide-spread than previously assessed

• Several airports seem to be using WEP-based baggage tracking systems

Insecure configuration practices observed

• APs with out-of-the-box default configuration

• Open/WEP APs with hidden SSIDs


Majority of APs are OPEN ~ 64%

A significant number of WEP installations are visible ~15%

Only 21% APs are using WPA/WPA2

The ideal break-up:•Hotspot APs– OPEN •Non-hotspot APs– WPA/WPA2

The ideal break-up:•Hotspot APs– OPEN •Non-hotspot APs– WPA/WPA2

Wireless Vulnerabilities Revisited – AP Encryption


Wireless Vulnerabilities Revisited – Viral SSIDs

The spread of viral SSIDs is seen at European airports too

• Both SOU and DUB airports had viral SSIDs present

Free Public WiFi is the most common viral SSID

• Seen at 8 out of 13 newly scanned airports

An active ad-hoc network of 4 users was found at the DAL airport

• The users were security-conscious – they were using WEP!


Viral SSIDs Spread to Europe

“Free Public WiFi” found at

all major airports!

Viral SSIDs spread to Europe!


Airport’s Critical Systems are Vulnerable

Previous study reported one instance of baggage system using WEP (at SFO)

New evidence confirms that this occurrence is quite prevalent

Similar vulnerabilities spotted at JFK and IAD airports

• Wireless APs possibly used for baggage handling are using WEP. E.g. bagscanjfkt1 (JFK), bagscanlhiad (IAD)


JFK Baggage Scan

Possible baggage handling system


IAD Baggage Scan



Bangkok Customs and Baggage Scan


Customs network!


Clients Found Connected to Open Customs Network at Bangkok

2 Clients found connected to Customs

network


Insecure Practices Observed

Continued reliance on Hidden SSIDs for security!

• Over 40% security conscious users still continue to use Hidden SSIDs instead of using WPA/WPA2

APs with default configuration in use!

• Over 30% airports have one or more APs with default configuration (which are always insecure)

• This not only suggests that security practices were overlooked but these APs can inadvertently also act as Honeypots

SSID Encryption Location

Linksys (1 Client connected)

OPEN JFK

Linksys WEP SAT

Default (2) WEP BKK

Linksys OPEN DAL

Linksys OPEN BKK


Call for Action – Airport Authorities

Airport Authorities and Airlines need to secure their private Wi-Fi networks

• Secure legacy Wi-Fi enabled handheld devices being used for baggage handling

• Use at least WPA for Wi-Fi enabled ticketing kiosks

• Protect the Airport IT networks against active Wi-Fi attacks


Call for Action – Wi-Fi Hotspot Users

Do not connect to Unknown Wi-Fi networks (e.g. “Free Public WiFi”) while at the airport or any other public places

Be aware of your Windows Wi-Fi network configuration

• Periodically inspect your Windows Wi-Fi network configuration

• Remove unneeded Wi-Fi networks from your “Preferred” list

Do not use computer-to-computer (ad-hoc connectivity) while at public places such as airports

Business Travelers - Use VPN connectivity while using hotspot Wi-Fi networks

Turn OFF your Wi-Fi interface if you are not using it!

wireless vulnerability management 2008 airtight networks, inc. wireless vulnerability assessment...

Documents

airports wifi networks

dub airports

scanned airports

european airports

vulnerability reports

majority of aps

new airports worldwide

world slide