
Wireless Vulnerability Management

Wireless Vulnerability Assessment: Airport Scanning Report, Part II


A study conducted by: AirTight Networks, Inc. www.AirTightnetworks.com

2008 AirTight Networks, Inc.

About This Study


Background
AirTight Networks released the results of its airport wireless vulnerability scan study on March 3, 2008
This follow-up expands the scope by adding vulnerability reports of more airports across the world

The Goal
To assess adoption of security best practices at airport Wi-Fi networks
To assess information security risk exposure of laptop users while they are transiting through airports


2008 AirTight Networks, Inc. Proprietary & Confidential.

Study Methodology

Visited 13 new airports world-wide (9 in US, 2 in Europe, 2 in Asia-Pacific)
USA: New York (JFK), Washington (IAD), San Antonio (SAT), Fort Lauderdale (FLL), Dallas (DAL), Seattle (SEA), Omaha (OMA), Chicago (MDW), San Diego (SAN)
Europe: Southampton (SOU), Dublin (DUB)
Asia/Pacific: Bangkok (BKK), Pune (PNQ)

Scanned Wi-Fi signal for 5 minutes at a randomly selected location (typically a departure gate or lounge area)

Total number of APs found = 318 and Clients = 311


Previous Study Key Findings & Implications

Study Findings

Critical Airport systems found vulnerable to Wi-Fi threats


~ 80% of the private WiFi networks at Airports are OPEN / WEP!

Data leakage by both hotspot and non-hotspot users


Only 3% of hotspot users are using VPNs to encrypt their data!
Non-hotspot users found leaking network information

Viral Wi-Fi outbreak continues

Evidence

Over 10% of laptops found to be infected!


New Study Findings

The same pattern of wireless vulnerabilities was found at all airports again

Vulnerabilities in the core systems at airports more wide-spread than previously assessed
Several airports seem to be using WEP-based baggage tracking systems

Insecure configuration practices observed
APs with out-of-the-box default configuration
Open/WEP APs with hidden SSIDs


Wireless Vulnerabilities Revisited: AP Encryption

Majority of APs are OPEN ~ 64%
A significant number of WEP installations are visible ~15%
Only 21% of APs are using WPA/WPA2

The ideal break-up:
Hotspot APs: OPEN
Non-hotspot APs: WPA/WPA2



Wireless Vulnerabilities Revisited: Viral SSIDs

The spread of viral SSIDs is seen at European airports too
Both SOU and DUB airports had viral SSIDs present

Free Public WiFi is the most common viral SSID
Seen at 8 out of 13 newly scanned airports

An active ad-hoc network of 4 users was found at the DAL airport
The users were security-conscious: they were using WEP!


Viral SSIDs Spread to Europe

Viral SSIDs spread to Europe!

Free Public WiFi found at all major airports!



Airports Critical Systems are Vulnerable


Previous study reported one instance of baggage system using WEP (at SFO)

New evidence confirms that this occurrence is quite prevalent

Similar vulnerabilities spotted at JFK and IAD airports

Wireless APs possibly used for baggage handling are using WEP, e.g. bagscanjfkt1 (JFK), bagscanlhiad (IAD)


JFK Baggage Scan

Possible baggage handling system


IAD Baggage Scan

Possible baggage handling system


Bangkok Customs and Baggage Scan

Possible baggage handling system

Customs network!


Clients Found Connected to Open Customs Network at Bangkok

2 Clients found connected to Customs network


Insecure Practices Observed


APs with default configuration in use!

Over 30% of airports have one or more APs with default configuration (which are always insecure)
This not only suggests that security practices were overlooked, but these APs can also inadvertently act as honeypots

SSID                          Encryption  Location
Linksys (1 Client connected)  OPEN        JFK
Linksys                       WEP         SAT
Default (2)                   WEP         BKK
Linksys                       OPEN        DAL
Linksys                       OPEN        BKK

Continued reliance on Hidden SSIDs for security!

Over 40% of security-conscious users still continue to use Hidden SSIDs instead of using WPA/WPA2
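
As an added example (not part of the AirTight study or its tooling), the following Python code groups Wi-Fi scan records into the categories this report uses: the encryption breakdown, private Open/WEP APs, default SSIDs, hidden SSIDs on Open/WEP APs, and viral ad-hoc SSIDs. The record fields, label names and sample networks are assumptions constructed for illustration.

```python
from collections import Counter, namedtuple

# Added example: fields and labels are assumptions, not the study's tooling.
Net = namedtuple("Net", "ssid enc mode hotspot hidden")

DEFAULT_SSIDS = {"linksys", "default"}   # default SSIDs listed in the study's table
VIRAL_SSIDS = {"free public wifi"}       # viral SSID named in the study
WEAK = {"OPEN", "WEP"}

# Constructed sample scan (not data from the study).
SAMPLE_SCAN = [
    Net("AirportHotspot", "OPEN", "infrastructure", True, False),
    Net("ops-handhelds", "WEP", "infrastructure", False, False),
    Net("Linksys", "OPEN", "infrastructure", False, False),
    Net("", "WEP", "infrastructure", False, True),
    Net("Free Public WiFi", "OPEN", "ad-hoc", False, False),
    Net("airline-staff", "WPA2", "infrastructure", False, False),
]

def encryption_breakdown(scan):
    """Percentage of infrastructure APs per class; WPA and WPA2 are grouped."""
    aps = [n for n in scan if n.mode == "infrastructure"]
    counts = Counter("WPA/WPA2" if n.enc.startswith("WPA") else n.enc for n in aps)
    return {enc: round(100 * c / len(aps), 1) for enc, c in counts.items()} if aps else {}

def findings(net):
    """Labels for one network, mirroring the categories the study reports."""
    if net.mode == "ad-hoc":
        # Ad-hoc networks are advertised by client laptops, not APs.
        return ["viral-ssid"] if net.ssid.lower() in VIRAL_SSIDS else ["ad-hoc"]
    out = []
    weak = net.enc in WEAK
    if weak and not net.hotspot:
        out.append("private-weak-encryption")  # study's ideal: non-hotspot APs use WPA/WPA2
    if net.ssid.lower() in DEFAULT_SSIDS:
        out.append("default-config")
    if weak and net.hidden:
        out.append("hidden-ssid-instead-of-wpa")
    return out

def audit(scan):
    """Return only the networks that need attention, with their labels."""
    return [(n.ssid or "<hidden>", f) for n in scan if (f := findings(n))]

if __name__ == "__main__":
    print(encryption_breakdown(SAMPLE_SCAN))
    for ssid, labels in audit(SAMPLE_SCAN):
        print(f"{ssid:18} {', '.join(labels)}")
```

The open hotspot AP and the WPA2 staff AP produce no findings, which matches the ideal break-up stated earlier in the report.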

Call for Action: Airport Authorities

Airport Authorities and Airlines need to secure their private Wi-Fi networks

Secure legacy Wi-Fi enabled handheld devices being used for baggage handling
Use at least WPA for Wi-Fi enabled ticketing kiosks
Protect the Airport IT networks against active Wi-Fi attacks


Call for Action: Wi-Fi Hotspot Users

Do not connect to Unknown Wi-Fi networks (e.g. Free Public WiFi) while at the airport or any other public places

Be aware of your Windows Wi-Fi network configuration
Periodically inspect your Windows Wi-Fi network configuration
Remove unneeded Wi-Fi networks from your Preferred list

Do not use computer-to-computer (ad-hoc connectivity) while at public places such as airports

Business Travelers - Use VPN connectivity while using hotspot Wi-Fi networks

Turn OFF your Wi-Fi interface if you are not using it!
