Wireless LANs: Trouble in the Air

Computerworld - As the airline industry scrambles to meet a Jan. 18 deadline to screen every checked bag for explosives, security experts, analysts and government officials are raising serious concerns about the security of wireless technology that's integral to the effort.

At issue is the adoption by airlines of industry-standard 802.11b, or Wi-Fi, wireless LANs operating in the 2.4-GHz band. These systems, which are widely viewed as inherently insecure, are being used to support such applications as bag matching and curbside and roving-agent check-in.

The concerns appear to be justified, based on two investigations that were conducted last week by professional security firms that analyzed airline wireless LAN systems at Denver International Airport and San Jose International Airport.

The analysis in Denver was conducted Jan. 9 by White Hat Technologies Inc., a Westminster, Colo.-based security firm. It revealed that American Airlines Inc. operated wireless LANs totally in the clear without any encryption in its portion of the DIA terminal.

The vulnerability of the American Airlines wireless LAN networks was highlighted by the fact that the security specialists witnessed an intrusion while conducting their monitoring. According to a report furnished to Computerworld, security of the wireless LANs supporting Fort Worth, Texas-based American's curbside check-in stands was further compromised by the fact that the IP address of the curbside terminal was prominently pasted on the monitor.

Except for an administrative network operated by the Denver International Airport authority itself, none of the networks monitored by the security specialists had turned on even the simplest form of encryption: the 40-bit Wired Equivalent Privacy encryption algorithm.

Thubten Comerford, CEO of White Hat Technologies, said airlines that operate unprotected 802.11b wireless networks "are putting themselves and our nation's security at risk." Even when encryption is enabled, wireless LANs "are a serious liability," Comerford added.

A scan of wireless networks at San Jose International Airport on Jan. 10 produced similar results. Jonas Luster, co-founder of D-fensive Networks Inc. in Campbell, Calif., which conducted the analysis in San Jose, said the wireless LANs there had few safeguards against intruders.

Luster said he was easily able to pick up signals and sensitive network information emanating from the wireless LANs belonging to American Airlines and Dallas-based Southwest Airlines Co. American's curbside check-in operations could be monitored, Luster said, and Southwest's networks were issuing information from back-end systems, including at least three Unix servers running the Solaris operating system.

RIP Weakness

"In a matter of minutes, you could sniff out whatever you wanted," said Luster, who added that the routing infrastructure at both airlines was open to exploitation. Routing Information Protocol (RIP), a high-level language that transmits routing updates at regular intervals, can be modified easily to assist a hacker, said Luster. "By injecting a wrong RIP response, I could declare myself a legitimate, authoritative, powerful node on the network," said Luster.