Airport WLANs lack safeguards

While U.S. airlines and airports have beefed up physical security during the past year, wireless LANs continue to be potential IT security problems for some airports, according to an informal audit done earlier this month by an executive at a wireless security firm.

Wireless LANs used at four major airports in applications such as passenger check-in and baggage transfers were operating without even some of the most basic forms of security protections, said Richard Rushing, vice president of technical services at Alpharetta, Ga.-based AirDefense Inc. Rushing checked the LANs as he traveled through the airports the week of Sept. 2.

Only 32 of the 112 WLAN access points (AP) detected by Rushing had the Wired Equivalent Privacy (WEP) protocol turned on, he said. WEP is an encryption technology that's built into all 802.11b, or Wi-Fi, WLANs. In addition, Rushing said, the Service Set Identifiers (SSID) hadn't been turned off on more than half of the APs he found with the help of a WLAN card and NetStumbler AP-detection software. Many of the APs were broadcasting plain-text SSIDs, he added.

Unencrypted Broadcast

At San Francisco International Airport, for example, Rushing picked up an unencrypted WLAN broadcasting the file directory of a Windows NT server and numerous PCs belonging to Northwest Airlines Inc. Rushing said the LAN was set up in such a way that a hacker could have used the available information to learn the network's topology and steal passwords.

Todd Spaude, Northwest's managing director of infrastructure for technology products and services, said the airline had been testing a self-service check-in system at the San Francisco airport that used a WLAN for network connections to a server at company headquarters in Minneapolis. But the LAN was shut down last Monday, he said.

Spaude acknowledged that Northwest didn't turn on WEP on the test system. "That was a mistake," he said, adding that Northwest will use hard-wired network connections if it offers self-service check-in capabilities in the future.

Theresa Wise, vice president of information services at Northwest, said she would be reluctant to use WLANs in any kind of production environment until the security issues related to the technology are resolved.

Rushing said that at Chicago's O'Hare International Airport, he detected several WLAN APs broadcasting an SSID of "X-ray" and transmitting unencrypted file requests. The APs appeared to be associated with systems used to support the airport's luggage X-ray machines, he added.

Rushing said he also detected unsecured WLANs at the airports in Atlanta and San Diego, including APs that were broadcasting Dynamic Host Configuration Protocols, or DHCP, in the clear. DHCP is used by network administrators to automatically assign IP addresses to users who are getting access to WLANs.

John Pescatore, an analyst at Gartner Inc., said the security holes uncovered by AirDefense are the result of "pure sloppiness" that could be easily remedied by following best practices guidelines developed by Gartner and other consulting firms. Securing WLANs "is not rocket science," he said.

But he added that the security shortcomings found at the four airports, particularly the DHCP broadcasts, could be easily exploited by hackers.

AirDefense CEO Jay Chaudry said that the informal audit didn't represent a hacking attempt on the part of Rushing. The company's executives routinely monitor the security of WLANs when they travel, Chaudry said.

Officials at the city of Chicago's Department of Aviation and the airports in Atlanta, San Francisco and San Diego didn't return calls seeking comment. Dave Steigman, a spokesman for the U.S. Transportation Security Administration, said officials at the agency "do not comment on security procedures or operational security at the nation's airports."

Mary Schiavo, former inspector general at the U.S. Department of Transportation, said WLAN security holes need to be addressed because attacking the systems used at airports is a "logical next step" for terrorists.


Air Traffic

AirDefense's audit found these security problems:

Wireless access points (AP) broadcasting identifiers for a baggage transfer system.

APs broadcasting system IDs with names such as "Tower" and "X-ray."

Unencrypted LAN access protocols being broadcast.

APs broadcasting server file directory information.


Copyright © 2002 IDG Communications, Inc.

Shop Tech Products at Amazon