Wifi security: Airport Wi-Fi easily hacked

Technology
Hacking Airport Wi-Fi
Taylor Buley 12.08.08

Richard Farina booted up his computer on an American Airlines flight in October from New York to San Francisco. It was one of the first commercial flights to offer wireless Internet service. Within a couple minutes of reaching 10,000 feet, Farina was snooping the airwaves with the ability to see what his fellow passengers were doing without having to leave his cramped middle seat.

Farina isn't a bad guy. He was just doing his job as a so-called white-hat hacker for AirTight Networks, a manufacturer of wireless intrusion protection hardware and software. AirTight's chief executive, David King, sends hackers out for unsolicited security assessments. Earlier this year he dispatched Farina and a few other of his 100-plus employees to collect wireless security data at 20 U.S. airports and a few abroad. They found rampant phony Wi-Fi hot spots created by phishers and, at several large airports, plenty of open or insecure networks run by critical operations such as baggage handling and ticketing. Almost all public networks allowed data such as user names and passwords to pass through the air unencrypted. Only 3% of people used something more secure.

Video: Hackers Target Airports

To be sure, King's missions are self-serving; he runs a business that sells the devices that plug security holes. But King says that U.S. airports have a genuine problem. Very few, such as McCarran International in Las Vegas, monitor all wireless traffic for intruders. (The Vegas airport officials are quick to add that they don't censor for content.) Others, like San Francisco International, are laissez-faire. AirTight found that 47 wireless networks used for SFO's airport operations were wide open or poorly secured.

Wireless networks are some of the most easily hacked. Indian terrorists this summer broke into underprotected networks to e-mail a warning prior to bomb blasts in Delhi and Ahmedabad. In August the Justice Department indicted 11 members of a retail hacking ring, accusing them of grabbing millions of credit and debit card numbers off networks inside stores run by TJX Companies, BJ's Wholesale Club, OfficeMax, Barnes & Noble and Forever 21, among others.

The most common means of protecting Wi-Fi networks, the Wired Equivalent Privacy encryption standard, or WEP, was broken in 2001. Nowadays a moderately skilled hacker needs only a couple of minutes to crack its key with an off-the-shelf wireless card. In November a pair of German computer science students made a critical first step toward cracking the Wi-Fi Protected Access encryption standard, or WPA, once heralded as the solution to WEP's insecurity.

The market for wireless intrusion prevention systems is still small: $168 million worldwide this year, according to research firm Gartner, but that represents a 40% gain from 2007. King's AirTight competes with other sellers of Wi-Fi security gear such as AirMagnet and AirDefense, which was recently acquired by Motorola for an undisclosed sum. Publicly traded Aruba Networks and Cisco Systems sell wireless security systems that are already built into their networking gear. Four-year-old AirTight has 600 customers paying between $40,000 and $50,000 a year. The private company in Mountain View, Calif. also licenses its products to hardware makers Siemens and 3Com.

King says that most of his clients are retailers, which are compelled by credit card industry audits to protect the financial data that travel on their networks, but airports are high on his prospect list. He and other security vendors say airports have been slow to harden their airwaves because of cost. It might require $200,000 to cover a place as big as San Francisco International, and the airports lack any mandate from the federal government to take control of the networks run by airlines and the companies that service them.

AirTight's system consists of a $5,000 to $10,000 central server that can manage a few hundred sensors at a time. The sensors, which look like a home Wi-Fi access point, cost $500 to $1,200 apiece. AirTight's server sends out what the company calls marker packets that identify radios actively connected to the network. Those packets are bounced back to the sensors from any active connection. All unauthorized connections are cut off. The server continues to monitor the airwaves for unauthorized attempts to connect.

McCarran airport is one of those willing to spend money for wireless security. It runs two wireless networks, one for public use and another for airport operations. "It was our intent to put the passenger in a bubble. He can go out to the Internet, but he can't touch anything on the airport side, and he can't see anyone else who is using the network," says Gerard Hughes, IT service manager at McCarran, which pays Aruba Networks $20,000 a year for software and hardware maintenance.

AirTight's David King will continue to cause headaches for airports with his surreptitious security scans to raise awareness and woo them as customers. "For any security product, there is this learning curve," he says. "We're somewhere in the getting-past-the-awareness stage."

Sidebar:
Is It Safe?

Video: Hackers Target Airports

Source: http://www.forbes.com/forbes/2008/1208/052.html