Airport Study Reveals Wireless Security Risks for Travelers and Airport Operations

At Gartner Mobile and Wireless, AirTight Networks issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems.

"If hackers can bring down the power grid in several cities as reported by the CIA, how easy would it be for them to create havoc with an unsecured baggage system," said Sri Sundaralingam, senior director of product management at AirTight. "Imagine the ripple effect at an airport like Heathrow or O'Hare if someone could work their way into the baggage transiting system and reroute luggage all over the world. It could bring the system to a grinding halt with both economic and security consequences."

Despite incidents like the one mentioned above, the massive TJX data breach and the case of an Indiana University student who was able to generate fake boarding passes, AirTight's findings appear to demonstrate that retailers, airlines and providers of critical systems at airports are still not taking a long hard look at cyber security or understanding the additional risks that wireless introduces.

The study also discovered that fully ten percent of the laptops detected during the scans were infected with a viral (ad-hoc) Wi-Fi Network, making the users vulnerable to data leakage and identity theft.

"It is ironic that the traveler passes through a phalanx of physical security to only to be sitting at a gate and be vulnerable to cybercrime," continued Sundaralingam "Both network administrators and business travelers recognize the benefits of mobility and anywhere, anytime computing but it is time for all of these constituencies to recognize the risks as well and implement best practices."

How the study was conducted
AirTight security researchers took five minute scans at randomly selected locations in airports in Ottawa, Canada, Newark, NJ, Philadelphia and Pittsburgh, PA, Chicago, IL, Myrtle Beach, SC, West Palm Beach, FL, Orange County, San Jose and San Francisco, CA, Portland, OR, Seoul, Malaysia and Singapore over a two week period from January 30 through February 8, 2008.

The traces were collected using off-the-shelf (consumer) Wi-Fi cards and publicly available data collection tools. Four hundred seventy eight access points and 585 Wi-Fi clients were scanned. The scans were typically collected at gate or airport lounge areas.