Wireless LANs: Trouble in the air

As the airline industry scrambles to meet a Jan. 18 deadline to screen every checked bag for explosives, security experts, analysts and government officials are raising serious concerns about the security of wireless technology that’s integral to the effort.

At issue is the adoption by airlines of industry-standard 802.11b, or WiFi, wireless LANs operating in the 2.4GHz band. These systems, which are widely viewed as inherently insecure, are being used to support such applications as bag matching and curbside and roving-agent check-in.

The concerns appear to be justified, based on two investigations that were conducted last week by professional security firms that analysed airline wireless LAN systems at Denver International Airport and San Jose International Airport.

The analysis in Denver was conducted Jan. 9 by a security firm that didn’t want its identity disclosed. It revealed that American Airlines Inc. operated wireless LANs totally in the clear without any encryption in its portion of the DIA terminal.

The vulnerability of the American Airlines wireless LAN networks was highlighted by the fact that the security specialists witnessed an intrusion while conducting their monitoring. According to a report furnished to Computerworld (U.S.), security of the wireless LANs supporting Fort Worth, Tex.-based American’s curbside check-in stands was further compromised by the fact that the IP address of the curbside terminal was prominently pasted on the monitor.

Except for an administrative network operated by the Denver International Airport authority itself, none of the networks monitored by the security specialists had turned on even the simplest form of encryption: the 40-bit Wired Equivalent Privacy encryption algorithm.

Thubten Cumerford, CEO of Westminster, Colo.-based security firm White Hat Technologies Inc., said airlines that operate unprotected 802.11b wireless networks “are putting themselves and our nation’s security at risk.” Even when encryption is enabled, wireless LANs “are a serious liability,” Cumerford added.

A scan of wireless networks at San Jose International Airport on Jan. 10 produced similar results. Jonas Luster, co-founder of D-fensive Networks Inc. in Campbell, Calif., which conducted the analysis in San Jose, said the wireless LANs there had few safeguards against intruders.

Luster said he was easily able to pick up signals and sensitive network information emanating from the wireless LANs belonging to American Airlines and Dallas-based Southwest Airlines Co. American’s curbside check-in operations could be monitored, Luster said, and Southwest’s networks were issuing information from back-end systems, including at least three Unix servers running the Solaris operating system.

RIP Weakness

“In a matter of minutes, you could sniff out whatever you wanted,” said Luster, who added that the routing infrastructure at both airlines was open to exploitation. Routing Information Protocol (RIP), a high-level language that transmits routing updates at regular intervals, can be modified easily to assist a hacker, said Luster. “By injecting a wrong RIP response, I could declare myself a legitimate, authoritative, powerful node on the network,” said Luster.
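A defensive check for the exposure Luster describes, as an added example that is not part of the original article: it parses RIP packets (RFC 2453 layout) and flags routing updates that carry no authentication entry or that come from a source not on a list of known routers. The addresses, the trusted-router list and both sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2      # RIP command value for a routing update (RFC 2453)
AUTH_AFI = 0xFFFF     # RIPv2: a first entry with this address family carries authentication
INFINITY = 16         # RIP metric meaning "unreachable"

def parse_rip(payload: bytes):
    """Split a RIP UDP payload into (command, version, has_auth, routes)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP payload")
    command, version = struct.unpack("!BB", payload[:2])
    has_auth, routes = False, []
    for off in range(4, len(payload), 20):
        afi, _tag, addr, mask, _nhop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi == AUTH_AFI and off == 4 and version == 2:
            has_auth = True          # authentication entry, not a route
            continue
        routes.append((f"{IPv4Address(addr)}/{IPv4Address(mask)}", metric))
    return command, version, has_auth, routes

def check_rip_update(src_ip: str, payload: bytes, trusted_routers: set) -> list:
    """Return findings for one observed RIP packet; an empty list means nothing flagged."""
    command, version, has_auth, routes = parse_rip(payload)
    if command != RIP_RESPONSE:
        return []                    # requests do not change routing tables
    findings = []
    if not has_auth:
        findings.append(f"RIPv{version} update without an authentication entry")
    if src_ip not in trusted_routers:
        findings.append(f"update from unlisted source {src_ip}")
        findings += [f"unlisted source claims {net} at metric {m}"
                     for net, m in routes if m < INFINITY]
    return findings

def entry(net, mask, metric):
    """Build one constructed route entry (address family 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(net).packed,
                       IPv4Address(mask).packed, bytes(4), metric)

# Constructed sample packets and addresses, not captured traffic.
TRUSTED = {"10.0.0.1"}
AUTH = struct.pack("!HH16s", AUTH_AFI, 2, b"constructed-pass")
GOOD = struct.pack("!BBH", 2, 2, 0) + AUTH + entry("10.1.0.0", "255.255.0.0", 2)
ROGUE = struct.pack("!BBH", 2, 2, 0) + entry("10.2.0.0", "255.255.0.0", 1)

if __name__ == "__main__":
    print(check_rip_update("10.0.0.1", GOOD, TRUSTED))
    print(check_rip_update("10.0.0.77", ROGUE, TRUSTED))
```

The check only notes whether an authentication entry is present; a simple-password entry travels in clear text, so on an unencrypted wireless segment it can be read like any other traffic.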

Although American acknowledged the vulnerability of the 802.11b standard, it downplayed the seriousness of the situation.

“This particular issue is a very temporary one and a very noncompromising one,” said American CIO Monte Ford. American is already on track to roll out a proprietary security system to replace 802.11b well before an industry-standard improvement is adopted, Ford said. And he added that even if a hacker was able to locate passwords, he would still be unable to access applications and databases. “A password is not a free ticket to our network, by any stretch of the imagination,” he said. “They can just see points on the network. They can’t get into applications.”

Ford said American doesn’t plan to use positive bag matching to meet the Jan. 18 deadline Congress has set for the airlines to implement some means of screening all checked baggage. It does plan to start using a bag-matching system later this year, Ford added.

American Airlines’ visibility is at least partly attributable to the fact that it has been ahead of the curve in wireless LAN deployment.

Delta Air Lines Inc., United Air Lines Inc. and Southwest Airlines all declined to comment for this story, citing security concerns. Northwest Airlines Inc. and Continental Airlines Inc. didn’t return calls seeking comment by deadline. In any case, there appears to be no coordinated effort among the airlines to address wireless security issues.

For its part, American currently uses its wireless LANs only for curbside check-in and roving agents, and Ford said that even if intruders penetrated the network, they could do little damage. That’s because American’s core systems are hosted by Fort Worth, Tex.-based Sabre Inc. on an IBM transaction processing facility (TPF) system that’s generally viewed as extremely difficult to hack because of the rigid and arcane structure of TPF.

“It’s not possible that you could get into the kinds of things that could do damage,” said Richard Eastman, an airline industry consultant at Newport Beach, Calif.-based The Eastman Group.

The TPF-based reservation system is a deep matrix, with passwords embedded in each level, explained Michael Anderson, director of airport systems at Sabre.

But that doesn’t satisfy Joe Weiss, vice-president of the network applications division at Annapolis, Md.-based Aeronautical Radio Inc. (Arinc), a communications services provider owned by a consortium of airlines. Weiss said he’s concerned that a hacker could use an unprotected wireless LAN to hop into core airline operational systems. These systems include flight operations, bag matching and passenger reservations. Flight operations systems manage such vital functions as refuelling, maintenance and flight dispatch, Weiss said.

Weiss expressed concern that access to a bag-matching system could allow an attacker to manipulate the system to show that luggage belonged to a boarded passenger when in fact it did not. This concern is one reason Arinc plans to abandon the 802.11b-based bag-matching system it operates as a shared resource system for all carriers with international flights at San Francisco International Airport. Arinc said it will switch to a private wireless system operating in the 800MHz band. That system will be based on Integrated Digital Enhanced Network (IDEN) voice and data terminals developed by Schaumburg, Ill.-based Motorola Inc.

IDEN provides more robust security than wireless LANs, Weiss said, including software keys for each terminal. Arinc plans to encrypt the network traffic as well.

Presidential Concerns

The security weakness of wireless LANs used throughout the nation’s critical industries, including airlines, hasn’t gone unnoticed at high levels of the Bush administration. A senior White House official said wireless security initiatives are at the top of the 2002 agenda for the president’s newly established Critical Infrastructure Protection Board. At least one white paper is in development that will examine wireless LANs and the interconnections between wireless devices and critical infrastructure systems, such as Federal Aviation Administration networks.

The U.S. Department of Transportation (DOT) and two of its key agencies – the FAA and the newly formed Transportation Security Agency (TSA) – plan to take a critical look at wireless LAN security over the next year. Mike Brown, director of information security at the FAA, said that in this new security-conscious era, airline wireless systems are subject to increased scrutiny.

The DOT has formed a “go team,” led by Associate CIO Lisa Schlosser, that will examine existing airline wireless systems, including LANs. In partnership with the FAA, the TSA and private industry, it will develop security standards and define a general wireless architecture, Brown said.

Though American Airlines downplayed the vulnerability of its wireless networks in San Jose and Denver, some security analysts viewed the potential threat as significant and symptomatic of the airline industry’s failure to properly address network security.

James Foster, a senior consultant and researcher at Guardent Inc., a security firm in Waltham, Mass., has conducted several wireless security audits during the past year that have uncovered significant vulnerabilities in and around major airport facilities, including John F. Kennedy International Airport in New York and Boston’s Logan International Airport.

“Possible baggage system vulnerabilities do not surprise me,” said Foster. “This is a serious problem that puts lives and the U.S. infrastructure at risk.”

Although he wouldn’t provide details about specific airlines, Foster’s wireless security audits have shown that a skilled hacker with the right software tools would need only seconds to conduct a detailed reconnaissance of an airline’s wireless network.

“Most of the time these [wireless systems] are tied to back-end systems,” Foster said. Regardless of how arcane or proprietary those networks may be, “it’s only a matter of time until somebody figures out how it works, how it communicates and how people authenticate,” he said. “It would take no more than an hour to figure out how the system worked.”

Beyond Wireless: Tapping Other Tech

The Massachusetts Port Authority (Massport) has started to beef up security at Boston’s Logan International Airport – the departure point for two of the planes hijacked on Sept. 11 – with facial-recognition technology and an automated document authentication system.

According to Barbara Platt, a spokeswoman for Boston-based Massport, the authority last month signed a contract with Imaging Automation Inc. in Bedford, N.H., to test that company’s BorderGuard document authentication technology.

BorderGuard uses a scanner to verify that an identification document such as a passport hasn’t been forged or altered. The system compares the scanned passenger ID against a database of Interpol document security information developed by Keesing Reference Systems BV in Amsterdam.

It also captures the contents of the document and cross-checks the information against a database of suspected criminals and terrorists. Platt said Massport intends to use BorderGuard to check IDs of passengers as well as airport workers, but declined to say where within the airport complex the agency plans to use the system.

Platt said Massport has also tapped two companies to provide facial-recognition technology to assist in passenger screening and to help positively identify Logan workers. She said Lau Technologies in Littleton, Mass., and Visionics Corp. in Jersey City, N.J., will provide Logan with the biometric systems for a pilot program. She declined to specify the number of systems ordered or where they would be used.

While several airports have installed or have announced plans to install facial-recognition systems, the problem is that there’s no standard for how those systems should be deployed. Oakland police Sgt. Mark Schmid, who is in charge of the installation of a facial-scanning program at Oakland International Airport in California, said his and other agencies must agree on a standard format for storing the pictures before they can link to government agencies such as the FBI.

Bliss-less Ignorance

The skills required to secure wireless networks aren’t keeping pace with the rapid build-out of wireless infrastructures, a recent survey found.

Despite growing concerns about the security of corporate wireless networks, nearly 20 per cent of survey respondents said they lacked the knowledge needed to deal with the problem, and 54 per cent said they were only “somewhat knowledgeable.” The survey of 1,200 security professionals was conducted by Information Security magazine, published by Herndon, Va.-based security firm TruSecure Corp.

“These are all security professionals who are saying this. When you back this out to the larger [IT] population, there still seems to be somewhat of an ‘ignorance is bliss’ attitude” relating to wireless security, said Andrew Brinley, editor-in-chief of Information Security. Inadequate security in the Wired Equivalent Privacy (WEP) protocol and in handheld devices continues to be a major concern for wireless users, Brinley said.

The WEP algorithm is used to protect wireless networks based on 802.11, the current wireless LAN standard, from electronic eavesdropping and unauthorized access. But a survey by researchers at the University of California, Berkeley last year, along with other reports, has revealed a number of flaws in WEP.

The Institute of Electrical and Electronics Engineers Inc. this year will introduce a new standard, 802.1x. It will use encryption keys that are unique for each user and each network session, and it will support 128-bit key lengths. It will also support the use of Remote Authentication Dial-In User Service, a central repository of authentication information for the network, and Kerberos, an authentication protocol that enables dynamic key changes.

Most of the major wireless vendors have announced plans to support the new standard with products due early next year. In fact, Cisco Systems Inc. has already introduced Lightweight Extensible Authentication Protocol (LEAP) for its Aironet devices. With LEAP, client devices dynamically generate a new WEP key instead of using a static key as part of the log-in process.

The fact that wireless frequencies can be easily jammed and communication tapped without physical access is a major concern, said Daniel Lange, an IT strategist at BMW Group in Munich, Germany. “WEP is seriously flawed [and] thus needs to be considered insecure. Communication can be compromised just by listening remotely,” Lange said.

BMW uses 802.11-based wireless LANs at two of its manufacturing facilities in Germany.

“There is no standard for securing 802.11 [wireless LANs] now, only incompatible vendor-specific implementations,” Lange said.

“WEP has come under a lot of criticism for its lack of security. But [even a WEP-enabled network] is still better than nothing” when it comes to securing wireless access, Brinley said.