Travelers Beware: Survey Exposes Airport Wi-Fi Vulnerabilities

By Lisa Phifer

March 10, 2008

The boon of finding free Wi-Fi access when traveling can come at a high price. A new airport Wi-Fi survey finds that high-risk APs and ad hocs are surprisingly common in terminals both in the U.S. and in Asia.

The boon of finding free Wi-Fi access when traveling can come at a high price. A new airport Wi-Fi survey finds that high-risk APs and ad hocs are surprisingly common in terminals both in the U.S. and in Asia.


In preparation for this week’s SpectraGuard SAFE release, AirTight Networks sniffed the airwaves at 14 airports throughout the US and Asia. Of nearly 500 APs overheard at gate, lounge, baggage claim, and ticketing venues, just 15 percent used WPA. You might expect the rest to represent open hotspots—but you would be wrong.

“We were actually looking for data on security at hotspots,” said Sri Sundaralingam, senior director of product management. “We wanted to assess risk exposures that users face at hotspots, as well as best practices now being used. We thought we would find mostly hotspot APs at airports—we didn’t expect to find so many open and WEP APs being used for what appear to be critical applications.”

Open for business

AirTight engineers used off-the-shelf tools like WireShark to passively capture Wi-Fi packets over five-minute intervals throughout airports in Ottawa, Newark, Philadelphia, Pittsburgh, Chicago, Myrtle Beach, West Palm, Orange County, San Jose, San Francisco, Portland, Seoul, Malaysia, and Singapore. According to published results, 77 percent of the Wi-Fi networks found were not hotspots.

“When we looked at SSIDs, we found well-known hotspot names and also default SSIDs like ‘linksys.’ But there were also many hidden SSIDs and interesting SSIDs like KIOSKWIRELESS and e-BaggageTrial,” said Sundaralingam.

Intrigued, AirTight classified APs based on SSID, security, and usage—for example, hotspot SSIDs are usually broadcasted by multiple APs that do not require wireless encryption. This rationale could slightly inflate non-hotspot count—for example, "tmobile1x" is a non-broadcasted, WPA-encrypted hotspot SSID. "There may be a few exceptions, but we think [our classification] is perhaps 90 percent accurate," said Sundralingham.

Mitigating risk

Disconcertingly, just 20 percent of non-hotspot APs used WPA or WPA2. Approximately 36 percent of non-hotspot APs used WEP, while another 44 percent required no 802.11 encryption.

Some might employ "compensating controls" like VPN or SSL tunnels over WEP. However, researchers saw nearly 200 clients exchanging plain text protocols with open APs. After examining SSIDs and packets, testers concluded that they had found a significant number of unsecured APs being used for sensitive activities like baggage handling and traffic ticketing.

For example, at SFO, a cluster of open and WEP APs used the "ultratrak" SSID. "We did a little research and found that UltraTrak is being used for baggage handling around the world," said Sundaralingham. "We cannot say if UltraTrak is using open or WEP APs in other airports, but we definitely saw this occur at SFO."

Leaky hotspots

When AirTight analyzed hotspot traffic, they expected to find widely-recommended best practices like SSL or VPN. Here again, results were unexpected.

Testers identified the source MAC addresses from which captured IPsec and other VPN tunneling protocols originated. Just three percent of the total number of unique MAC addresses were seen using a VPN. Another 38 percent sent SSL-encrypted packets.

This analysis can be tricky. Many clients do nothing more than probe for APs; they may not send any data—encrypted or otherwise. Furthermore, VPN and SSL clients do not encrypt everything they send—unencrypted broadcast traffic is quite common. But the fact that AirTight saw 59 percent of clients actively transmitting plain text HTTP is clear cause for concern.

Viral ad hocs

Researchers also spotted hundreds of Ad Hoc nodes beaconing catchy SSIDs like "Free Public WiFi." A whopping 10 percent of the 585 clients identified in this study showed signs of being infected by at least one "viral SSID."

Ad Hoc SSIDs propagate from one client to another by exploiting the default settings of Windows XP Wireless Zero Config. When an infected laptop activates Wi-Fi, it starts to advertise an Ad Hoc named "Free Public Wi-Fi." Nearby Wi-Fi users can see and connect to this enticing available network. Those users may or may not get free Internet, but they always end up with a new Preferred Network. Unless that entry is reconfigured to disable auto-connect or avoid Ad Hoc connections altogether, this cycle repeats ad infinitum.

AirTight captured viral SSID beacons or probes at 13 of 14 airports, affecting up to 22 percent of the total clients seen at each venue. "At Orange County, we found a network of six clients actively connected to each other via Free Public Wi-Fi," said Sundaralingham. "An attacker could join that network to access shared folders or use known XP exploits against other clients."

Improving air traffic safety

As a wireless security vendor, AirTight has a vested interest in identifying such threats. "Our mission is to help secure the enterprise, and SpectraGuard SAFE is part of that," said Sundaralingham.

SAFE is a host-resident WIPS agent that can be administered through AirTight's SpectraGuard Enterprise WIPS console. Employers can install SAFE on laptops before users attempt to connect to home or hotspot networks. Configured profiles control Wi-Fi activities permitted in each location—for example, preventing users from sending data to hotspot APs without a VPN tunnel, or from connecting to any Ad Hoc node or unknown SSID. SAFE 2.5 enhancements include automated profile switching, VPN/firewall policy enforcement, and more extensive reporting.

SpectraGuard Enterprise is being tested at one airport, but company officials say they do not have airport customers at this time. "We didn't set out to find airport network vulnerabilities," said Sundaralingham. "Airport authorities really have to do a better job of encrypting those mission critical application networks."

“It is ironic that the traveler passes through a phalanx of physical security to only to be sitting at a gate and be vulnerable to cybercrime," continued Sundaralingham. "Both network administrators and business travelers recognize the benefits of mobility... but it is time for all of these constituencies to recognize the risks as well and implement best practices.

For more on how to protect yourself when using an open hotspot, read, "Hotspot Safety for Business Users," "When 'Free Public Wi-Fi' Is Bad," and "The Wi-FiPlanet Guide to Hotspot Safety."

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, deployment, and testing of wireless/mobile products and services for over a dozen years and is a frequent contributor to Wi-FiPlanet.

Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.