[ISN] Wireless LANs: Trouble in the Air

From: InfoSec News (isnat_private)
Date: Tue Jan 15 2002 - 22:18:11 PST


    January 14, 2002
    As the airline industry scrambles to meet a Jan. 18 deadline to screen
    every checked bag for explosives, security experts, analysts and
    government officials are raising serious concerns about the security
    of wireless technology that's integral to the effort.
    At issue is the adoption by airlines of industry-standard 802.11b, or
    WiFi, wireless LANs operating in the 2.4-GHz band. These systems,
    which are widely viewed as inherently insecure, are being used to
    support such applications as bag matching and curbside and
    roving-agent check-in.
    The concerns appear to be justified, based on two investigations that
    were conducted last week by professional security firms that analyzed
    airline wireless LAN systems at Denver International Airport and San
    Jose International Airport.
    The analysis in Denver was conducted Jan. 9 by White Hat Technologies
    Inc., a Westminster, Colo.-based security firm. It revealed that
    American Airlines Inc. operated wireless LANs totally in the clear
    without any encryption in its portion of the DIA terminal.
    The vulnerability of the American Airlines wireless LAN networks was
    highlighted by the fact that the security specialists witnessed an
    intrusion while conducting their monitoring. According to a report
    furnished to Computerworld, security of the wireless LANs supporting
    Fort Worth, Texas-based American's curbside check-in stands was
    further compromised by the fact that the IP address of the curbside
    terminal was prominently pasted on the monitor.
    Except for an administrative network operated by the Denver
    International Airport authority itself, none of the networks monitored
    by the security specialists had turned on even the simplest form of
    encryption: the 40-bit Wired Equivalent Privacy encryption algorithm.
    Thubten Comerford, CEO of White Hat Technologies, said airlines that
    operate unprotected 802.11b wireless networks "are putting themselves
    and our nation's security at risk." Even when encryption is enabled,
    wireless LANs "are a serious liability," Comerford added.
    A scan of wireless networks at San Jose International Airport on Jan.  
    10 produced similar results. Jonas Luster, co-founder of D-fensive
    Networks Inc. in Campbell, Calif., which conducted the analysis in San
    Jose, said the wireless LANs there had few safeguards against
    Luster said he was easily able to pick up signals and sensitive
    network information emanating from the wireless LANs belonging to
    American Airlines and Dallas-based Southwest Airlines Co. American's
    curbside check-in operations could be monitored, Luster said, and
    Southwest's networks were issuing information from back-end systems,
    including at least three Unix servers running the Solaris operating

    RIP Weakness

    "In a matter of minutes, you could sniff out whatever you wanted,"  
    said Luster, who added that the routing infrastructure at both
    airlines was open to exploitation. Routing Information Protocol (RIP),
    a high-level language that transmits routing updates at regular
    intervals, can be modified easily to assist a hacker, said Luster. "By
    injecting a wrong RIP response, I could declare myself a legitimate,
    authoritative, powerful node on the network," said Luster.
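    A detection-side companion to Luster's point, added here as an example and not part of the Computerworld article: it decodes RIP datagrams as they appear on UDP/520 and flags what a forged update would look like from the defender's side (a source not on the router allowlist, no keyed-MD5 authentication entry, a default route offered at metric 1). The two sample datagrams and the trusted-router set are constructed for this example, not taken from any airport capture.

```python
import struct

RIP_RESPONSE = 2     # command byte of a RIP response (a route advertisement)
AFI_AUTH = 0xFFFF    # address-family value that marks an RIPv2 authentication entry
KEYED_MD5 = 3        # RIPv2 authentication type for keyed MD5 (RFC 2082)

def parse_rip(payload):
    """Decode a RIP datagram body (RFC 1058 / RFC 2453): command, version, auth type, routes."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP datagram")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "auth_type": None, "routes": []}
    for off in range(4, len(payload), 20):          # every entry is exactly 20 bytes
        afi, field2 = struct.unpack("!HH", payload[off:off + 4])
        if afi == AFI_AUTH:
            if msg["auth_type"] is None:            # first auth entry wins; an MD5 trailer reuses this AFI
                msg["auth_type"] = field2
            continue
        addr, mask, next_hop, metric = struct.unpack("!4s4s4sI", payload[off + 4:off + 20])
        msg["routes"].append({"prefix": ".".join(map(str, addr)), "mask": ".".join(map(str, mask)),
                              "next_hop": ".".join(map(str, next_hop)), "metric": metric})
    return msg

def audit_rip_response(src_ip, payload, trusted_routers):
    """Findings for one RIP datagram seen on UDP/520; an empty list means nothing looked suspicious."""
    msg = parse_rip(payload)
    findings = []
    if msg["command"] != RIP_RESPONSE:
        return findings                             # requests carry no routes to act on
    if src_ip not in trusted_routers:
        findings.append(f"RIP response from untrusted source {src_ip}")
    if msg["version"] == 1 or msg["auth_type"] != KEYED_MD5:
        findings.append("response lacks keyed-MD5 authentication (RIPv1 cannot carry any)")
    for r in msg["routes"]:
        if r["prefix"] == "0.0.0.0" and r["metric"] <= 1:  # "I am the best path to everything"
            findings.append(f"default route advertised with metric {r['metric']} via {r['next_hop']}")
    return findings

# Constructed sample datagrams (not real captures): one legitimate RIPv2 update and one rogue one.
def _entry(prefix, mask, next_hop, metric):
    to4 = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!HH", 2, 0) + to4(prefix) + to4(mask) + to4(next_hop) + struct.pack("!I", metric)

MD5_AUTH_ENTRY = struct.pack("!HH", AFI_AUTH, KEYED_MD5) + bytes(16)   # digest trailer omitted
LEGIT_PACKET = struct.pack("!BBH", RIP_RESPONSE, 2, 0) + MD5_AUTH_ENTRY + _entry("10.10.0.0", "255.255.0.0", "0.0.0.0", 2)
ROGUE_PACKET = struct.pack("!BBH", RIP_RESPONSE, 2, 0) + _entry("0.0.0.0", "0.0.0.0", "192.168.50.77", 1)
TRUSTED_ROUTERS = {"10.10.0.1"}                     # constructed allowlist of the airline's real routers
```

    In practice the same checks would be fed from a UDP/520 capture on the wireless segment; the real mitigation the article points toward is keyed authentication on every RIP speaker, with unauthenticated updates dropped at the router rather than merely logged.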
    Although American acknowledged the vulnerability of the 802.11b
    standard, it downplayed the seriousness of the situation.
    "This particular issue is a very temporary one and a very
    noncompromising one," said American CIO Monte Ford. American is
    already on track to roll out a proprietary security system to replace
    802.11b well before an industry-standard improvement is adopted, Ford
    said. And he added that even if a hacker was able to locate passwords,
    he would still be unable to access applications and databases. "A
    password is not a free ticket to our network, by any stretch of the
    imagination," he said. "They can just see points on the network. They
    can't get into applications."
    Ford said American doesn't plan to use positive bag matching to meet
    the Jan. 18 deadline Congress has set for the airlines to implement
    some means of screening all checked baggage. It does plan to start
    using a bag-matching system later this year, Ford added.
    American Airlines' visibility is at least partly attributable to the
    fact that it has been ahead of the curve in wireless LAN deployment.
    Delta Air Lines Inc., United Air Lines Inc. and Southwest Airlines all
    declined to comment for this story, citing security concerns.  
    Northwest Airlines Inc. and Continental Airlines Inc. didn't return
    calls seeking comment by deadline. In any case, there appears to be no
    coordinated effort among the airlines to address wireless security
    For its part, American currently uses its wireless LANs only for
    curbside check-in and roving agents, and Ford said that even if
    intruders penetrated the network, they could do little damage. That's
    because American's core systems are hosted by Fort Worth, Texas-based
    Sabre Inc. on an IBM transaction processing facility (TPF) system
    that's generally viewed as extremely difficult to hack because of the
    rigid and arcane structure of TPF.
    "It's not possible that you could get into the kinds of things that
    could do damage," said Richard Eastman, an airline industry consultant
    at Newport Beach, Calif.-based The Eastman Group.
    The TPF-based reservation system is a deep matrix, with passwords
    embedded in each level, explained Michael Anderson, director of
    airport systems at Sabre.
    But that doesn't satisfy Joe Weiss, vice president of the network
    applications division at Annapolis, Md.-based Aeronautical Radio Inc.  
    (Arinc), a communications services provider owned by a consortium of
    airlines. Weiss said he's concerned that a hacker could use an
    unprotected wireless LAN to hop into core airline operational systems.  
    These systems include flight operations, bag matching and passenger
    reservations. Flight operations systems manage such vital functions as
    refueling, maintenance and flight dispatch, Weiss said.
    Weiss expressed concern that access to a bag-matching system could
    allow an attacker to manipulate the system to show that luggage
    belonged to a boarded passenger when in fact it did not. This concern
    is one reason Arinc plans to abandon the 802.11b-based bag-matching
    system it operates as a shared resource system for all carriers with
    international flights at San Francisco International Airport. Arinc
    said it will switch to a private wireless system operating in the
    800-MHz band. That system will be based on Integrated Digital Enhanced
    Network (IDEN) voice and data terminals developed by Schaumburg,
    Ill.-based Motorola Inc.
    IDEN provides more robust security than wireless LANs, Weiss said,
    including software keys for each terminal. Arinc plans to encrypt the
    network traffic as well.

    Presidential Concerns

    The security weakness of wireless LANs used throughout the nation's
    critical industries, including airlines, hasn't gone unnoticed at high
    levels of the Bush administration. A senior White House official said
    wireless security initiatives are at the top of the 2002 agenda for
    the president's newly established Critical Infrastructure Protection
    Board. At least one white paper is in development that will examine
    wireless LANs and the interconnections between wireless devices and
    critical infrastructure systems, such as Federal Aviation
    Administration networks.
    The U.S. Department of Transportation (DOT) and two of its key
    agencies—the FAA and the newly formed Transportation Security Agency
    (TSA)—plan to take a critical look at wireless LAN security over the
    next year. Mike Brown, director of information security at the FAA,
    said that in this new security-conscious era, airline wireless systems
    are subject to increased scrutiny.
    The DOT has formed a "go team," led by Associate CIO Lisa Schlosser,
    that will examine existing airline wireless systems, including LANs.  
    In partnership with the FAA, the TSA and private industry, it will
    develop security standards and define a general wireless architecture,
    Brown said.
    Though American Airlines downplayed the vulnerability of its wireless
    networks in San Jose and Denver, some security analysts viewed the
    potential threat as significant and symptomatic of the airline
    industry's failure to properly address network security.
    James Foster, a senior consultant and researcher at Guardent Inc., a
    security firm in Waltham, Mass., has conducted several wireless
    security audits during the past year that have uncovered significant
    vulnerabilities in and around major airport facilities, including John
    F. Kennedy International Airport in New York and Boston's Logan
    International Airport.
    "Possible baggage system vulnerabilities do not surprise me," said
    Foster. "This is a serious problem that puts lives and the U.S.  
    infrastructure at risk."
    Although he wouldn't provide details about specific airlines, Foster's
    wireless security audits have shown that a skilled hacker with the
    right software tools would need only seconds to conduct a detailed
    reconnaissance of an airline's wireless network.
    "Most of the time these [wireless systems] are tied to back-end
    systems," Foster said. Regardless of how arcane or proprietary those
    networks may be, "it's only a matter of time until somebody figures
    out how it works, how it communicates and how people authenticate," he
    said. "It would take no more than an hour to figure out how the system

    ISN is currently hosted by Attrition.org