http://www.computerworld.com/cwi/story/0,1199,NAV47_STO67344,00.html

By BOB BREWIN, DAN VERTON AND JENNIFER DISABATINO
January 14, 2002

As the airline industry scrambles to meet a Jan. 18 deadline to screen every checked bag for explosives, security experts, analysts and government officials are raising serious concerns about the security of wireless technology that's integral to the effort.

At issue is the adoption by airlines of industry-standard 802.11b, or WiFi, wireless LANs operating in the 2.4-GHz band. These systems, which are widely viewed as inherently insecure, are being used to support such applications as bag matching and curbside and roving-agent check-in.

The concerns appear to be justified, based on two investigations that were conducted last week by professional security firms that analyzed airline wireless LAN systems at Denver International Airport and San Jose International Airport.

The analysis in Denver was conducted Jan. 9 by White Hat Technologies Inc., a Westminster, Colo.-based security firm. It revealed that American Airlines Inc. operated wireless LANs totally in the clear without any encryption in its portion of the DIA terminal.

The vulnerability of the American Airlines wireless LAN networks was highlighted by the fact that the security specialists witnessed an intrusion while conducting their monitoring.

According to a report furnished to Computerworld, security of the wireless LANs supporting Fort Worth, Texas-based American's curbside check-in stands was further compromised by the fact that the IP address of the curbside terminal was prominently pasted on the monitor.

Except for an administrative network operated by the Denver International Airport authority itself, none of the networks monitored by the security specialists had turned on even the simplest form of encryption: the 40-bit Wired Equivalent Privacy encryption algorithm.

Thubten Comerford, CEO of White Hat Technologies, said airlines that operate unprotected 802.11b wireless networks "are putting themselves and our nation's security at risk." Even when encryption is enabled, wireless LANs "are a serious liability," Comerford added.

A scan of wireless networks at San Jose International Airport on Jan. 10 produced similar results. Jonas Luster, co-founder of D-fensive Networks Inc. in Campbell, Calif., which conducted the analysis in San Jose, said the wireless LANs there had few safeguards against intruders.

Luster said he was easily able to pick up signals and sensitive network information emanating from the wireless LANs belonging to American Airlines and Dallas-based Southwest Airlines Co.

American's curbside check-in operations could be monitored, Luster said, and Southwest's networks were issuing information from back-end systems, including at least three Unix servers running the Solaris operating system.

RIP Weakness

"In a matter of minutes, you could sniff out whatever you wanted," said Luster, who added that the routing infrastructure at both airlines was open to exploitation. Routing Information Protocol (RIP), a high-level language that transmits routing updates at regular intervals, can be modified easily to assist a hacker, said Luster.

"By injecting a wrong RIP response, I could declare myself a legitimate, authoritative, powerful node on the network," said Luster.

Although American acknowledged the vulnerability of the 802.11b standard, it downplayed the seriousness of the situation.

"This particular issue is a very temporary one and a very noncompromising one," said American CIO Monte Ford.

American is already on track to roll out a proprietary security system to replace 802.11b well before an industry-standard improvement is adopted, Ford said. And he added that even if a hacker was able to locate passwords, he would still be unable to access applications and databases.

"A password is not a free ticket to our network, by any stretch of the imagination," he said. "They can just see points on the network. They can't get into applications."

Ford said American doesn't plan to use positive bag matching to meet the Jan. 18 deadline Congress has set for the airlines to implement some means of screening all checked baggage. It does plan to start using a bag-matching system later this year, Ford added.

American Airlines' visibility is at least partly attributable to the fact that it has been ahead of the curve in wireless LAN deployment. Delta Air Lines Inc., United Air Lines Inc. and Southwest Airlines all declined to comment for this story, citing security concerns. Northwest Airlines Inc. and Continental Airlines Inc. didn't return calls seeking comment by deadline. In any case, there appears to be no coordinated effort among the airlines to address wireless security issues.

For its part, American currently uses its wireless LANs only for curbside check-in and roving agents, and Ford said that even if intruders penetrated the network, they could do little damage. That's because American's core systems are hosted by Fort Worth, Texas-based Sabre Inc. on an IBM transaction processing facility (TPF) system that's generally viewed as extremely difficult to hack because of the rigid and arcane structure of TPF.

"It's not possible that you could get into the kinds of things that could do damage," said Richard Eastman, an airline industry consultant at Newport Beach, Calif.-based The Eastman Group.

The TPF-based reservation system is a deep matrix, with passwords embedded in each level, explained Michael Anderson, director of airport systems at Sabre.

But that doesn't satisfy Joe Weiss, vice president of the network applications division at Annapolis, Md.-based Aeronautical Radio Inc. (Arinc), a communications services provider owned by a consortium of airlines.

Weiss said he's concerned that a hacker could use an unprotected wireless LAN to hop into core airline operational systems. These systems include flight operations, bag matching and passenger reservations. Flight operations systems manage such vital functions as refueling, maintenance and flight dispatch, Weiss said.

Weiss expressed concern that access to a bag-matching system could allow an attacker to manipulate the system to show that luggage belonged to a boarded passenger when in fact it did not.

This concern is one reason Arinc plans to abandon the 802.11b-based bag-matching system it operates as a shared resource system for all carriers with international flights at San Francisco International Airport.

Arinc said it will switch to a private wireless system operating in the 800-MHz band. That system will be based on Integrated Digital Enhanced Network (IDEN) voice and data terminals developed by Schaumburg, Ill.-based Motorola Inc.

IDEN provides more robust security than wireless LANs, Weiss said, including software keys for each terminal. Arinc plans to encrypt the network traffic as well.

Presidential Concerns

The security weakness of wireless LANs used throughout the nation's critical industries, including airlines, hasn't gone unnoticed at high levels of the Bush administration.

A senior White House official said wireless security initiatives are at the top of the 2002 agenda for the president's newly established Critical Infrastructure Protection Board. At least one white paper is in development that will examine wireless LANs and the interconnections between wireless devices and critical infrastructure systems, such as Federal Aviation Administration networks.

The U.S. Department of Transportation (DOT) and two of its key agencies—the FAA and the newly formed Transportation Security Agency (TSA)—plan to take a critical look at wireless LAN security over the next year.

Mike Brown, director of information security at the FAA, said that in this new security-conscious era, airline wireless systems are subject to increased scrutiny.

The DOT has formed a "go team," led by Associate CIO Lisa Schlosser, that will examine existing airline wireless systems, including LANs. In partnership with the FAA, the TSA and private industry, it will develop security standards and define a general wireless architecture, Brown said.

Though American Airlines downplayed the vulnerability of its wireless networks in San Jose and Denver, some security analysts viewed the potential threat as significant and symptomatic of the airline industry's failure to properly address network security.

James Foster, a senior consultant and researcher at Guardent Inc., a security firm in Waltham, Mass., has conducted several wireless security audits during the past year that have uncovered significant vulnerabilities in and around major airport facilities, including John F. Kennedy International Airport in New York and Boston's Logan International Airport.

"Possible baggage system vulnerabilities do not surprise me," said Foster. "This is a serious problem that puts lives and the U.S. infrastructure at risk."

Although he wouldn't provide details about specific airlines, Foster's wireless security audits have shown that a skilled hacker with the right software tools would need only seconds to conduct a detailed reconnaissance of an airline's wireless network.

"Most of the time these [wireless systems] are tied to back-end systems," Foster said. Regardless of how arcane or proprietary those networks may be, "it's only a matter of time until somebody figures out how it works, how it communicates and how people authenticate," he said. "It would take no more than an hour to figure out how the system worked."

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'