http://www.computerworld.com/cwi/story/0,1199,NAV47_STO67344,00.html
By BOB BREWIN, DAN VERTON AND JENNIFER DISABATINO
January 14, 2002
As the airline industry scrambles to meet a Jan. 18 deadline to screen
every checked bag for explosives, security experts, analysts and
government officials are raising serious concerns about the security
of wireless technology that's integral to the effort.
At issue is the adoption by airlines of industry-standard 802.11b, or
WiFi, wireless LANs operating in the 2.4-GHz band. These systems,
which are widely viewed as inherently insecure, are being used to
support such applications as bag matching and curbside and
roving-agent check-in.
The concerns appear to be justified, based on two investigations that
were conducted last week by professional security firms that analyzed
airline wireless LAN systems at Denver International Airport and San
Jose International Airport.
The analysis in Denver was conducted Jan. 9 by White Hat Technologies
Inc., a Westminster, Colo.-based security firm. It revealed that
American Airlines Inc. operated wireless LANs totally in the clear
without any encryption in its portion of the DIA terminal.
The vulnerability of the American Airlines wireless LAN networks was
highlighted by the fact that the security specialists witnessed an
intrusion while conducting their monitoring. According to a report
furnished to Computerworld, security of the wireless LANs supporting
Fort Worth, Texas-based American's curbside check-in stands was
further compromised by the fact that the IP address of the curbside
terminal was prominently pasted on the monitor.
Except for an administrative network operated by the Denver
International Airport authority itself, none of the networks monitored
by the security specialists had turned on even the simplest form of
encryption: the 40-bit Wired Equivalent Privacy encryption algorithm.
Thubten Comerford, CEO of White Hat Technologies, said airlines that
operate unprotected 802.11b wireless networks "are putting themselves
and our nation's security at risk." Even when encryption is enabled,
wireless LANs "are a serious liability," Comerford added.
A scan of wireless networks at San Jose International Airport on Jan.
10 produced similar results. Jonas Luster, co-founder of D-fensive
Networks Inc. in Campbell, Calif., which conducted the analysis in San
Jose, said the wireless LANs there had few safeguards against
intruders.
Luster said he was easily able to pick up signals and sensitive
network information emanating from the wireless LANs belonging to
American Airlines and Dallas-based Southwest Airlines Co. American's
curbside check-in operations could be monitored, Luster said, and
Southwest's networks were issuing information from back-end systems,
including at least three Unix servers running the Solaris operating
system.
RIP Weakness
"In a matter of minutes, you could sniff out whatever you wanted,"
said Luster, who added that the routing infrastructure at both
airlines was open to exploitation. Routing Information Protocol (RIP),
a high-level language that transmits routing updates at regular
intervals, can be modified easily to assist a hacker, said Luster. "By
injecting a wrong RIP response, I could declare myself a legitimate,
authoritative, powerful node on the network," said Luster.
Although American acknowledged the vulnerability of the 802.11b
standard, it downplayed the seriousness of the situation.
"This particular issue is a very temporary one and a very
noncompromising one," said American CIO Monte Ford. American is
already on track to roll out a proprietary security system to replace
802.11b well before an industry-standard improvement is adopted, Ford
said. And he added that even if a hacker was able to locate passwords,
he would still be unable to access applications and databases. "A
password is not a free ticket to our network, by any stretch of the
imagination," he said. "They can just see points on the network. They
can't get into applications."
Ford said American doesn't plan to use positive bag matching to meet
the Jan. 18 deadline Congress has set for the airlines to implement
some means of screening all checked baggage. It does plan to start
using a bag-matching system later this year, Ford added.
American Airlines' visibility is at least partly attributable to the
fact that it has been ahead of the curve in wireless LAN deployment.
Delta Air Lines Inc., United Air Lines Inc. and Southwest Airlines all
declined to comment for this story, citing security concerns.
Northwest Airlines Inc. and Continental Airlines Inc. didn't return
calls seeking comment by deadline. In any case, there appears to be no
coordinated effort among the airlines to address wireless security
issues.
For its part, American currently uses its wireless LANs only for
curbside check-in and roving agents, and Ford said that even if
intruders penetrated the network, they could do little damage. That's
because American's core systems are hosted by Fort Worth, Texas-based
Sabre Inc. on an IBM transaction processing facility (TPF) system
that's generally viewed as extremely difficult to hack because of the
rigid and arcane structure of TPF.
"It's not possible that you could get into the kinds of things that
could do damage," said Richard Eastman, an airline industry consultant
at Newport Beach, Calif.-based The Eastman Group.
The TPF-based reservation system is a deep matrix, with passwords
embedded in each level, explained Michael Anderson, director of
airport systems at Sabre.
But that doesn't satisfy Joe Weiss, vice president of the network
applications division at Annapolis, Md.-based Aeronautical Radio Inc.
(Arinc), a communications services provider owned by a consortium of
airlines. Weiss said he's concerned that a hacker could use an
unprotected wireless LAN to hop into core airline operational systems.
These systems include flight operations, bag matching and passenger
reservations. Flight operations systems manage such vital functions as
refueling, maintenance and flight dispatch, Weiss said.
Weiss expressed concern that access to a bag-matching system could
allow an attacker to manipulate the system to show that luggage
belonged to a boarded passenger when in fact it did not. This concern
is one reason Arinc plans to abandon the 802.11b-based bag-matching
system it operates as a shared resource system for all carriers with
international flights at San Francisco International Airport. Arinc
said it will switch to a private wireless system operating in the
800-MHz band. That system will be based on Integrated Digital Enhanced
Network (IDEN) voice and data terminals developed by Schaumburg,
Ill.-based Motorola Inc.
IDEN provides more robust security than wireless LANs, Weiss said,
including software keys for each terminal. Arinc plans to encrypt the
network traffic as well.
Presidential Concerns
The security weakness of wireless LANs used throughout the nation's
critical industries, including airlines, hasn't gone unnoticed at high
levels of the Bush administration. A senior White House official said
wireless security initiatives are at the top of the 2002 agenda for
the president's newly established Critical Infrastructure Protection
Board. At least one white paper is in development that will examine
wireless LANs and the interconnections between wireless devices and
critical infrastructure systems, such as Federal Aviation
Administration networks.
The U.S. Department of Transportation (DOT) and two of its key
agencies—the FAA and the newly formed Transportation Security Agency
(TSA)—plan to take a critical look at wireless LAN security over the
next year. Mike Brown, director of information security at the FAA,
said that in this new security-conscious era, airline wireless systems
are subject to increased scrutiny.
The DOT has formed a "go team," led by Associate CIO Lisa Schlosser,
that will examine existing airline wireless systems, including LANs.
In partnership with the FAA, the TSA and private industry, it will
develop security standards and define a general wireless architecture,
Brown said.
Though American Airlines downplayed the vulnerability of its wireless
networks in San Jose and Denver, some security analysts viewed the
potential threat as significant and symptomatic of the airline
industry's failure to properly address network security.
James Foster, a senior consultant and researcher at Guardent Inc., a
security firm in Waltham, Mass., has conducted several wireless
security audits during the past year that have uncovered significant
vulnerabilities in and around major airport facilities, including John
F. Kennedy International Airport in New York and Boston's Logan
International Airport.
"Possible baggage system vulnerabilities do not surprise me," said
Foster. "This is a serious problem that puts lives and the U.S.
infrastructure at risk."
Although he wouldn't provide details about specific airlines, Foster's
wireless security audits have shown that a skilled hacker with the
right software tools would need only seconds to conduct a detailed
reconnaissance of an airline's wireless network.
"Most of the time these [wireless systems] are tied to back-end
systems," Foster said. Regardless of how arcane or proprietary those
networks may be, "it's only a matter of time until somebody figures
out how it works, how it communicates and how people authenticate," he
said. "It would take no more than an hour to figure out how the system
worked."
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
--- end forwarded text
--
-----------------
R. A. Hettinga