Biz travelers beware: Airport ad-hoc hot spots could be dangerous
Public Wi-Fi hotspots in airports can be a lifesaver for many business travelers, but a new study released this week suggests that road warriors could be vulnerable to hack attacks if they aren't careful about which networks they connect to while waiting for their flight.
Jason Hiner, executive editor at CNET News.com's sister site TechRepublic, wrote a blog on Wednesday about the new study published by a company called AirTight at the Gartner Mobile and Wireless Summit in Chicago on Monday. AirTight Networks, which sells wireless-intrusion-prevention software, conducted its study in 11 U.S. airports and three airports in the Asia-Pacific region between January 30 and February 8 using standard Wi-Fi cards and packet tracing software.
The company found that hackers can gain access to information on a laptop hard drive by setting up fake ad-hoc or peer-to-peer Wi-Fi networks in airports. The SSID (service set identifier), which is used to identify nearby wireless networks, appears as an icon with two laptops connecting to each other and is often named something appealing, such as "Free Public Wi-Fi" or "Free Internet!"
When a user tries to connect to one of these supposedly free wireless networks, Windows automatically adds the SSID to the preferred networks list. The vulnerability spreads as the fake SSID is automatically broadcast to other users, who then try to connect to it. These laptops then become infected.
Once someone is infected with the bogus SSID, anyone who knows of the attack can use the connection to access shared files on the infected laptop. The open wireless connection could also allow hackers to access confidential files on a laptop.
In his blog post, Hiner said that there is no payload or tricky code involved in the attack, so it's virtually impossible to track. But because the exploit essentially creates public access to a laptop, anyone who knows the laptop is infected can also exploit the vulnerability.
AirTight, the company that conducted the study, found that 10 percent of all wireless users it scanned in the airports it surveyed were broadcasting at least one bogus SSID. In some airports the percentage was higher. At the John Wayne Airport in Orange County, California, almost 22 percent of laptops were transmitting one of the viral SSIDs. About 17 percent of laptops surveyed at Fort Lauderdale Hollywood International Airport in Fort Lauderdale, Fla., and Pittsburgh International Airport had one or more of the viral SSIDs.
For a full list of the SSIDs used in the attack, check out Hiner's blog. He suggests that the best way to make sure you don't fall victim to an attack is to never click on an ad-hoc network, which is the icon with the two laptops. Users should also stick to paid public Wi-Fi hot spots, such as the ones offered by companies like Boingo.
AirTight also recommends that people connect to their corporate VPN after accessing a public Wi-Fi hotspot and before they do any corporate work. And finally, the company also recommends that IT departments implement software, such as their own, that helps detect wireless intrusion.
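One way for an IT department to check laptops for the condition described above is to audit each machine's preferred-network list for ad-hoc entries. The following is an added example, not code from AirTight or from the article: it assumes the saved networks are available as WLAN profile XML (the format written by `netsh wlan export profile` on later Windows versions), and the sample profiles and the SSIDs "ExampleCorp" and "Example-Airport-Guest" are constructed. It also goes slightly beyond the article by flagging open infrastructure networks that are set to connect automatically.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profiles in the WLAN profile XML layout (not real exports).
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""
SAMPLES = [
    TEMPLATE.format(ssid=s, ctype=c, mode=m, auth=a, enc=e)
    for s, c, m, a, e in [
        ("Free Public WiFi", "IBSS", "manual", "open", "none"),    # ad-hoc entry
        ("ExampleCorp", "ESS", "auto", "WPA2PSK", "AES"),          # protected AP
        ("Example-Airport-Guest", "ESS", "auto", "open", "none"),  # open AP
    ]
]

def audit_profile(xml_text):
    """Return (ssid, findings) for one saved wireless profile."""
    root = ET.fromstring(xml_text)

    def field(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    findings = []
    # IBSS marks a peer-to-peer (ad-hoc) network rather than an access point.
    if field("w:connectionType") == "IBSS":
        findings.append("ad-hoc (peer-to-peer) network")
    auth = field("w:MSM/w:security/w:authEncryption/w:authentication")
    enc = field("w:MSM/w:security/w:authEncryption/w:encryption")
    if auth == "open" and enc == "none" and field("w:connectionMode") == "auto":
        findings.append("open network set to auto-connect")
    return field("w:SSIDConfig/w:SSID/w:name"), findings

def audit(profiles):
    """Map each flagged SSID to its findings; clean profiles are omitted."""
    results = (audit_profile(p) for p in profiles)
    return {ssid: found for ssid, found in results if found}

if __name__ == "__main__":
    for ssid, found in audit(SAMPLES).items():
        print(f"{ssid}: {', '.join(found)}")
```

Flagged ad-hoc entries are candidates for removal from the preferred list; the open auto-connect finding is a prompt for review rather than proof of a problem.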
Marguerite Reardon has been a CNET News reporter since 2004, covering cell phone services, broadband, citywide Wi-Fi, the Net neutrality debate, as well as the ongoing consolidation of the phone companies.



mode, and name themselves "Free Public WiFi" or somesuch.
I've seen this pretty often in the past few months.
Airports should use WEP and WPA (WPA2) on different hotspot access points with different passwords/passkeys. WEP for older laptops and WPA/WPA2 for newer ones. Then they can post signs about the hotspots and periodically change passwords. This way, airport travelers know which hotspots are legit and secure. (or rather securer...)
As for public hotspots, most of them have software which you can freely download which provides mutual authentication with the Access Point (so you know it is not fake) and encryption (so people cannot sniff your data). If the hotspot provider doesn't provide such software (which basically performs WPA) then it is really the user's responsibility to either use their VPN or choose not to use the hotspot based on the security risk.
Rick Farina
Full Disclosure: As I mentioned previously, I do work for AirTight Networks as a Senior Wireless Security Researcher.
- John Wayne Airport
- by fbnfbn March 7, 2008 9:26 AM PST
- It is worth noting that John Wayne Airport does not provide ANY public wireless access. This would cause the numbers to be skewed and show an abnormally high percentage of rogue SSIDs. With the exception of the premier lounges of some airlines, the only public access wireless Internet is provided by unauthorized outside companies. For example, one company says on their sign-up web page that you have to stand close to the windows. This is because they are using directional antennas to beam the signal across the airfield from off-airport premises.
- Windows Behavior
- by rick.farina March 7, 2008 10:34 AM PST
- Well fbnfbn I think some explanation about Windows Wireless networking behavior may help out here. You see, because the team at Microsoft is so smart, even if you are connected to an Access Point your laptop will actually continue to look for other Access Points in your preferred network. This means that even if there is not public wireless access, or if there is, your Windows XP laptop will leak information either way. I thank you for the entertaining explanation of the hotspot company with the high gain antennas, I have to say that is pretty amusing, but I suppose it proves the point that you never know where that potentially evil hacker is, they could even be off airport property hacking you at the gate!
Rick Farina
Full Disclosure: I do work for AirTight Networks, but I am a Senior Wireless Security Researcher not in the marketing department.