Is airport public Wi-Fi cyber-secure?12 November 2018
Earlier this year, cybersecurity experts Coronet published a report ranking the US airports where passengers are most likely to be hacked if they sign in via a public Wi-Fi network. But just how risky is it to connect to public Wi-Fi in an airport? Elliot Gardner finds out more.
Wi-Fi availability has become a precious modern commodity and one that the general public have come to expect as a norm everywhere that they find themselves, from restaurants and bars, to busy city streets and of course to transport facilities. But what many may not be aware of is the inherent dangers associated with connecting to an unknown Wi-Fi network.
Cybersecurity is increasingly being identified as a potential danger to airport infrastructure and the welfare of staff, travellers and visitors. Considering the emphasis placed on rigorous physical security procedures in today’s airports, it can come as a shock how unprepared many high-profile airports actually are when it comes to the cyber protection of their own systems and the devices of passengers. Malicious use of unsecured Wi-Fi networks is yet another area where airports may be letting their guard down.
Ranking airport Wi-Fi cybersecurity
A 2018 report published by security experts Coronet ranked the 45 busiest airports in the US in which passengers were most likely to be subject to a cyberattack, with San Diego International Airport coming in at the top of the list. And these risks weren’t minor.
At San Diego alone, Coronet identified a 30% chance of a passenger connecting to a medium-risk network while in the airport and an 11% probability of connecting to a high-risk network. In fact, while the company was conducting its analysis, an ‘evil twin’ Wi-Fi access point called ‘#SANfreewifi’ was operational within the airport.
“To identify the airports with the greatest cyber risk, Coronet collected data from more than 250,000 consumer and corporate endpoints that travelled through America’s 45 busiest airports over the course of five months,” explains Coronet co-founder and CISO Dror Liwer.
“Coronet then analysed the data consisting of both device vulnerabilities and Wi-Fi network risks, which was captured from the company’s threat protection applications. Following the completed analysis, the data was combined and standardized to compile an Airport Threat Score. The greater the vulnerability for devices and networks, the higher the score assigned. Based on the analysis, Coronet classifies any score above 6.5 as unacceptable exposure.”
The company identified seven US airports with a threat index score of 6.5 or over, with San Diego scoring 10.0, the maximum available. But only ten of the 45 airports scored lower than 5.4, meaning the vast majority of public Wi-Fi systems at airports posed a notable risk to passengers’ devices.
An inconvenient convenience
While public Wi-Fi is extremely convenient, especially for business passengers and those who cannot afford to be out of touch with the outside world, connecting to an unknown network provides a very easy entry point for those looking for vulnerable devices to compromise.
“The trouble with Wi-Fi is that current Wi-Fi security was designed by engineers and not cryptographers, and I’m afraid they’re badly flawed,” says PA Consulting digital trust and cyber resilience expert David Alexander. “There are publicly available attack tools for any of the techniques used at the moment to secure Wi-Fi. Quite frankly, anything that’s available at the moment can be broken.”
While there is nothing inherent about airport networks that specifically renders them susceptible to attacks, airports themselves have been identified by many assailants as ideal locations to carry out an attack. They are unique environments where you’ll find a great deal of Wi-Fi-hungry individuals connecting to any network they can get their hands on, including businesspeople with potentially sensitive intelligence on their devices, and a place where a great deal of people will naturally be idling around on laptops, tablets and smartphones, making any suspicious activity much easier to hide.
“There are lots of unknown people sitting around the airport – by definition, people pass through all the time. And people can be there for hours if they’re waiting for a check-in or a flight connection. So with someone sitting in an airport cafe somewhere with a cup of tea and their laptop open, how do you know what they’re looking at? Are they actually running a rogue access point in the background capturing people’s details? It would be easy to do and no one would know,” says Alexander.
And according to Liwer, an attacker doesn’t even necessarily need to be anywhere near an actual airport terminal to carry out a Wi-Fi-driven attack. Thanks to the availability of legally purchasable devices and software, fraudulent captive portal or evil twin attacks can easily be set up to entice the public to sign up their details, or trick their devices to believe the connection has previously been validated.
The complicated set-up in most airports adds to the confusion. Often, airport lounges will have their own private Wi-Fi networks for premium passengers. High-profile restaurants, cafes and bars might want to do the same. Any business in the public service industry wants to keep customers happy, but adding extra variables into the airport setting can provide additional vulnerability avenues for attack.
“Existing Wi-Fi security simply isn’t good enough,” says Alexander. “Someone who’s got the knowledge can gain access fairly quickly, probably within an hour at most. If the airport security isn’t up to date, they might be able to do it in 15-20 minutes, maybe less if they get lucky.”
Compromised business traveller devices
Six out of ten small companies go out of business within six months of a cybersecurity breach, and given the amount of air travel arranged to facilitate day-to-day business, this inevitably means sensitive business information is going to be at risk. By merely accessing a network compromised by a malicious actor, data can be entirely compromised.
“People could capture log-in credentials, banking details; if you’re a businessperson they could look at capturing business intelligence. They can read your traffic if you’re not using an encrypted virtual private network to your office systems. Even simple information is useful to them. If you’re high-profile and a frequent traveller, they can see where you’re heading off next,” explains Alexander.
“It could be a rogue access point with a man in the middle attack – your traffic ends up at the intended destination but via a system controlled by the attacker. They might even inject some kind of malware or spyware onto your device. There was a recent attack where Starbucks customers had their devices recruited to mine cryptocurrency.”
It’s not just businesspeople with high-profile data at stake; anyone can have their details stolen. Unsecured airport Wi-Fi even poses a risk to government personnel. Alexander speaks specifically of certain nation states that are known to use methods similar to compromised Wi-Fi networks to monitor specific persons of interest.
In terms of how to protect devices from these kinds of attacks, both Liwer and Alexander offer the same advice to passengers: ensure the operating system on all devices using a Wi-Fi network are up-to-date and patched. The same goes for any browsers and apps; keeping a device up-to-date prevents 80% of attacks.
While some airports are better prepared and configured than others, with several having fleshed out cybersecurity processes built into their security centre operations, the innate vulnerabilities of public Wi-Fi means airports themselves – if they offer such a service – are always going to be opening up their passengers to potential risks. It appears that until more secure Wi-Fi systems come into effect, members of the public will have to very quickly become cyber-savvy enough to protect their own devices.