airtight airport wifi scan analysis

A Study Conducted by AirTight Networks

Wireless Vulnerability Assessment: Airport Scanning Report

www.airtightnetworks.net

��

� ��

��

� ��

� ��

��

� �� !��

� "��

� ��

��

��#��

>> Pittsburgh (PIT)

>> Philadelphia (PHL)

>> Myrtle Beach (MYR) >> Orange County (SNA)

>> Ottawa (YOW)

>> Portland (PDX)

>> San Jose (SJC)

>> Newark (EWR)

>> West Palm Beach (PBI)

>> Chicago (ORD)

� $��%&��'%%��"�(�)��*��+

� ��,��

'��+

� ��

� �� )-�.��/--0��0�� /--0

� �� *��1�&20(�� 1�,0,

Singapore (SIN)

Malaysia (KLIA)

Seoul (ICN)

>> San Francisco(SFO)

��

3��4�!��

1 2 3

Critical Airport systems found

vulnerable to Wi-Fithreats

Data leakage by both hotspot and

non-hotspot users

‘Viral Wi-Fi’ outbreak continues

~ 80% of the private Wi-Fi networks at Airports

are OPEN / WEP!

Only 3% of hotspot users are using VPNs to encrypt

their data! Non-hotspot users found leaking network information

Over 10% laptops found to be infected!

Evi

denc

eS

tudy

Fin

ding

s

��

��

� ��

� 225��'�6�6�� +��

� 0-5�� 7*��

� �� 8� ��8��

� ��

� 9��)5��$*��

� ��

� ��:

� "��; ��< ��

� ;$��< ��=� %-5��

� �� >��? ��:�

� �� ; ��< ��

��

��@��

But are all OPEN Wi-Fi networks Hot-Spots?

A total of 478 Wi-Fi Access Points were analyzed across all Airports!

� ��

� �� !"� �� #��"��$%&'

� (!��' �� )�� %��

��

��@��

Hot-spot providers

These don’t look like

hotspot APs!

Private Wi-Fi NetworksAccess Points (APs)

Public Wi-Fi Hotspots

Open APs

��

��"�� *��

Hotspot APs Non Hotspot APs

� ��

� ��

� ��

� ��

� ��*��

� ��

� ��AB

� ��A�

� .��C��

� ��6D��C��A��*� ��

� ��7��C�

41% 59%

� *��+

� ��"��

� ��

� ,�-��!

� (��./0 �� /��1� ��(� #��

� / 11�

� 2/�(2�/.�,�((

� ��34

� �.��

� �� 4

(1) Hotspot APs don’t hide SSID

(2) Hotspot SSIDs are well known/published and advertised

(3) Usually signal from multiple hotspot APs is visible at any coverage location

��

��E��!��

� ��8��?

� 225��'�� +�

� 0-5 ��7*��

�� F�

� B��

� *��

� B��

�� =

��

$�� 9��

� ��*�� >��

� �� !G�'��+�� FHH��6��6��H��H��6�� ;��< ��9

We discovered the “Hidden” SSID of an

AP in a mere 5 minute scan!

The “Hidden” WEP-encrypted Access Point was communicating with a “Symbol” card typically used in handheld devices that are likely used in baggage management at SFO. The baggage management system at SFO airport may easily be compromised!

The “Hidden” WEP-encrypted Access Point was communicating with a “Symbol” card typically used in handheld devices that are likely used in baggage management at SFO. The baggage management system at SFO airport may easily be compromised!

Prevalent Myth – Hiding SSID is more secure

than encryption

All APs are Open/WEP!

��

"��

OPEN WEP WPA WPA2

57% 28% 10% 5%

Clients( 585 in number)

15% 7% 1%

6%

59%HTTP

38%HTTPS

3%

VPN

� 59% hotspot users are using plain text protocols such as HTTP� Only 3% are using VPN connectivity to secure their data!

� 59% hotspot users are using plain text protocols such as HTTP� Only 3% are using VPN connectivity to secure their data!

Hotspot Non - Hotspot

71%

��

G��D��? B��"��

(1) User is visiting www.marketwatch.com

(2) He is looking at the Nasdaq Composite Index (symb=comp)

(3) We have his cookie! So we can impersonate him

Clients sending data without any encryption using HTTP are in serious danger of having their activities spied on and accounts

hijacked in some cases

Clients sending data without any encryption using HTTP are in serious danger of having their activities spied on and accounts

hijacked in some cases

��

G��D��? B��"��

� "��> ��

� �� '��8��+�

� C��

� 9��

� C��

� �� ;C��< H�;��D��<��

��

;C��< ��

'%+�D�� !G��'��+6

'/+��*��!G�6�� '�6�6�3��8�C��+

� �� :

� �� 8� ��

� �� :

')+�D��>��6��

1��

�� '&+�� >��6��

��

��

10% of all mobile users were advertising viral Wi-Fi networks!

% of total Clients infected by one or more viral SSIDs at various Airports

��

��$��I

• US Airways Free Wi-Fi• Free Public Wi-Fi• Free Internet!

� $��C�� !G�

� ��!G�� ;��<!��

� �� ?��@77:::

��

C��!��=

� 9��"��8��$��!G�'<��*� ��<+��"��>��

Infected Laptop

Free Public Wi-Fi User Infected!

��

C�� =

� 9��8�� ;��*� ��< ��!G��

� ��

� ��$��!G� �� :

Infected

InfectedInfected

Infected

Infected

Infected

Infected

��

��$�� I

� 9��$��!G��=

� ��>�� $��!G��

� ��

Infected

Infected

Infected

Infected

Infected

Infected

Infected

��

��? ��

� �� ?

� ��

� "��*��

� *��!��

��

��? ��C��"��

� G��"��'��F�;��*� ��<+��

� B��

�*��

�@�� ;��< ��

� G��'�6�6�� +��

� B�� "��$*��

� ��9��:�

airtight airport wifi scan analysis

Documents