Slashdot Mirror
Airports As Secure As 802.11b
INO_Fiend writes: "SF Gate is running a story about how at both Denver and San Jose Int'l American Airlines has been using unencrypted wireless to connect the curb check-in with the rest of their networks. They tested this by grabbing a laptop and hanging around the airport. I guess I might finally have something to do with a laptop and a WiFi card the next time I fly..."
It's not wireless, but the Las Vegas airport has these open Ethernet ports in the floor. You can walk up to them, plug in an Ethernet cable, and start prowling around the network (sniffing, going out to the Internet, etc.).
I accidently connected to an AA wireless network in Dallas. This was way before 9/11. At first I thought it was a freebie for exec flyers, once i realized it was their business network i disconnected.
they had a dhcp server that assigned ip/dns to anyone that connected.
didn't even think about it again until i read this article.
Does this mean that you are breaking the law when you happen to overhear a conversation between two business men about an ipo and use this information to your advantage in the stock market? If people choose not to implement anykind of encryption or other security measures, albeit there aren't many available as of yet for this particular application, its similar to leaving the front door of your house wide open when you go to work. Surely if you are robbed, and the person responsible is caught, you'll at least get a funny look from the judge. Furthermore, if someone looks in your front door, are they breaking the law because they now know how your living room is decorated? Really....Fences only keep honest people honest...
-\|/-\|/- If its not 1200 baud, its crap....
This is cock and bull.
First we are talking about a network related to airport security. If you argue with the Flight Crew you can be arrested by the FAA... this is pre-sept 11th.
The open door thing? We aren't testing products or networks transmitting misc traffic. If you leave your door open you're stupid, but coming inside is still illegal. If somoene looks into your front door... that is legal. Cops can do this to provide a weak search.
Being that the reporters haven't been arrested, we know that it's ok to walk into the 'port and see if you can get on the network. But! when you start using that network to browse the web, or shift data to make it look like you are boarding the plane with your bomb....
I mean, if you are going to use someone else's argument... know what it is. The argument you are trying to use is about port scanning and the like, not abusing the private network of an airline. Last time I checked that was 100% illegal.
If I dial into Microsoft that's ok. If I connect and download the source to XP... thats' not. Even if I just want to use them as an ISP, it's illegal.
Just because you left the door open doesn't mean you invited the neighborhood in.
Get your Unix fortune now!
Sorry, I am posting anonymous.
The airline that I worked at (until just after 9/11) had a similar setup. An average sized hub airport probably has roughly 1700 things with an IP address. To help out, I used a machine with arpwatch to help keep track of what was running and to monitor changes. About 5-15 times a week, I saw non airport workstation names and mac addresses of nic's that we did not have. Luckily we did not have anything with a DHCP server running or everyone of these computers would have fit right in. We had coverage at every ticketing area and every gate, not hard to get a good signal.
My purpose is not network security, only an installer and maintainer of the network and systems, so I made note of our insecure wireless network to our networking group and got nothing back. When I had left about a year after bringing this up, nothing had changed. With so many levels of IT support and groups of people protecting their specialized interests at the company, it was nearly impossible to find someone that could step back and look at more then what they were currently responsible for. I guess we needed a "wireless network security" position before anyone would care to address this.
I don't know what you would do once on the network. Sure you could sniff around but I doubt you would get anything useful from the scheduling and ticketing part of the traffic.
It is a big firm in Europa. AFAIK we do not use the above mentionend standard but we use another standard for baggage check in and baggage follow up. The system is so complex that even *us* the programmer have sometimes difficulty with it. The hic is the following : would it be worth for a terrorist to learn the system when they can get it easier to fake the control band of the baggage with the so called "bag tag" (simple paper a serial number and a code bar) or have an insider in the baggage loading worker team. On the other hand 6 monthes ago I would have said "terrorist learning to fly a plane to pill it into a building ? Unprobable. They could do things in a far easier way than such a long term plan.". So maybe we have to starts worry...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Drexel University does a great job of securing their otherwise unencrypted wireless traffic with a VPN.
Intelligent Life on Earth
denver has a wireless network setup throughout the airport. there's no password to get on the network, however if you try to browse the web, etc. you'll run into their proxy which will prompt for a username and password.
it's quite easy to guess their user and pass combo, just think about what they used when they had to "test" the network.
I am continually amazed by how backward the USA is sometimes. Here in the UK we have had this system for as long as anyone can remember. That is why then you check-in at Heathrow they ask all those tedious questions about if you have been given anything to carry and if anyone could have messed with your luggage. If you don't turn up at the gate, they literaly search through the hold and take your bags off. This of course can take ages!
Some years ago a terrorist made friends with a presumably not terribly bright girl and persuaded her to carry a bag on an El Al flight for him. Fortunately, a security guard thought the bag looked suspiciously heavy and found the bomb in it.
While the network may have been viewable is there really a practical application to this?
All baggage checked at curbside is simply registered witht eh flight recorder saying that this bag is here, this is how much it wieghs. The only possible thing I could think of doing with access to the wireless net is removing a bag from the list, but what does that do?
Since all bags are also scanned (espesialy since 9/11) after they've been checked, it seems to me that hacking the curbside checkin is completely useless. In order to be effective, a terrorist would have to physicaly have and item on the plane. And that would be possible regardless of whether it was done curbside or at the counter. Personaly I don't see a big issue here, but they should be using at least the basic encryption (I know the airport software as basic encryption, I would assume the oher stuff does)
-Tevis
T Money
World Domination with a plastic spoon since 1984
There is extensive coverage in Computerworld, here.
While staying at the Sheraton for the Open Source Convention/Perl Conference last year, I tried getting on to the local wireless network provided. Great during the sessions. The only problem was our room was at the far end of the hotel by the airport. Couldn't get a peep from the conference network out there, but I got an IP and DNS from the airport, and a great connection at that.