Slashdot Mirror
Airports As Secure As 802.11b
INO_Fiend writes: "SF Gate is running a story about how at both Denver and San Jose Int'l American Airlines has been using unencrypted wireless to connect the curb check-in with the rest of their networks. They tested this by grabbing a laptop and hanging around the airport. I guess I might finally have something to do with a laptop and a WiFi card the next time I fly..."
Changi International airport in Singapore has free access to the Internet over 802.11b in large parts of the airport. They also have modules with a bunch of power sockets and RJ45 jacks in the center of numerous desks in case you're low on power or limited to wired Ethernet.
Changi International rules in general, actually.
I guess I might finally have something to do with a laptop and a WiFi card the next time I fly...
I'm sure you are breaking a large number of laws. If not, I'm sure some bills will be sponsored in your name!
Please kids, don't try this. Messing with aircraft [anything] is a big no-no. Someone was on local TV once complaining about the airport noise level. This hillbilly said that he would shoot at a plane if the didn't stop going over his house. Stupid, stupid man. He was arrested and even served 3 days.
Reminds me of this Gallagher joke: Why don't they just give the homes by the airport to deaf people?
Get your Unix fortune now!
It's not wireless, but the Las Vegas airport has these open Ethernet ports in the floor. You can walk up to them, plug in an Ethernet cable, and start prowling around the network (sniffing, going out to the Internet, etc.).
Actually, my sister is in that line of work. When you call it unskilled labour, she gets very aloof and explains that, since the job requires training, that it is not unskilled. Then I must inform her that training is given at McDonald's to flip burgers. Anyway, her pay is now $24/hour after working there yor 2 months.
They seem to think paying people a higher wage will cause spontaneous generation of competence...
I accidently connected to an AA wireless network in Dallas. This was way before 9/11. At first I thought it was a freebie for exec flyers, once i realized it was their business network i disconnected.
they had a dhcp server that assigned ip/dns to anyone that connected.
didn't even think about it again until i read this article.
Apple's implementation of 802.11b is called "Airport". So I wasn't too surprised to read that Airport is as secure as 802.11b
Check this out: you can't even think of bringing a pair of nail-clippers on an airplane, but that little guy who vacuums the plane between flights isn't even checked for knives, guns, explosive shoes...
Yeah, right.
Well, exactly.
Not only is it in bad taste, but it's illegal. You can see if the network will let you on, but anything you do after that is illegal. Even if you are putting a "readme_about_major_security_issues.txt" on their 'desktop'.
Anyone *can* joke about it, but it seems that it isn't a good idea. I'm sure suggesting that you are going to do such a thing would put a red flag in your file. Don't say you don't have a file... this is slashdot, where conspiracy theories fly.
Get your Unix fortune now!
Sorry, I am posting anonymous.
The airline that I worked at (until just after 9/11) had a similar setup. An average sized hub airport probably has roughly 1700 things with an IP address. To help out, I used a machine with arpwatch to help keep track of what was running and to monitor changes. About 5-15 times a week, I saw non airport workstation names and mac addresses of nic's that we did not have. Luckily we did not have anything with a DHCP server running or everyone of these computers would have fit right in. We had coverage at every ticketing area and every gate, not hard to get a good signal.
My purpose is not network security, only an installer and maintainer of the network and systems, so I made note of our insecure wireless network to our networking group and got nothing back. When I had left about a year after bringing this up, nothing had changed. With so many levels of IT support and groups of people protecting their specialized interests at the company, it was nearly impossible to find someone that could step back and look at more then what they were currently responsible for. I guess we needed a "wireless network security" position before anyone would care to address this.
I don't know what you would do once on the network. Sure you could sniff around but I doubt you would get anything useful from the scheduling and ticketing part of the traffic.
Just because it is insecure at the wireless level, doesn't mean its insecure at the check-in level.
After all, if they have a firewall, and the wireless is on the public side of the firewall, then it should be pretty secure- the check in desks would have to use tunnelling to connect, but that can be arbitrarily well encrypted.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"It is a big firm in Europa. AFAIK we do not use the above mentionend standard but we use another standard for baggage check in and baggage follow up. The system is so complex that even *us* the programmer have sometimes difficulty with it. The hic is the following : would it be worth for a terrorist to learn the system when they can get it easier to fake the control band of the baggage with the so called "bag tag" (simple paper a serial number and a code bar) or have an insider in the baggage loading worker team. On the other hand 6 monthes ago I would have said "terrorist learning to fly a plane to pill it into a building ? Unprobable. They could do things in a far easier way than such a long term plan.". So maybe we have to starts worry...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I thought that was one of the things that the new regulations after 9/11 got rid of.
Either way, I'm sure those systems have additional encryption a few layers up. No sane persion trusts WEP. Even if the net isn't encrypted at the wireless level, it only matters (and is better) if it's encrypted a few layers up. (IPSec, SSL, or the like.)
retrorocket.o not found, launch anyway?
How come that it is always what they say when you prove that you can break in...? You actually have to do some real damage for these people to wake up, and obviously, you can't.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
my name address and phone number are flying through the air for anyone to pluck out
You mean like this ?
Oh, and don't forget, you've attached that information to the outside of your luggage, so that any disgruntled baggage handler with a score to settle because he dropped your 80 pound suitcase on his toe can come find you and settle the score.
Face it, your name, address, and phone number are in the public domain now. Nothing you can do will stop it.
Drexel University does a great job of securing their otherwise unencrypted wireless traffic with a VPN.
Intelligent Life on Earth
Who cares if putting a readme_about_major_security_issues.txt on their desktop is illegal? It could save lives.
denver has a wireless network setup throughout the airport. there's no password to get on the network, however if you try to browse the web, etc. you'll run into their proxy which will prompt for a username and password.
it's quite easy to guess their user and pass combo, just think about what they used when they had to "test" the network.
In the US, at least,NOW is not the time to be screwing around at airports with ANYTHIN, never mind ANYTHING you do Illegally at an airport CAN be considered a FEDERAL offense.
Im as much of a guy that would throw an 802.1b card on my laptop and scan with it as the next slashdot geek, BUT there is a time and a place for all thing. The Airports and airlines should be notified, if they dont rectify it then take the next step, we got maniac bastards with shoe bombs trying to drop this stuff out of the air, YOU might not see anything of use, but not many Slashdotters are terrorists. They may, It needs to be secured, I fly and more importantly my FAMILY flies.
There is a time and a place for fun and screwing around with stuff. An Airport isnt the place and this isnt the time, Would you wack a beehive in a closed room for the fun of it ?.
Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, thow em up on federal charges and let shit lands where it may.
I KNOW its insecure an it need to be fixed, be fucking responsible for once in you life and do something responsible with that info, like find the person in charge and let them know, give them resources they obviously dont have to get it fixed. Your a Geek heres you chance to do something that actually might matter.
Next time you mom, or dad, or brother flies think, he I hope theres a bunch or dipshits sitting around the airprt sniffing stuff they have no business, GOD know the potential hazzard that exists here for bridging networks to something OTHER than Curb Check in.
Sig went tro...aahemmm.....fishing........
I am continually amazed by how backward the USA is sometimes. Here in the UK we have had this system for as long as anyone can remember. That is why then you check-in at Heathrow they ask all those tedious questions about if you have been given anything to carry and if anyone could have messed with your luggage. If you don't turn up at the gate, they literaly search through the hold and take your bags off. This of course can take ages!
Some years ago a terrorist made friends with a presumably not terribly bright girl and persuaded her to carry a bag on an El Al flight for him. Fortunately, a security guard thought the bag looked suspiciously heavy and found the bomb in it.
...a cracker with the know-how could theoretically check their own luggage.
That's nice.
While the network may have been viewable is there really a practical application to this?
All baggage checked at curbside is simply registered witht eh flight recorder saying that this bag is here, this is how much it wieghs. The only possible thing I could think of doing with access to the wireless net is removing a bag from the list, but what does that do?
Since all bags are also scanned (espesialy since 9/11) after they've been checked, it seems to me that hacking the curbside checkin is completely useless. In order to be effective, a terrorist would have to physicaly have and item on the plane. And that would be possible regardless of whether it was done curbside or at the counter. Personaly I don't see a big issue here, but they should be using at least the basic encryption (I know the airport software as basic encryption, I would assume the oher stuff does)
-Tevis
T Money
World Domination with a plastic spoon since 1984
You and your sister don't get along well do you?
---If you can't trust a nerd, who can you trust?
More likely to lose lives. Basically it's a bad idea to even get too interested in what security they do or do not have. The network could be wide open or it could be carefully snooped. If the security is any good, they have people watching for people and things being where they shouldn't be or doing what they shouldn't be doing.
There is extensive coverage in Computerworld, here.
Actually, no, there isn't a "large background check" for ground ops, especially not the cleaners or caterers who go through a myriad subcontracting layers. Even firms providing baggage screening personnel - I can't bring myself to call them security professionals - have been repeatedly found guilty of not conducting FAA-mandated background checks. The measly fines imposed by the administration must send a pretty laissez-faire message, since those violations have apparently continued after 9/11.
A personal anecdote: I was flying out of JFK a few days ago and while standing in a massive line at the security checkpoint, waiting to have my shoes removed and bags rummaged through by grubby little Mexican hands I witnessed two ground ops walk right through the screaming metal detector. Hola, Pedro! Could that be a gun you're going to give a pax at the terminal's bathroom you're carrying under that orange vest of yours? Not according to the corrupt FAA-airline cabal, apparently.
It is your kind of attitude that is responsible for the security holes that allow terrorist attacks in the first place. Airlines and airports must fix these problems preemptively. Apparently, they are unwilling to pay what that costs in this competitive market. It takes a big bang or public relations disaster to have them act decisively. If the people who found this problem just spoken to someone "in charge", nothing would have happened.
The temptation to haul anybody in on federal charges who does something that might be suspicious is unacceptable. We live in a free society, and lots of people will do things that are harmless but that my strike someone as suspicious. As in other areas of security, it's foolish to assume that the bad guys will have less knowledge than the general public, and it's foolish to assume that the bad guys won't have the resources to find the security problems easily and with low risk of detection. If you arrest everybody who appears to be trying to discover holes in your security systems, you'll mostly end up arresting harmless and you give police the tools to arrest anybody at their discretion; just about any activity can be construed to be suspicious. That's called a police state. Maybe that's where you want to live, but I don't. As far as security is concerned, the "get-tough" approach is a cop-out for companies that don't want to pay the money necessary for doing security right. It gives the appearance of security without delivering actual security.
Companies that have such security holes should get stiff fines, retroactively and for as long as the security holes persist. That's the only way to force them to invest the money up-front necessary to make their systems secure. And if that isn't sufficient, there needs to be federal regulations specifying rules and requirements for things like networking, screener training and salary, etc. People who discover security holes should be left alone (unless they try to take advdantage of them to do something illegal, of course).
While staying at the Sheraton for the Open Source Convention/Perl Conference last year, I tried getting on to the local wireless network provided. Great during the sessions. The only problem was our room was at the far end of the hotel by the airport. Couldn't get a peep from the conference network out there, but I got an IP and DNS from the airport, and a great connection at that.
They seem to think paying people a higher wage will cause spontaneous generation of competence...
In a way, it does. Higher pay = lower turnover. The longer most people stay at a job, the more competent they become.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Check this out: you can't even think of bringing a pair of nail-clippers on an airplane, but that little guy who vacuums the plane between flights isn't even checked for knives, guns, explosive shoes...
Yes he is. Last time I went through airport security, a pilot in uniform went through in front of me. They made him remove his hat so they could check under the brim. Airline employees go through the same security checks as passengers.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Since various airlines have been notified about
/. and I would not want to trust MY family's safety to
this and have done nothing so far, I would propose the following:
Have a computer savy individual hook up with a reporter.
Have them go to the airport together and sniff the net.
Capture a bunch of data, go back to the office, and write an article about it.
I bet something would be done about it then.
I would involve a reporter so they have a tougher time portraying you as a terrorist or criminal.
Someone sitting at the coffee shop working on their laptop would not look out of place.
Perhaps people would argue that you are alerting terrorists to this possibility.
But, it is already posted here on
"security by obscurity".
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Higher pay == more applicants.
If you have 10 jobs to fill and 100 applicants, you get to be real picky about what kind of people you accept. 10 jobs and 11 applicants doesn't let you be so choosy.
And in Pittsburgh, a US Air pilot was arrested, and then suspended when he objected to having his tweezers confiscated by security. He said something along the lines of "What do you think I'm going to do with those tweezers. Hell, I'm the PILOT, for chrissakes. I could crash the plane if I wanted."
Man had a point, there. But it's not a good time to tell people the truth, they REALLY don't want to hear it, and will do anything possible to avoid it.
Get a grip. A cornerstone of our criminal justice system is that "criminal" acts require an overt act known to be criminal, or at least reasonably expected to be so.
What this means, in practice, is that every door into an airport is clearly marked. It's not a crime to walk through an unmarked door. Walking past a door clearly marked "authorized personnel only" is a different matter.
Now look at this "problem." Computers with wireless LAN cards will automatically try to establish a connection... and these airports are offering these connections complete with DHCP and DNS services. They know that this will happen automatically whenever the owner turns on the computer, yet they've taken no action to restrict access to their system or warn travellers to avoid using their computers.
Yet you want to send the police to arrest these travelers for felonies - attempts to interfere with airport operations - for doing nothing that isn't routine in countless other places.
Worse, as some other posters have pointed out these networks can often be accessed from outside of the main terminal. A business traveler may innocently turn on his laptop in his hotel room and inadvertently connect to the airport network - and it's *his* fault for failing to anticipate this problem?
If somebody is there and clearly trying to compromise the system, throw the book at them. But if an airport just has lax security, direct your anger at the airport/airlines, not the innocent travelers.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Hell If I was in charge of Airport security, after seeing this I would set up a honeypot and get ahold of a 200 dollar rdf and start nabbing anyone that tried this, thow em up on federal charges .
So, let me get this straight... If you were in charge, then instead of fixing the holes, you would concentrate on throwing people in federal prison, for being bright enough to notice and point out the security flaws you had failed to notice. Good plan. Don't let anyone question your security.
In fact, this story was a good way to highlight the problem in a prominent enough way to actually get something done about it. If we threw these people in jail then nothing would be done and the security hole would remain !
--
What has always annoyed me are these people that build next to an airport that has been there for many years ... then have the gall to complain a couple of years later about the jet noise they hear every day because of the airport that was there when they built their dream homes. If they didn't want the jet noise in the first place, they should have built somewhere else?
There's a legal doctrine about that. It's called "moving to a nuisance". Basically if you move into proximity with an annoyance that predates your move it's your fault for moving there and you have no gripe.
But enforcement of the doctrine in courts tends to be spotty in some places. Colorado and Oregon generally laugh such people out of court. But California seems to be the home of successful nuisance suits.
This kind of thing happens to small private-plane airports all the time. Developer builds devopment next to one, and after the people move in they drive the airport out of business with suits.
One such small-plane airport in Colorado came up with a great idea: After they'd gotten the suit laughed out of court, they bought up the fancy new houses that had been built next to their fence for a song. Then they put gates in the fence and ran driveways from the BACK of the carports to the taxiway. And resold the fancy houses at a significant profit to people with private planes - who NEVER complained about airport noise. B-)
I understand several other small airports in similar situations have done the same thing, or even had developers build such houses deliberately, and there's now a term for such a development - "Air Park" or something to that effect.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I know it could save lives, but that doesn't make it legal.
Sorry, but that is how things are.
Get your Unix fortune now!
Actually, that's not a really accurate statement. The people in Ohio were complaining because the runways run north-south and the air traffic was routed directly over their houses at low altitude in the late hours of the night. And, large portions of that area aren't "rich" as you put it - I believe the area is mostly lower-middle-class, and they had a real noise complaint.
No, they aren't lower-middle class. The people are upper-middle if not upper class. Lower class people rarely get their compliants on TV because they don't have the 'juice' to do so.
The were complaining because they paid 70,000+ for their homes. They couldn't understand why they didn't go over the cheaper neighborhoods. It wasn't the whole city complaining, it was one specific neighborhood.
I really don't know what they were complaining about. I live a few miles to the east of them. While I'm on the westside of 'nati still. The traffic used to go over our neighborhood, and it wasn't a problem. Sometimes if you talked on your portable phone outside you would get drowned out by engine noise, but that was it.
It was the west siders who complained... not the eastsiders. Eastsiders, mainly, are way richer than the w'siders.
Get your Unix fortune now!