The next time you're in an airport terminal with your wireless notebook on, there's a good chance you're exposing your or your company's data to others. Even worse, the wireless network you're connected to might be completely insecure -- or even be running on the laptop of the guy sitting next to you.
Researchers from AirTight Networks visited 14 airports around the world and discovered that most business travelers aren't taking the basic steps necessary to protect sensitive data. "We found that only three percent of all users were using virtual private networks (VPNs), so most of their data was free and clear to anyone who could sniff the airwaves," said Mike Baglietto, director of product marketing for AirTight Networks.
With little effort the researchers were able to see what Web surfers were looking at, and even capture their cookies (small text files that allow Web sites to identify and track users). "There's a huge data-leakage exposure," Baglietto said. "We're able to track people's cookies in the air, and once you start getting a user's cookies, you could impersonate that user" to steal their banking credentials, for example.
Insecure Access Points
Web surfers weren't the only ones operating insecurely, Baglietto told us. Most of the wireless networks the AirTight researchers checked out were insecure.
The team noted 478 access points, of which 57 percent were completely unprotected, and another 28 percent were protected by WEP (wired equivalent privacy), an encryption protocol that is easily broken. Even worse, 77 percent of the networks were not hot spots (networks offered by the airport or a provider like T-Mobile). Rather, eight out of 10 were insecure networks run by shops, restaurants and even the airport back offices.
The names of some of the access points -- for example, e-Baggage Trial -- gave the researchers clues that those networks were being used for airport operations like baggage handling to airline ticketing. Just like the other access points, Baglietto said these were also insecure.
The potential for an attack on airport systems is enormous, and such an attack would have catastrophic ramifications. "Imagine somebody doing a denial-of-service attack on the baggage infrastructure at San Francisco or Heathrow airports," Baglietto said. "It would send the entire airport into total chaos" and would likely impact air travel around the globe.
The researchers also noted a huge outbreak of viral ad-hoc wireless networks. A laptop with this infection broadcasts itself as a free mobile hot spot. Other laptops inadvertently connect to it since it has a strong signal that wireless cards search for. Once connected, a laptop becomes infected itself and convinces other computers to connect to it.
"The biggest risk that creates is that all your shared folders are exposed to everyone else on that network, so you could be sitting in the airport completely unaware that your laptop is connected to the guy sitting next to you" with your personal and corporate data exposed, Baglietto said. One out of 10 users was infected, the researchers noted, and in one airport five users were connected to the same viral network.
Simple and common-sense measures can prevent these problems. AirTight advises executives to use VPNs and not to connect to any unknown wireless networks in public places. It also said users should periodically look at their Wi-Fi configuration and remove any unneeded networks from the preferred list. Users should also disable "ad hoc" connectivity in public places and turn off wireless connectivity when it's not being used.