NetworkWorld Panorama Podcast with Jason Merrick from AirTight Networks
I spent my Sunday morning catching up on some older podcasts I haven't had time to listen to but had interesting subjects. One in particular, "Wireless Dangers at Airports" from NetworkWorld Panorama on 5/8/2008 piqued my interest as it was directly related to my current employer. As I listened to the podcast I had thoughts ranging from "interesting" to "yeah, but" and "that's FUD."
Quick Summary:
14 Airports in the US, UK scanned
- 77% of networks found were private networks
- 80% of those had either WEP or no encryption
Airports:
- "large" number used for logistics
- ticketing
- baggage
- stores
- restaurants
- Using WEP or Open for business use
Users:
- 3% used corporate VPN
- SSID leakage
- Viral WLAN
Example:
- Baggage tracking WLANs
- "BetaBaggageSystem" was an SSID
- WEP encrypted
Worst case scenario:
- DOS baggage or ticketing system
- hide baggage
- reroute baggage
- enter ticketing system
My thoughts:
- 14 is a very small statistical sample but I believe the finding would be similar if the sample size was large
- Hotspots have not proliferated because only a select number of providers are allowed into the airport space and the have to share the frequency space with legitimate business use WLANs so the 77% number is what should be expected.
- The use of WEP is a very touchy subject. I like almost everyone else in the infosec field agree that WEP should be banished from the wireless landscape. Unfortunately, corporations rushed out five or six years ago with the encouragement of vendors to rapidly deploy wireless networks. The standard at the time was WEP and unfortunately the cost of going back and migrating up to WPA or WPA2 is going to cost millions per airline.
- As for the logistical use of wireless in airports, once again, the business benefit of wireless far exceeds the risk. Also, I think there is a basic assumption that once you gain access to the WLAN you would have unfettered access to the baggage system or the ticketing system (as Jason Merrick of AirTight Networks states more than once during the podcast). I would make the assumption that business traffic being broadcast over the WLAN via WEP is encrypted via a SSL tunnel and that there is two factor authentication and authorization in place. Therefore, the assumption that you could just reroute a bag or book yourself a ticket is greatly exaggerated (read: FUD).
- Jason mentions hiding SSIDs as a risk to wireless users and thus the enterprise. Now depending on my mood I would either agree or disagree (I see both sides of the subject) but it must be said that until PCI eliminates the mandate for hiding the SSID that the corporate environment has its hands tied on the matter and opinion plays no part. I cannot design a solution that purposefully disregards PCI (or any other statute) because I think they are incorrect and I know better.
- I agree that we need to try and force our users to use the IPSEC VPN clients we provide to them. But since I can't be everywhere, we filter web access through a corporate gateway proxy, and we offer HTTPS access to email as an alternative (for the CEO when he's visiting Mom's house for instance), it appears that using a VPN is an unattractive and restrictive way to do some quick work while waiting for a flight.
Overall I think Jason's study is worthwhile (although I question his motives a bit... trying to get my attention?) and his findings are somewhat accurate, but his assumptions and conclusions are way off base and smack of fear-mongering and FUD.
No comments:
Post a Comment