Earlier this week, July 18th 2018 to be exact, a Tel Aviv-based cloud security company named Coronet released a report detailing the cybersecurity risks of connecting to airport Wi-Fi (I’m fine with that concept) and then went ahead and ranked the 45 busiest airports in the United States based on their own proprietary security score (that is what I have a big problem with).
Disclaimer: I work at, and run the guest Wi-Fi for, an airport that is in the middle of this list. I will still attempt to be objective, but I’m not making any promises!
The actual report, which you can find here, is simply a report that they published. The problem is that it was picked up by multiple publications, as is usually the case, and people without any qualifications are starting to put their own spin and understanding on said report. The report, and the subsequent news articles, miss the one big point that is inherent in guest Wi-Fi: that it is insecure, and it is that way by design.
By sheer happenstance, I just finished taking a CWNP CWSP class last week, and during the class we spent some time talking about wireless security at airports. As I read through this report and applied my knowledge from all of my CWNP studies (which, if you aren’t going down that road, I highly suggest you start immediately), a lot of red flags started to go up, and in the end it made me pretty upset. I am going to break down their published study to point out where I take issue with their report and methodology, in an attempt to educate people about guest Wi-Fi.
Their report was created by crowdsourcing data from devices that had the Coronet application on them as they traversed America’s 45 busiest airports. This data was collected over 5 months and was made up of “more than 250,000 consumer and corporate endpoints.” While that may seem like a lot, let’s take a look at the number of passengers that would have traveled through Houston’s William P. Hobby Airport (not the airport I work at, but #3 worst on their list) during the first 5 months of 2018. While the report doesn’t call out which 5 months were part of their study, it does point out that it was over the course of 5 months. During the first 5 months of 2018, Hobby airport had a total of 5,743,661 passengers. That number is good enough for 34th in the country and places them in the “Medium Hub” category for airports. In comparison, Hartsfield-Jackson Atlanta International Airport, the busiest airport in the world, had a total of 41,960,415 passengers during the same 5 months. I mention this as a reference: while 250,000 might sound like a lot, in the world of airports 250,000 travelers can represent a single busy day at a “Major Hub” airport like Atlanta.
This ties into the next part of the report I want to examine, which concerns a fact well known by Wi-Fi professionals but not thought about by others, like security professionals: range. On page 5 of the report, in the Network Risk Score, Coronet stated that their SecureCloud scanned connected and neighboring networks and used proprietary algorithms to assess network risks. The one point they missed is that they are only gathering the data that the device can see, and if you have ever tried to collect Wi-Fi frames on purpose you know that it is super easy to miss frames and beacons when you are trying to capture them, let alone when some background process is doing it. Coronet is assuming that if they didn’t see a malicious network then it wasn’t there. That’s like saying I didn’t see the person down the street get mugged, so this must be a safe street. Take into account the limited amount of time a device stays in an airport, and you might as well say I didn’t see anyone get mugged down the street in the past 30 minutes, so this must be a safe street. Even more, since Wi-Fi in a high-noise environment doesn’t have the same range to decode packets, it’s like saying I didn’t see anyone get mugged in the past 30 minutes within 75 feet of me on this street, so it must be a safe street. I wish I was exaggerating, but that’s just the truth as it pertains to environments like mine.
Within that same paragraph, I would like to point out that according to their scale, the highest risk they account for is a “5”, with “1” being the lowest. When we jump to the end of the report, we find that only 2 airports out of 45 make it into the 4’s (Raleigh-Durham at 4.9 and Chicago Midway at 4.5). While that is what it is, the number 3 “safest” airport is Nashville with a score of 5.1. While good enough for 3rd on the safe list, that score actually falls outside their own range of being bad. Keep in mind, this is their own scale based on their own reasons.
The rest of the report, just to wrap this up, is the ranking of airports using their own random numbers. Once you consider the fact that they didn’t publish how many scans were done per airport over these 5 months, how often, or how much of the public space was scanned, it really loses its luster really quick. Refer back to my analogy about someone being mugged. The thing to take away is that they only reported on what they were able to see, from what has to be a VERY limited perspective. They don’t call that out in their report, which is why all of these “news” organizations are loading up my Twitter search with this report and stating it as a very important read. Don’t believe me? Go on Twitter and search “airport wifi” and see what comes up. I keep a constant feed running in my TweetDeck for airport wifi (it’s my job, honest) and it’s driving me nuts.
What Can You Do
This is also known as what they didn’t discuss in their report. Since I believe the report is meant to promote their product and company, this part would be counter-productive to the purpose of their work, so I get why they avoided it. The one thing they did say that makes sense is on page 4, where they talk about captive portals. I’m not a fan of captive portals, and even less so after reading this. It makes sense that if you were to connect to a malicious AP (aka Bad Guy Hacker), he could serve up a captive portal modeled after the real portal, and when you click a link, have it install malware on your device as well as grant you access to whatever they want to give you access to. Just one more reason to turn them off. That’s someone else’s rant from a different day.
This leads into my recommendations.
- Educate yourself. Every airport has a website, and that website will indicate what their SSID is, if they even offer guest Wi-Fi. If you can’t find that SSID while you are there, don’t connect to something just because “it’s close enough.” Look at it from an operator’s perspective: we can’t shut down “rogue” APs because we don’t know what someone named their own Mi-Fi hotspot or some other random device they travel with. Even an extra space or an underscore is enough to make it “different,” and that is hard to track down with over 100,000 people a day coming through your facility.
- Configure correctly. Unless it is your home network inside your house (and we can argue about 802.1X versus WPA2-PSK at your house another day), always indicate that you are on a public network. That will, hopefully, keep others from being able to fully access your device, no matter what you connect to. Also, keep your firewalls and security software up to date and set to high. While it is a pain and can stop functions from working, it’s better than having your identity stolen or company secrets leaked.
- Take responsibility. Keep in mind, all public Wi-Fi services, be it at an airport, sporting venue or coffee shop, are meant to be a nice service to you, but we need your help. The report talks about the KRACK “vulnerability” from last year as a concern, and I will tell you they are just jumping on the latest security “scare” in the Wi-Fi world. KRACK only affects WPA2 encryption; guess what isn’t on a guest network? We discussed a WPA2 service internally for about 30 minutes, came up with why that was a bad idea, and then killed it. Advertising a WPA2 password on a banner will only add about 3 seconds of additional workload to a malicious player in the space and, in the end, only drive up complaints about how hard it is to connect. The fact that they talked about WPA2 and guest Wi-Fi in the same report is infuriating.
- Protect yourself. This is really a subset of #3, but we will make it its own number because it is that important. Understand that, as the operator of the system, I can only do so much. Client-to-client isolation is about it, which we do at our location; any other parameters would only complicate the system and make it difficult to use. Take responsibility and get yourself a trusted VPN service. If that isn’t an option, then understand that as an operator I have to refer you back to #3. Don’t send emails you don’t want others to see, and definitely don’t do anything related to your finances on any network without proper security in place. At an airport, that means a VPN is the only option. While HTTPS or SSL is some protection, it doesn’t offer complete protection. Always try to use it, but think of it as an additional security measure, not your only security measure. Another tip I picked up in class is around usernames and passwords. If you don’t use unique usernames and passwords for every account, then at least come up with ones for your critical accounts that are different from your non-critical accounts. Then only access the non-critical accounts on unsecured networks. This isn’t recommended, but refer back to #3.
- Be proactive. This ties back into #1 and educating yourself. There are free (or cheap) apps for phones and laptops that let you see some information about your connection. I don’t want to get into an exhaustive list or debate, but they exist. If you encounter a captive portal, and you can get it to load, don’t just click on any random hyperlink without examining what it connects to. Hover over the link with your pointer and leave it there; your OS will pop up and tell you what it really points at. Spoiler alert: it doesn’t have to be what it says it is. Check out the DNS information your device received. Most major systems will hand out 2 DNS servers, and they are usually pretty reputable. If you’re only offered one, question it. Check out the subnet mask you are assigned. Atlanta breaks this rule, so it’s not a hard and fast one, but larger venues won’t have the traditional subnet mask you have at your house. Don’t know what a subnet is? Read about it here. This is an education step you can take to protect yourself. Remember, you and I are in this together, and we need to help each other.
- Be skeptical. Unless the website you researched before getting to the public venue says otherwise, expect most locations to have a captive portal and to limit your speed, your time, and what you can view. Shameless plug here: our location doesn’t do any of that, but it also says so on our website. Actually getting blocked from a site, while frustrating, is indicative of a legitimate service. Hackers won’t block you, because they want you to stay connected. If you have any doubt about your connection, ask someone or move to a different location. Move far enough away to be out of range of where you were. Malicious players will try to be closer to you than you are to the AP, and they won’t move with you. If they do move with you, you have other problems.
- Understand where you are. Public venues are not your home or office. We face different challenges than those environments, but we also have some other advantages that make it pretty cool. Unfortunately, the cool factor doesn’t extend to the end user, so all you get out of this is the challenge part. For the most part, operators of these Large Public Venues (LPVs) really do want to provide the guest a great experience that they don’t complain about. Our interaction with customers is limited, so as long as you aren’t complaining, we call it a win. Part of that is understanding on the guest’s part. There are some bad configurations out in the LPV Wi-Fi world, but security is normally something we take seriously. What we need the guest to understand is that the security we focus on is to limit the guest’s ability to access OUR network. We know there is a security grudge match going on inside guest Wi-Fi; we just want to contain it and keep it away from us. Now that you understand that, you can go back and re-read #3 and understand it better.
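To make the “extra space or underscore” point from #1 (Educate yourself) concrete, here is an added example of my own, not code from the original post or from any airport’s systems. It compares a list of scanned SSIDs against the SSID a venue publishes on its website and sorts them into exact match, lookalike (same name once spacing, punctuation and case are ignored), similar (within two edits) and unrelated. OFFICIAL_SSID and SCAN_RESULTS are constructed placeholders, not a real airport’s network names. Only the exact published name is the one to join; anything that merely looks like it is exactly the case the operator cannot police for you.

```python
"""Compare scanned SSIDs against the one published on the venue's website.

Added example. OFFICIAL_SSID and SCAN_RESULTS are constructed placeholders,
not a real airport's network names.
"""
import re

OFFICIAL_SSID = "Airport Free WiFi"  # constructed: take this from the venue's website

# Constructed scan results, the kind of list a phone shows under "available networks".
SCAN_RESULTS = [
    "Airport Free WiFi",      # the real thing
    "Airport Free WiFi ",     # trailing space
    "Airport_Free_WiFi",      # underscores instead of spaces
    "airport free wifi",      # case differs
    "Airport Free WiFi1",     # one extra character
    "Free Airport WiFi",      # words reordered
    "Joes MiFi",              # somebody's travel hotspot
]


def normalize(ssid: str) -> str:
    """Strip whitespace, underscores and hyphens and fold case, so that
    trivially different spellings of the same name compare equal."""
    return re.sub(r"[\s_\-]+", "", ssid).casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(scanned: str, official: str = OFFICIAL_SSID) -> str:
    """Return 'official' for an exact match, 'lookalike' when the names differ
    only in spacing, punctuation or case, 'similar' when they are within two
    edits of each other, and 'unrelated' otherwise."""
    if scanned == official:
        return "official"
    ns, no = normalize(scanned), normalize(official)
    if ns == no:
        return "lookalike"
    if edit_distance(ns, no) <= 2:
        return "similar"
    return "unrelated"


def check_scan(scan=SCAN_RESULTS, official=OFFICIAL_SSID) -> dict:
    """Map every scanned SSID to its classification. Only 'official' is the one to join."""
    return {ssid: classify(ssid, official) for ssid in scan}


if __name__ == "__main__":
    for ssid, verdict in check_scan().items():
        print(f"{verdict:>10}  {ssid!r}")
```

The comparison is deliberately strict in one direction: a lookalike is treated as a different network even though a human reading the list would probably not notice the trailing space or the underscore, which is the whole reason the published name has to match character for character.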
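The DNS, subnet mask and hover-over-the-link checks in #5 (Be proactive) can be scripted. The following is an added example of my own, not code from the original post, that runs those three checks over constructed inputs: two DHCP leases of the sort `ipconfig /all` or `ip addr` would show, and a captive-portal HTML fragment in which one link’s visible text names one site while its href points somewhere else. All addresses and the `.test` hostnames are constructed placeholders, and the subnet check is a hint rather than a rule, since the post itself notes that Atlanta breaks it.

```python
"""Three quick sanity checks on a public Wi-Fi connection: DNS server count,
subnet size, and captive-portal links whose text does not match their target.

Added example. All addresses, hostnames and HTML below are constructed.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed DHCP lease details, as a phone or laptop would report them.
VENUE_LEASE = {"address": "10.40.12.77", "netmask": "255.255.240.0",
               "dns": ["10.40.0.2", "10.40.0.3"]}
SUSPECT_LEASE = {"address": "192.168.1.23", "netmask": "255.255.255.0",
                 "dns": ["192.168.1.1"]}

# Constructed captive-portal fragment: the second link's text claims one host
# while its href points at another.
PORTAL_HTML = """
<p>Welcome. <a href="https://example-airport.test/terms">Terms of service</a></p>
<p>Continue: <a href="http://portal-login.example.test/go">https://example-airport.test/wifi</a></p>
"""


def check_dns(dns_servers):
    """Warn when fewer than two DNS servers were handed out."""
    warnings = []
    if len(dns_servers) < 2:
        warnings.append(f"only {len(dns_servers)} DNS server offered; "
                        "large venues usually hand out two")
    return warnings


def describe_subnet(address, netmask):
    """Return (prefix length, usable host count, warning or None).

    A /24 is the home-router default; a large venue usually hands out a bigger
    block. Treat this as a hint, not a rule (the post notes Atlanta breaks it)."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    usable = net.num_addresses - 2
    warning = None
    if net.prefixlen >= 24:
        warning = f"/{net.prefixlen} ({usable} usable hosts) is a home-sized subnet"
    return net.prefixlen, usable, warning


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def deceptive_links(html):
    """Return links whose visible text is a URL naming a different host than the href.
    This is the scripted form of hovering over a link to see where it really goes."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown_host = urlparse(text).hostname if "://" in text else None
        if shown_host and shown_host != urlparse(href).hostname:
            flagged.append((text, href))
    return flagged


def run_checks(lease, portal_html):
    """Run all three checks and return the findings as a dict."""
    prefix, usable, subnet_warning = describe_subnet(lease["address"], lease["netmask"])
    return {
        "dns_warnings": check_dns(lease["dns"]),
        "subnet": (prefix, usable),
        "subnet_warning": subnet_warning,
        "deceptive_links": deceptive_links(portal_html),
    }


if __name__ == "__main__":
    for name, lease in (("venue", VENUE_LEASE), ("suspect", SUSPECT_LEASE)):
        print(name, run_checks(lease, PORTAL_HTML))
```

None of these findings proves a network is hostile; they are the same cheap observations the post recommends making by hand, and a single DNS server or a home-sized subnet is a reason to ask the venue, not a verdict. The link check is the one with the clearest signal: a link whose text is a URL for a different host than the one it actually opens has no honest reason to exist on a portal page.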
Security is a very, VERY real thing, and all of us, network operators and users alike, need to be constantly vigilant in this effort. As any security professional will tell you, we are only as strong as our weakest link. Guest Wi-Fi is a very weak link. That doesn’t mean you have to avoid it; what it means is you need to understand what you are getting yourself into. I will take one final exception to the report from Coronet, and that comes at the top of page 9, “Taking Action.” They have the audacity to actually think they can “downgrade” your security stance based on their color code and random numbering scheme. That is the worst possible thing you can EVER do. Go back and read #6. If you aren’t assuming that EVERY public location is a very serious threat against all of your connected devices, don’t bother doing anything, because you will get hacked, pwned, compromised, or whatever you want to call it that day. This isn’t some random threat; it’s just a fact. In Wi-Fi, if your connection isn’t rated as a Robust Security Network (RSN), or in other words using an 802.1X form of EAP (Extensible Authentication Protocol; you will probably have to ask someone about that one), then just assume that it is not as secure as you should be. WPA Pre-Shared Keys (PSK) are only as good as the people you share that key with, and that key works for everyone, hackers included.
Long story short: trust no one and always be on the lookout. If not, it’s only a question of when your device will be compromised, not if it will ever happen to you.