Wireless Fidelity (Wi-Fi) is everywhere, extensively used and fraught with dangers. Outside of information technology professionals, few users understand how Wi-Fi works, its potential security flaws and the ramifications of improper design and use.
In the simplest terms, Wi-Fi is a means to connect a device to a network using radio waves. Once connected via Wi-Fi, a device is no different from any other computing device on that network. Devices, such as your phone or notebook computer, connect to the network via a wireless access point (WAP), also known as a router (almost all homes have one), using the IEEE 802.11 standards.
Wi-Fi Use & Dangers
Many businesses provide free Wi-Fi to their customers as an incentive, as a means for employees to connect to networks to facilitate operations, as a path for operators to manage remote devices attached to the network(s), and as a way to rapidly pass information throughout their organization and share it with others. Wi-Fi generally provides cheaper access to systems and, in the case of managing remote devices (e.g., a security gate or door), eliminates the need for long runs of cabling. The aviation industry is no different when it comes to motivations and use of Wi-Fi. Unfortunately, along with the convenience and cost savings associated with Wi-Fi also come problems associated with unauthorized access to networks, theft of information, illegal control of remotely operated devices and, in extreme cases, the ability to compromise and shut down operational systems – both on the ground and in the air.
These issues might be dismissed as the stuff of science fiction or bad adventure novels, but they are real. Widely published reports have illustrated situations where airport virtual private networks (VPNs) have been compromised by the Citadel Trojan (a type of malware), passenger manifest and baggage information has been stolen from curb-side check-in via intercepted Wi-Fi signals, security equipment has been compromised, and airports' and airlines' information technology infrastructure has been hijacked in South Korea, Saudi Arabia, Pakistan and other countries, compromising operational systems. There have even been reports, although not fully documented, that flight control systems in aircraft have been compromised as a result of Wi-Fi-vectored intrusions. While this extreme possibility appears remote and especially unlikely, there have been widely documented cases of industrial control processors hacked and even destroyed via Wi-Fi-vectored attacks (this includes autos taken over through their ‘OnStar’ link).
Wi-Fi on the Ground Dangers
Airports and airport-located businesses, including airports themselves (the port authority), restaurants, bars, airline lounges, etc., offer free or readily accessible Wi-Fi to customers. Many of these WAPs are free, open (do not require a password) and not encrypted (all information is transmitted in clear format). So if it is free and open, that is a good thing, right? Yes, the free part is great. Unfortunately, the balance is quite problematic.
First, an open WAP is available to everyone, creating a two-way flow of data between the device and the network. That in itself is not problematic, but open WAPs can be easily compromised with malicious software (malware), and that malware can then be downloaded to the user’s device, from which it can move to any network that device connects to. Malware has the ability to capture information and keystrokes, copy and/or replace files and even take over a device for nefarious purposes.
Second, users connecting to non-encrypted WAPs might as well stand on a table and shout their information as they transmit, because those unencrypted signals are easy to intercept. This is known as a man-in-the-middle attack. If the user is just checking the news or weather there is no real issue, but most users check their emails – personal and business – revealing account IDs and passwords, text personal information, and in some cases shop (providing payment information) and view financial information. WAPs with password protection (airline lounges) have more security, but passwords are often weak, infrequently changed, and in one case known through personal experience, the password is provided on slips of paper at the check-in desk.
There have also been reports of individuals setting up fake WAPs and tricking people into connecting to them by letting them believe they are receiving something (internet access) for free. Once connected, a user’s device is compromised. A new and widely spreading scheme is for the criminal to lock the compromised device, then send an email to or call the device owner demanding ransom. So what can be done? Unfortunately, with open WAPs, very little can be done, with the exception of clearly warning users of the dangers, encouraging vendors to continuously scrub their routers for malware, and shutting down fake WAPs. This is usually the responsibility of the facility’s IT department, which is already overtasked.
Wi-Fi on the Ground Solutions
The ability to protect a network is greatly improved once the public domain is excluded. Networks accessed exclusively by internal users should be completely ‘locked down.’ This means, at a minimum, that the networks are password protected (using strong passwords), encrypted (a means to encode the transmissions) and fully separated from those networks used by the general public. Strong passwords consist of at least eight characters (the more characters, the better) that are a combination of letters, both uppercase and lowercase, plus numbers and symbols (@, #, $, %). While these passwords are harder to remember, they are harder to ‘crack,’ making the network more secure. While strong passwords are recommended, they can still be broken. This is accomplished by using password cracking tools such as Reaver, a free, open-source tool designed to exploit security flaws in most routers. Encryption is a means to encode the information transmitted using a mathematically generated formula or ‘key.’ As with passwords, the more robust the encryption and key, the stronger the network protection. Both software- and hardware-based encryption are readily available on the open market. Proper configuration of WAPs as well as the networks themselves is critical, including using strong encryption, changing passwords regularly, ensuring that factory settings are changed before the device is placed in use, and closing virtual ports that are not actively in use.
Most public WAPs broadcast the name of the network (also known as an SSID – service set identifier) for any device to see. The SSID broadcast makes it easier for computers and phones to find and connect to these devices. If a private network is broadcasting its SSID, network managers are facilitating ‘wardriving,’ a technique where an individual uses a wireless device to find and identify WAPs and their networks. Even if the network is not broadcasting its SSID, it is still available to authorized users, with administrators either configuring a user’s device or providing instructions on how a user can connect. Like other measures, this does not eliminate the security issue, as skilled hackers with the proper tools can still identify the network’s signal, but it does make the network harder for non-skilled unauthorized users to penetrate.
The aviation industry has embraced ‘bring your own device,’ where employees can use their personal devices at work. This provides cost savings to the operation and convenience to the user but is very problematic. If the user acquires malware on their device (for instance while using it at home) and connects to the work network, it is highly possible that the malware will move and infect the work network and every device attached to it. This line of thinking should also be applied to work-issued devices that are given to an employee, used outside the workplace (attaching to other networks) and then reattached to the work network. As an example, airlines issue pad computers to their flight crews eliminating the need for paper charts and approach plates. Policies for network use and work-issued devices are critical to managing this problem, while education of users to the dangers should be mandatory. Many organizations hire ‘white hat’ hackers to test their networks for security issues and may even send phishing emails to their users to gauge the effectiveness of training and end user behaviors. These services are also widely available on the open market at reasonable prices.
In many locations, ‘public’ and ‘private’ networks are one and the same, with traffic separated by firewalls. Firewalls provide a means to restrict movement into and within a network and can be either software or hardware based. They are rule-based, meaning that, as an example, someone has determined who can or cannot access the network, what different users are allowed to access and what information can be exchanged with other networks. Firewalls are an excellent tool to ensure security, but like all forms of network security they are not infallible. They are developed and maintained by individuals and therefore are subject to errors. Even the best firewalls can be compromised. Therefore, the most secure means to ‘lock down’ the private network is to completely separate it from a public network, sometimes referred to as ‘air gapping.’ This means that there is no possible path between the public and private networks. In other words, two separate networks exist, completely isolated from each other. While more expensive (requiring separate servers and WAPs) than partitioning networks using firewalls alone, this scheme is orders of magnitude more secure. This is especially important for operations networks, networks that control physical access such as gates and security doors or transmit security camera feeds, networks holding critical or personal information (e.g. passenger databases), and even voice over internet protocol (VoIP) communications. When air gapping a system, ALL paths into and out of the network should be considered. Claims have been made that aircraft control systems could be compromised using an attack path through the aircraft’s entertainment system. The vulnerability was that both the entertainment system and the cockpit (including flight control systems) shared the same communications bus. While manufacturers claim the problem never existed, the point is that if the systems were completely separated, the attack vector would be eliminated.
Business Aviation Solutions
It should become apparent from the examples above that the fewer individuals on a network, the easier it is to secure. There has been ongoing concern in business aviation, especially among large companies operating their own fleets, about the security of communications. It seems that senior executives and VIPs who regularly use aircraft immediately connect to an aircraft’s Wi-Fi as soon as they board and conduct proprietary and sensitive business. Since there are few passengers onboard a business aircraft, and once the plane is airborne, most assume that no problem exists. Unfortunately, there have been cases where the transmission has been intercepted between the aircraft and its ultimate destination, placing proprietary information in the hands of unauthorized individuals. The fact that corporate espionage has grown in recent years should come as no surprise given the many media reports of breaches. Many organizations are using virtual private networks (VPNs) to provide security while placing firewalls around the networks. VPNs provide an encrypted ‘tunnel’ through the internet. This encrypted path provides users with enhanced security from unauthorized access. These techniques do provide improved security, but again there have been a number of cases where VPNs have been compromised.
A stronger solution to optimize security to protect a small number of ‘high-value’ users and their assets (including the aircraft) is to use hardware-based encryption. The scheme used by most militaries around the world is available to users on the open market. The system consists of a small hardware device (encryptor) added to the aircraft’s communication panel that encrypts the outgoing transmission before it is passed to the aircraft’s communication system and decrypts signals after they are received. The same type of device must be placed in the IT system where the aircraft’s transmission is received. In this case, the most likely location would be the IT system at an organization’s headquarters.
The encryption ‘key’ (a mathematically derived, prime number based formula) is loaded into both encryptors (in the aircraft and at HQ). As long as both encryptors are active and have the same key loaded, the transmission is secure from compromise. A system of hardware-based encryption is similar in nature to a VPN but much more robust. Organizations can generate their own encryption keys (strength depending on their unique requirements) and change the key as often as they feel is necessary (hourly, daily, weekly). A system of hardware-based encryption is transparent to the user, meaning that senior executives would not be bothered with additional passwords, key fobs with rolling codes or challenge questions. They would log into their devices as usual, connect and work. A system of hardware-based encryption works equally well for hard-wired connections as it does for Wi-Fi. Of course, this system of hardware devices and software keys is much more expensive to operate and manage than a VPN, but it provides military-like security.
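To make the paired-encryptor scheme concrete, here is an added illustration (not the article's or any vendor's code) of two link encryptors, one in the aircraft and one at HQ, that share a key loaded on a rotation schedule: a frame encrypted on board decrypts at HQ only while HQ holds the matching key, and a mismatched key or an altered frame is rejected. The cipher construction (an HMAC-SHA256 keystream with encrypt-then-MAC) and the key-derivation labels are assumptions chosen so the demo runs with the Python standard library alone.

```python
# Added illustration, not the article's or any vendor's code: a pair of
# pre-shared-key link encryptors like the aircraft/HQ devices described above,
# using only the Python standard library. The cipher construction (HMAC-SHA256
# keystream with encrypt-then-MAC) is an assumption chosen so the demo runs
# offline; real encryptors use vetted hardware ciphers.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def derive_link_key(master_secret: bytes, period: str) -> bytes:
    """Both ends derive the same 32-byte key for the same rotation period
    (e.g. a date label), which models loading a fresh key on a schedule."""
    return hmac.new(master_secret, b"link-key:" + period.encode(), hashlib.sha256).digest()


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class LinkEncryptor:
    """One encryptor box; it is inert until a key is loaded."""

    def __init__(self, name: str) -> None:
        self.name, self.enc_key, self.mac_key = name, None, None

    def load_key(self, link_key: bytes) -> None:
        # Separate subkeys for confidentiality and integrity.
        self.enc_key = _prf(link_key, b"enc")
        self.mac_key = _prf(link_key, b"mac")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = (length + 31) // 32
        return b"".join(_prf(self.enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.enc_key is None:
            raise RuntimeError(f"{self.name}: no key loaded")
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh per frame
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + _prf(self.mac_key, nonce + ct)  # frame = nonce | ct | tag

    def decrypt(self, frame: bytes):
        """Returns the plaintext, or None if the key does not match or the
        frame was altered in transit (the tag check fails before decryption)."""
        if self.mac_key is None or len(frame) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _prf(self.mac_key, nonce + ct)):
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
```

Rotating the key at HQ without rotating it on the aircraft (or vice versa) silently breaks the link, which is why both boxes must be re-keyed on the same schedule.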
Wi-Fi and computer networks are pervasive, widely used, beneficial to organizations and individuals, and fraught with danger. This article provides a variety of potential solutions both organizations and individuals can enact to mitigate security pitfalls while making their organizations and users more secure. Perhaps the most important recommendation is to continuously train and educate users! The most desired solution has been and will always be a magic ‘box’ provided by the IT department to solve all security problems. Unfortunately, that magic solution does not exist, and if it did, it would still depend on users making sound decisions and choices. Users need to understand the dangers lurking at the next website or in that ‘too good to be true’ email they just received. No matter how strong the password or the encryption key, or how cool that new technological tool is, security is a requirement and the job of every user. It is the responsibility of every organization to ensure their users are trained, educated, and tested to protect their networks. It only takes a single user connecting to that infected device or clicking the wrong link to compromise everyone else.
Steven “Doc” Simon holds a PhD in information technology and international business from the University of South Carolina and is currently an associate professor at the Stetson School of Business and Economics at Mercer University in Atlanta. He is a retired Navy Captain having spent most of his 26-year career in information technology operations and cyber security. He served as the Commanding Officer (CO) of the Department of the Navy’s Communication Security (COMSEC) System, CIO/J-6 for US Strategic Command’s WMD Center, director of the Cyber Security Center at USNA, and CO of NR Naval Information Operations Center – Georgia.