David Alexander, digital trust and cyber resilience expert at PA Consulting, is interviewed by Airport-Technology.com on the risks of public Wi-Fi in airports.
“The trouble with Wi-Fi is that current Wi-Fi security was designed by engineers and not cryptographers, and I’m afraid they’re badly flawed,” David says. “There are publicly available attack tools for any of the techniques used at the moment to secure Wi-Fi. Quite frankly, anything that’s available at the moment can be broken.”
“There are lots of unknown people sitting around the airport – by definition, people pass through all the time. And people can be there for hours if they’re waiting for a check-in or a flight connection. So with someone sitting in an airport cafe somewhere with a cup of tea and their laptop open, how do you know what they’re looking at? Are they actually running a rogue access point in the background capturing people’s details? It would be easy to do and no one would know,” David continues.
“Existing Wi-Fi security simply isn’t good enough,” David adds. “Someone who’s got the knowledge can gain access fairly quickly, probably within an hour at most. If the airport security isn’t up to date, they might be able to do it in 15-20 minutes, maybe less if they get lucky.”
The article goes on to discuss business travellers' devices, explaining that merely accessing a network compromised by a malicious actor can leave data entirely compromised.
“People could capture log-in credentials, banking details; if you’re a businessperson they could look at capturing business intelligence. They can read your traffic if you’re not using an encrypted virtual private network to your office systems. Even simple information is useful to them. If you’re high-profile and a frequent traveller, they can see where you’re heading off next,” David explains.
He adds: “It could be a rogue access point with a man-in-the-middle attack – your traffic ends up at the intended destination but via a system controlled by the attacker. They might even inject some kind of malware or spyware onto your device. There was a recent attack where Starbucks customers had their devices recruited to mine cryptocurrency.”
The author notes that it is not just businesspeople with high-profile data at stake; anyone can have their details stolen, and this also poses a risk to government personnel. David says there are some nation states that are known to use methods similar to compromised Wi-Fi networks to monitor specific persons of interest.
In terms of how to protect devices from these kinds of attacks, David advises passengers: “Ensure the operating system on all devices using a Wi-Fi network is up-to-date and patched. The same goes for any browsers and apps; keeping a device up-to-date prevents 80% of attacks.”