Using Wireless in the Air: Whatever Happened to Security?
If you have the same kind of job that I have, airplanes are no strangers to you. For better or worse (more often the latter lately), flying is a big part of life for many people, myself very much included. Part of what I consider unpleasant about flying is the fact that I have to sit very close to someone whom I do not know and who may not be very considerate at all (have you noticed all those uncovered sneezes lately?) for an extended period of time. Additionally, events, sometimes very important ones, transpire while one is in the air. Keeping up with them is almost impossible unless you pay for in-flight wireless services. These services not only help a flyer keep in touch with what is happening on the ground, but also are a good antidote for boredom. And, oh by the way, they also help people to become more productive on the job.
I’ve heard a few information security professionals say that the greatest security risk in using a computer in the air is the risk of a nearby passenger seeing what is displayed on a computer screen. True, this is a potentially serious threat, but what most people do not realize is that if someone uses wireless services in the air, chances are that person will be connected to an insecure IEEE 802.11 something wireless network. Anyone on the same plane with a laptop connection to the same wireless network or a WiFi-enabled phone can eavesdrop on everything that an in-flight wireless user sends or transmits. Consider the risk when there are 400 people on a jumbo jet! But the danger does not stop there—a malicious user can also attempt to access shares or possibly even to logon to any similarly connected system. Additionally, Emagined Security’s COO, Paul Underwood, has seen mindboggling in-flight wireless scenarios. In one of them, a user set up an in-flight wireless connection and then created a proxy to which other users on board could connect!
The point here is that security concerns about using wireless networks should not be limited to on-the-ground wireless networks. The same risks that occur in using such networks also apply to in-flight wireless networks. At a minimum, every user of in-flight wireless networks should apply the following security control measures:
1) Ensure your computer has a properly configured firewall running
2) Ensure that your computer is running anti-virus and anti-spyware, both of which are updated frequently
3) Use VPNs for all communications with your organization’s hosts
4) Use SSL or some other strong encryption method for connections to Web sites and mail servers
5) Check for open shares on your PC; protect shares (minimally with a difficult-to-guess password) if they do.
Or if you do not want to use all these measures, at a minimum connect to a VPN and then launch your email client or Web browser.
Hopefully, this blog entry will change your thinking about risks involved in in-flight connectivity. Assuming that you make changes in your in-flight use of wireless, you next ought to turn your attention to your organization’s information security policy and standards. Do they cover in-flight computer usage? If not, it may also be time to start planning and discussing necessary changes in both.
Conventional computing use involves many risks; wireless connectivity introduces even more. Whether you are using wireless on the ground or in the air, make sure you do not fall victim to wireless attacks.