Online Exclusive

Cybersecurity and Mass Transportation

Lately I have been spending a lot of time in airports, train stations and other transportation centers. Though I often find myself at these locations for my work, recently I have been spending an inordinate amount of time there just like everyone else: as a traveller. Last week, while sitting at the gate waiting for my flight, I overheard a couple of businessmen talking about how they never seem able to connect to the “free public WI-FI” networks that they always see while surfing in public places. I was a little shocked; these guys looked like polished professionals, and as it turns out they were doctors. It was then that it dawned on me: not everyone thinks the same way as someone who makes their living in the protection business.

You may be asking yourself, OK, what gives? What is the deal with “free public WI-FI”? Well, ask yourself this question: does anything in life ever come for free?

I couldn’t help but lean over and begin talking to the gentlemen. I asked how many times he had tried to connect to the “free public WI-FI” networks to no avail. I think he could tell by the grin on my face that I was implying something. “Oh great,” he uttered, as he glanced at his colleague and then back in my direction. I mentioned that they should avoid connecting to anything ad hoc, or anything labeled as “free public Wi-Fi,” as they were likely connecting to an unfriendly host. He shirked and said, “Well, I’m smart enough to know that if I don’t connect there isn’t any risk.” My smile grew a bit wider, and his buddy gave him an elbow in the ribs: “Looks like there’s more to it than that.”

There is certainly more to it than that. The funny thing is, this is old hat. It has been happening for years, specifically in airports and transit centers. Why hasn’t anything been done to make the public aware of this threat? Before we try to answer that question, let me offer you a quick explanation of exactly what the threat is:

You click on the seemingly “free” WI-FI hotspot SSID and are unable to connect. Maybe you do connect, but you are unable to get to the World Wide Web, and you soon disconnect. Everything in your computer seems OK, your virus alert hasn’t started buzzing at you, so no harm, no foul … right?

Well, not exactly. You see, by clicking on the SSID you have given your system permission to use wireless connections through that SSID; essentially it has been added to your wireless configuration list. Whether or not you have actually connected, you have told your system that it is OK to connect to this SSID, and in doing so you have opened yourself up to attack. Once the SSID is in your list of preferred networks, a malicious “bot” (a bot is an application that automatically executes tasks through internet and other network connections) is able to connect to your machine using those permissions and propagate itself.

Once your machine is infected, it becomes a host. Essentially, you are now the person broadcasting the SSID for someone else to unwittingly connect to, and the cycle continues. It should start making more sense to you now. In most cases there are no hackers stalking the airports and broadcasting the malicious SSIDs. Though these cyber-criminals are ready to pounce on your data, they are likely relaxing at home, waiting for you to connect to their systems.

The hacker will then use the bots to create a botnet, a network of bots that operate synchronously and symbiotically to perform nefarious tasks such as simple data theft, distribution of spam, or the execution of a denial of service attack. Similar botnets have been used by hackers to take down high-profile websites and services, and there is nothing stopping them from snagging your Facebook password and allowing the hacker to send messages to your friends, maybe even telling them you are trapped in a foreign land in need of a quick fix from Western Union to get you out of a jam. The cascading effects of these bots make them a desirable yet very simple tool for hackers. It doesn’t take long to realize why we see these SSIDs so often at airports and other mass transit centers.

Almost everyone who travels brings a laptop to keep up productivity and help pass the time while on the road. Since almost everyone loitering at these locations will soon be on their way to a distant geographic location, the malware can spread worldwide without even using the World Wide Web, which reduces the chances of the perpetrators being caught through an Internet service provider (ISP) or of the bot being contained. To better understand what is happening, think of it as a virus that jumps directly from machine to machine and thrives without ever being transmitted over the Web. You may think your data is secured because you encrypt its transmission, or even the data as it resides on the hard drive, but a botnet that operates in this way can just as easily read your keystrokes and provide a hacker with everything from bank account numbers to usernames and passwords, along with any other personally identifying information that you type into the keyboard.

After I gave these two doctors the lowdown on why they should avoid these types of networks, I again started wondering … Why isn’t there any sort of public awareness of these types of cyber-crimes? These two gentlemen appeared genuinely shocked that each of those occurrences of “free public WI-FI” could have been nothing more than a laptop infected by malware, unwittingly attempting to create ad hoc connections with other users. How would they know about the basic information security faux pas that I have come to consider simple common sense? Whose responsibility is it to make the general public aware of these types of threats?

Much of the work I have done in the past few years has related to protecting transit riders from crime through the implementation of physical systems and traditional operational strategies and tactics. Until recently, the major concerns at these types of facilities have consisted mainly of screening passengers, detecting possible suspicious behavior or devices, monitoring controlled points and providing an “eye in the sky” for investigators to use in real time as well as forensically, in order to deter and investigate crimes of a physical nature such as theft, violence or indecent behavior.

Many riders are consciously aware of the physical risks associated with travel; transportation centers provide a hub for nefarious individuals to discreetly monitor and select their potential victims. Transportation infrastructure and operational centers are well known as popular choices for terrorist targets, as they provide a way for people to be attacked in a concentrated group while instilling fear among those who rely on mass transit. The same attributes that make these facilities attractive to conventional or kinetic criminals also make them attractive to cyber-criminals, especially considering the consistent connectivity of the average traveller.

The systems that these organizations have been focusing on, the ones the U.S. government has given them grants to implement, were designed to detect crime that is visible and tangible, not the crimes that can occur over a data stream or via the theft of digitized personal data. This focus on detecting physical security breaches and crime directly related to drugs, terrorism, violence and sex has left significant gaps in the operational involvement of the typical security and IT department in securing the average rider’s data. There are a few important questions that should be asked of those who manage security at these highly susceptible organizations:

  • Should the transit organizations be responsible for developing programs to protect riders from information security threats while in the transit system?
  • What is the difference between a rider and passenger who has had their data stolen or their purse stolen? There are clear controls and processes in place to warn people about physical crime. They are warned to protect and guard their valuables, and police officers are on duty to respond to thefts that occur at transit centers, airports, park-and-rides, etc … Where are the signs warning users not to fall prey to cybercrime? Considering most victims of cybercrime do not realize they have been victimized for a considerable amount of time, who will be responsible for cyber-enforcement at these known hubs for cybercrime?
  • Are these mass transit organizations even aware of these threats? Are they being ignored because of ignorance or a lack of funds to support such a program?
  • It is clear that many transit organizations are focused on dissuading terrorism. Considering that a huge portion of the funding terrorists use for their operations, along with the illegal documents they use to move in and around the United States, is obtained through identity theft, is there not an obligation on the part of these transit organizations and the U.S. government to mitigate this illegal activity at transit centers?

Those questions still need answering, but I believe there is a pretty simple answer to the question of what can be done about it, requiring little in the way of technology or spending. Security awareness programs at airports and transit centers are already prevalent in signage, PA announcements, handouts, instructions by TSA employees, etc. … There is no reason (other than a lack of awareness) that similar, if not exactly the same, media could not be used to provide the travelling public with basic tips on how not to be a victim of identity theft or other cyber-crime while travelling:

  • Informational bulletins describing typical ruses, including the “Free Public WI-FI” threat
  • Placards that display exactly which WI-FI networks are in use throughout the facility
  • Email blurbs that could be included within emails confirming travel reservations
  • Warnings that could be easily printed on the back of ticket stubs or boarding passes

If you are concerned that you have fallen prey to the “Free Public WI-FI” ruse, or to other similar malicious bots that use ad hoc networks to propagate, it is relatively easy to change the advanced settings in your wireless manager so that it automatically refuses all ad hoc connections. Another sensible practice is to use the mechanical WI-FI on/off switch to disable your WI-FI adapter when you are not using it, and to regularly purge your preferred network list. There is no reason to have anything on that list other than the networks you regularly connect to at home, at work or at another trusted connection point.
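As an added example (not part of the original article), the PowerShell script below carries out the two housekeeping steps just described on a Windows laptop: it deletes every saved wireless profile that is not on a short trusted allowlist, and it adds a filter that refuses all ad hoc networks regardless of SSID. The allowlist names are placeholders to replace with your own networks; the netsh wlan commands are the standard ones on Windows 7 and later, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example: prune the saved wireless profile list down to trusted
# networks and block every ad hoc network. Run as Administrator.

# Placeholder allowlist (constructed for illustration): replace with the
# home, work or other trusted networks you actually use.
$Trusted = @('HomeNet-PLACEHOLDER', 'CorpWiFi-PLACEHOLDER')

# "netsh wlan show profiles" prints one line per saved network, e.g.
#     All User Profile     : Free Public WI-FI
# Pull the profile name out of each such line.
$Profiles = netsh wlan show profiles | ForEach-Object {
    if ($_ -match 'Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}

foreach ($Name in $Profiles) {
    if ($Trusted -contains $Name) {
        Write-Host "keeping  $Name"
    } else {
        # Removing the profile withdraws the standing permission to
        # connect to that SSID that was granted when it was first clicked.
        Write-Host "deleting $Name"
        netsh wlan delete profile name="$Name" | Out-Null
    }
}

# Refuse all ad hoc networks, whatever their SSID, so a stray
# "Free Public WI-FI" broadcast cannot be joined by accident.
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# Show the result so it can be checked before travelling.
netsh wlan show profiles
netsh wlan show filters
```

Re-run the script after each trip, since the profile list silently grows with every network that is clicked on along the way.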

For more details on changing your wireless settings you can check out this very detailed article on TechRepublic:

Stay safe, and well-connected in your travels.

Bradford Baker CPP, PSP is a security project manager at TRC, a national engineering consulting and construction management firm serving the energy, environmental and infrastructure markets.