Today the Wall Street Journal reported that the Hartsfield-Jackson Atlanta International Airport shut off Wi-Fi service as a security precaution while an active ransomware attack took place on the city. Early reports are indicating that multiple city official computers have had their files encrypted and held at ransom by an attack known as SamSam. The Atlanta airport had “pulled the plug” on their Wi-Fi service likely to avoid the attack spreading to airport authority computers, airline computers, and possibly customers’ computers.
Although travelers didn’t experience any disruption to their flights, they surely were puzzled to see the Wi-Fi SSID disappear from their phones, tablets, and laptops.
The ransomware
Ransomware is a type of advanced malware attack that encrypts files on a computer system so they cannot be used and demands a ransom to be paid in exchange for the decryption keys to restore the files back to a usable state. Usually the ransomware is hidden or packaged into a legitimate-looking file or e-mail attachment that unsuspecting victims click and open, infecting their machines. A file can come to a user’s computer in many ways such as over Ethernet wires, over cellular data, and of course Wi-Fi.
So what does ransomware have to do with Wi-Fi?
If ransomware infects machines through one or more malicious files, then why did the Atlanta airport shut off Wi-Fi service if people’s laptops, tablets, and phones will simply switch from Wi-Fi to cellular connectivity still exposing them to the malicious files? The answer is that the good network and security people in Atlanta’s airport understand that Wi-Fi is an easy way for attackers to spread malicious files with simple to use and well automated attack tools that perform man-in-the-middle (MiTM) attacks.
Spreading malicious files, possibly ransomware, via man-in-the-middle Wi-Fi attacks
The Atlanta airport understood that If an attacker wanted to spread malicious ransomware to airport authority computers connected the Atlanta airport Wi-Fi, it could be done and so they pulled the plug to avoid the threat altogether. Without going into too much detail, the basics of a Wi-Fi man-in-the-middle attack are simply that a nearby bad actor spoofs the SSID, sometimes even MAC address of a legitimate access point thereby creating an Evil Twin access point. Users’ machines will connect to the Evil Twin not realizing that all the traffic is being eavesdropped by an attacker who can easily spoof splash pages or manipulate the data stream to place malicious files onto victims machines. This video explains an Evil Twin Wi-Fi attack in more detail.
Recommendations
Although being overly cautious during a cyber attack is totally understandable, the world’s busiest airport may have felt comfortable leaving Wi-Fi service in place if the buildings are properly protected with a Wireless Intrusion Prevention System (WIPS) that keeps private airport and airline computers connected to the correct access points, neutralizing any possible man-in-the-middle attack attempt to spread ransomware. For more information on WIPS, see watchguard.com/wifi. Additionally, it’s critically important to implement proper network security and detection & response capabilities within a network to achieve a layered security defense strategy against such advanced cyber attacks as ransomware. More information is available here.