How PIT Stays Ahead of Cyberthreats and What Travelers Can Do

Wi-fi and charging ports are no longer considered amenities at the airport — they are now necessities. Phones, tablets and computers not only keep travelers entertained with movies and games while waiting for flights but also provide access to boarding passes and allow us to stay in touch with loved ones and colleagues.

Many travelers connect to the internet as soon as they arrive at an airport without a second thought. However, a wave of recent warnings about public wi-fi and USB charging infrastructure has left some travelers wondering whether it is safe to connect personal devices to internet hotspots at the airport and other public places.

While these activities do carry some risks, travelers can take a few concrete actions to protect their data and browsing history when connecting to public wi-fi while traveling. Meanwhile, Pittsburgh International Airport (PIT) is working behind the scenes to protect its networks and systems against data breaches and cyberattacks.

Here’s what you need to know about keeping data and personal information safe when connecting and charging personal devices at the airport.

How safe are public wi-fi networks?

Even though wi-fi has been ubiquitous at most major airports for years, there’s still debate about how far travelers should go to protect themselves when connecting to these public networks.

For example, many of us have heard warnings that public wi-fi is inherently unsafe for tasks that transmit personal information, such as looking up a bank balance. But some experts say the reality is more nuanced.

Swarun Kumar, a professor at Carnegie Mellon University’s Electrical and Computer Engineering department, explained that most modern websites now use the encrypted HTTPS protocol as a standard practice to garble the information sent between your browser and a website’s server. This makes it harder for hackers to glean meaningful information while personal data is in transit.

“These days, pretty much every website out there is HTTPS, which means pretty much all data that you’re downloading from most common websites are encrypted,” Kumar said.

Even though encryption is widespread, public wi-fi is not risk-free. The basic domain name of websites you visit can be visible to your internet service provider or potential attackers. Travelers who are especially concerned about their privacy online may prefer to use a virtual private network (VPN).

While website encryption makes it difficult for attackers to steal personal information on a legitimate wi-fi network, using a VPN can add another layer of security and privacy.

“I advise people to use VPN, or if you’re doing banking or something, use your cellular network for that,” said Deepak Nayyar, PIT’s executive vice president and chief information officer. “Don’t use any public wi-fi for doing your banking, or anything important. Because that means you’re somehow, somewhere, sharing some of the information with somebody.”

Traveler Tip: While most modern websites have adequate encryption to keep malicious actors from accessing your personal data, using a trustworthy VPN or your cellular network adds another layer of privacy when using public wi-fi.

The threat of ‘evil twin’ wi-fi networks

While the rise of encryption on websites has lessened the risk of using legitimate public wi-fi networks to some extent, security experts have raised the alarm about another issue: so-called “evil twin” networks posing as legitimate wi-fi hotspots by using similar names. These malicious networks can collect sensitive information or install malware on unsuspecting travelers’ devices.

One of the most high-profile cases of an “evil twin” attack was in Australia last year, when authorities charged an individual with setting up fake wi-fi pages at several airports in the country to steal users’ personal information.

For example, a network might be called Airport-Public, whereas an “evil twin” may have the name of “Airport-Public-2.” While these similar-sounding hotspots could be legitimate in some cases, it’s best to exercise caution before connecting.

Fake wi-fi networks may inflict more damage than other attacks you may encounter when using a legitimate public connection.

“These are the kind of simpler, low-hanging fruit, easy-to-launch attacks that are more dangerous,” Kumar said.

To help protect travelers, PIT is working behind the scenes to continually identify and disconnect any unknown hotspots that appear to be using a similar name as the official wi-fi network called “Flypittsburgh.”

The airport’s IT team regularly scans for potentially malicious networks several times an hour, Nayyar said, adding that the airport is also working to help passengers maintain their cellular connectivity.

To avoid these fake networks, double-check the network name and avoid any unknown hotspots that promise free internet access. Do not connect to a network if you see any spelling errors or pop-ups requesting personal information, such as passwords.

“If something looks suspicious, just stop and don’t use that network,” CMU’s Kumar said. The same goes for any website, pop-up, or e-mail that seems out of place, no matter whether you’re on a public or private network. Plus, never ignore warnings in your browser about suspicious or unsecured websites.

Traveler Tip: PIT’s official wi-fi network is called “Flypittsburgh.” Avoid using unknown networks promising free internet. When in doubt, stick to using your cellular network, which Kumar notes is harder to spoof.

Should you charge devices at an airport?

The new PIT features power outlets at more seats to make charging devices easier while on the go.

Power outlets are the sensible choice because the U.S. Transportation Security Administration (TSA) has warned against another potential cyber threat in public places that targets charging infrastructure: “juice jacking.” That is an attack that involves configuring a USB charging port or cables to install malware or steal personal information from devices.

“Juice jacking” is not a new concept, but warnings in recent months appear to have renewed interest in the issue. However, no data is publicly available to suggest that it is a widespread threat — at least for now.

“Although ‘juice jacking’ has been demonstrated to be technically possible as a proof of concept, the FCC is not aware of any confirmed instances of it occurring,” the U.S. Federal Communications Commission (FCC) said in an April 2023 post on its website.

Still, travelers should exercise caution when plugging in any unknown cables to their phones and always decline the option to allow data transfers on their devices. The Federal Bureau of Investigation (FBI)’s Denver office, for example, has advised travelers to carry their own chargers and cords and use electrical power outlets instead of USBs.

PIT’s IT team is aware of potential threats such as “juice jacking,” Nayyar said, underscoring that the airport regularly conducts routine inspections of US charging stations for tampering and is constantly assessing ways to keep its systems safe. In addition to signs warning of juice jacking risks, PIT plans to replace USB-only charging stations with AC power outlets and work with cybersecurity-vetted vendors to install tamper-proof charging stations.

Traveler Tip: If you need to charge your device using a public USB port, decline any permissions that would allow it to access data from your phone. Consider powering your phone with a portable power bank or plugging your own charger directly into a wall outlet. Data-blocking cables can also prevent unknown USB ports from accessing your device during charging.

How PIT makes cybersecurity a priority

While travelers can take precautions to prevent cyberattacks, airports must also stay ahead of any threats that could compromise passengers’ personal data or operational information.

PIT is taking cybersecurity seriously as it brings several new technologies online. These improvements aim to make it easier for passengers to park, find airport amenities, and spend less time waiting for their bags to arrive.

Nayyar said the airport’s IT team has taken two main actions to mitigate the risks of situations such as cyberattacks and power failures. First, the network is built on a highly resilient architecture to minimize downtime. Secondly, the airport has segmented its network. This involves separating systems so that if one technology has an issue, the others can continue functioning. The airport also works with a vendor to monitor its systems 24/7.

Furthermore, PIT is now providing an option to the concessionaires and partners operating in the terminal. Each business used to rely on its own internet provider, but now PIT is streamlining equipment and services to ensure all networks are protected and working properly.

While airports can’t remove all the risks for travelers, taking sensible precautions can make your cyber journey safer.