RealTime IT News

More Wireless, Not Enough Security

Since 2002, RSA, the security division of EMC , has been doing regular surveys of wireless networks found in big cities – essentially, wardriving the same streets, time after time, using everything from cars to buses to horse-drawn carriages – to see what changes. For 2007, they found that while deployment of Wi-Fi was up, so was security – but security is not keeping up with the deployment.

“We drive the same route in New York, London and Paris,” says Toffer Winslow, vice president of product management and product marketing for RSA, talking about the three cities surveyed. “We record the total number of access points we see. We can determine things like the encryption tech they’re using, if defaults have changed, that kind of thing,” all using commonly available, free applications and tools. The consistency of the route makes it easy to extrapolate the data.

For example, the number of access points on the three routes was up 44% in Paris, 49% in New York, and a major jump for London of 160%. RSA’s unnamed independent contractor who conducts the surveys also narrows down just how many of the APs are for business networks, and found that the growth there for London was 180%. RSA provides details on each city on their site.

While the number of APs is up, so is the use of encryption on those APs – but not at the same pace. For example, use of either wired equivalent privacy (WEP) or a more advanced encryption like WPA/802.11i in London only went up 6% from 2006 to 2007, to a high of 81% in total. New York and Paris’ increases were less than 2% each (to 76% and 80%, respectively).

Still, that’s a lot better than in 2004, when RSA found only two thirds of APs in London and Paris were using any encryption at all.

“The good news is, relative security is improving,” says Winslow. “The number of networks unsecured is down. But there’s probably more unsecured targets out there on an absolute basis.”

Security purists know, of course, that WEP doesn’t cut it at all. However, WPA/802.11i use was less than half in all three cities, at 48% in London and 49% in New York, and even lower in Paris (41%).

“The thing that boggles my mind is in 2007, one quarter to one fifth of businesses have no encryption at all,” says Winslow. “That’s a little frightening.”

He’s not just talking encryption. The growth in APs in London also brought with it a growth in the number of APs (30%, up from 22% last year) still with their default setting turned on, such as the factory-set passwords, SSID broadcasting, and the like. New York and Paris had a small reduction in that number, however.

More Wi-Fi out there means more network admins who’ve never installed it before. “A lot of unsophisticated users make themselves vulnerable,” says Winslow, who fears that the lack of security “can undermine user confidence.”

“There’s a lagging education curve,” is Winslow’s only explanation. “Once it’s working from a technology perspective, how do you make it secure? We hope in the future to see a massive growth in properly secured APs.”

Hotspots found in the survey were also up along the wardriven routes. They found 461 in London, a 27% increase. New York’s hotspots grew 17%, accounting for 15% of all the networks found. RSA thinks the growth in the number of hotspots, many close to unsecured business networks, adds “a new and disturbing dimension to the wireless security problem,” as mobile users, used to getting their access, try to get online with whatever open network they encounter. “If you have a WLAN today, it is likely to be found and used,” according to RSA’s reports.