According to the “2008 New York City Retail Wireless Security Survey” published by AirDefense last week, retail Wi-Fi devices remain vulnerable despite measures mandated by the Payment Card Industry (PCI) Data Security Standard (DSS).
“We are not seeing retailers spending time and money, commensurate with risk,” said Dr. Amit Sinha, Vice President and Chief Technology Officer. “Even those with some form of physical security are not yet devoting the same attention to wireless.”
Taking stock
In preparation for the 97th National Retail Federation Convention on January 13th, AirDefense surveyed nearly 800 retail locations throughout Manhattan, Brooklyn, Bronx, Queens, and Staten Island. Results were consistent with a nationwide survey of over 3,000 stores conducted last fall.
“In both surveys, half of the networks found were not strongly encrypted,” said Sinha.
Just 32 percent of the 1300+ APs discovered in New York used PCI-recommended WPA or WPA2. Roughly 29 percent used the notoriously weak WEP, while 39 percent were open at layer two. However, AirDefense did not try to measure higher-layer encryption. PCI DSS requires retailers that use WEP to apply a “compensating control” like VPN or SSL/TLS.
“VPNs can mitigate some risks, but without layer two security, those networks are open to other attacks,” said Sinha. “Spanning tree attacks can completely cripple your network. And I know retailers who use VLANs to isolate wireless, but double tagging and VLAN hopping can still get you onto the wired network from the wireless side.”
Advertising mistakes
This survey also found an alarming number of weak AP and switch configurations. For example, 23 percent were seen leaking wired network protocols onto wireless.
“Protocols used by internal LANs, like ARP and NetBIOS and spanning tree, get filtered out by routers inside pure wired networks. But, that changes completely with wireless,” explained Sinha. Some APs encrypt unicast traffic, but send broadcast and multicast messages as cleartext. Advertising a network’s topology to the world this way is asking for trouble.
“Many retailers also continue to use brand names and store names in SSIDs, inviting targeted attacks,” said Sinha. One third of the APs found by this survey advertised a Service Set Identifier (SSID) containing the retailer’s name. Others used factory default SSIDs, effectively rolling out a welcome mat for would-be attackers.
Creating targets
Finally, the New York survey discovered 887 wireless clients, including laptops, handhelds, printers, phones, and barcode scanners. AirDefense estimates that 81 percent of those devices could have been compromised.
To rate each device, AirDefense analyzed Wi-Fi capabilities, operating system, patch level, browser version, and configuration.
“POS devices are very easy to compromise by making them connect to you when there’s no bi-directional authentication,” said Sinha. “In many cases, you can figure out shared keys used by devices running WEP or even WPA. We also considered each device’s vulnerability to published fuzzing attacks.”
Bottom line
According to Mike Potts, AirDefense President and CEO, these surveys show a striking imbalance between wireless security and physical security best practices at mainstream retail stores.
“Retailers today are adept at preventing or minimizing shoplifting by using a layered security approach, but the same can’t be said for wireless security.”
While initiatives like PCI DSS can provide financial impetus, there is clearly still plenty of room for improvement.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.
