Poking Holes in Public HotSpots

Wireless Internet access is becoming more ubiquitous in large cities and especially at trade shows. While this is as much a license to goof off during a keynote as it is to work, you’ve probably assumed you’re surfing on a secure wireless network, right?

Think again.

While in London for the InfoSecurity security conference recently, Kaspersky Labs senior virus analyst Alexander Gostev decided to probe the wireless public networks around the conference hall and in greater London.

What he found was the equivalent of a dentist with bad teeth. Almost two-thirds, 62 percent, of the 200 wireless access points at the conference were operating without security — and most of them were access points in the booths of vendors selling security products.

It got a little better outside of the conference hall. Around Canary Wharf, only 40 percent of the 250 public WiFi networks were operating without any encryption. Around the rest of London, Gostev found 49 percent of the public wireless access sites had no encryption whatsoever.

“It’s obvious from the stats in this report people are not taking advantage of the security in these products,” said Shane Coursen, senior technical consultant for Kaspersky’s U.S. office. “The end lesson is: People putting up these access points need to be aware of the security built into these things and take advantage of the security in every way, shape and form; and they are not.”

Part of the issue comes from a lackadaisical attitude by show vendors, of all people, who may think, well, it’s just a show, why secure it? But Coursen said they should be showing off their security by securing their own booth to start.

The laptops and systems behind the access points are as secure as the owner makes them, he added. If they connect through a fully unsecured access point and they’re talking directly with corporate servers with no VPN connection, then the traffic they transmit is going to be able to be intercepted, plain and simple.

That could mean someone gaining access to a user’s laptop. Something similar happened to a Kaspersky researcher who was using a hotel’s wireless access, and his Macintosh was hijacked by someone who used the unsecured hotel wireless network, said Coursen.

Brandon Hoff, chief marketing officer for network encryption vendor CipherOptics, said his firm took down the heavy security on its wireless network because visitors to the company’s office couldn’t access the network. Then one day a network engineer for the company noticed a lot of people sitting in their parking lot using a laptop, leeching off a free Internet pipe.

“There are two big problems from customers with wireless; a proliferation of technologies, and where do you encrypt,” said Hoff. “We’ve been through every letter in the alphabet with 802.11 networking and it’s hard to be consistent as to which is secure and which is not and have policy between them.”

As internetnews.com has reported, studies commissioned by security vendor Symantec show that almost 50 percent of consumers with home wireless access points are not using encryption to protect their networks.

As for decryption, where it’s done raises concerns of security because some spots, such as the access points, aren’t the most secure location in the first place, said Hoff.

People concerned with securing their laptop on a public network shouldn’t count on the hotel, conference hall or coffee shop to do it, said Coursen. They should use the latest technologies, like 802.11i or WPA2, which offer Advanced Encryption Standard (AES) block security. His advice: Configure your wireless equipment and check your default settings.
