More Wireless, Not Enough Security
June 15, 2007
Wardriven surveys by RSA in three major cities show the number of business APs is way up, but use of encryption is not keeping pace.
Since 2002, RSA, the security division of EMC, has been doing regular surveys of wireless networks found in big cities: essentially, wardriving the same streets, time after time, using everything from cars to buses to horse-drawn carriages to see what changes. For 2007, they found that deployment of Wi-Fi was up and so was security, but security is not keeping up with the deployment.
"We drive the same route in New York, London and Paris," says Toffer Winslow, vice president of product management and product marketing for RSA, talking about the three cities surveyed. "We record the total number of access points we see. We can determine things like the encryption tech they're using, if defaults have changed, that kind of thing, all using commonly available, free applications and tools." The consistency of the route makes it easy to extrapolate the data.
For example, the number of access points on the three routes was up 44% in Paris, 49% in New York, and a major jump for London of 160%. RSA's unnamed independent contractor, who conducts the surveys, also narrows down just how many of the APs are for business networks, and found that the growth there for London was 180%. RSA provides details on each city on their site.
Still, that's a lot better than in 2004, when RSA found only two thirds of APs in London and Paris were using any encryption at all.
"The good news is, relative security is improving," says Winslow. "The number of networks unsecured is down. But there's probably more unsecured targets out there on an absolute basis."
Security purists know, of course, that WEP doesn't cut it at all. However, WPA/802.11i use was less than half in all three cities, at 48% in London and 49% in New York, and even lower in Paris (41%).
"The thing that boggles my mind is in 2007, one quarter to one fifth of businesses have no encryption at all," says Winslow. "That's a little frightening."
He's not just talking encryption. The growth in APs in London also brought with it a growth in the number of APs (30%, up from 22% last year) still with their default settings turned on, such as the factory-set passwords, SSID broadcasting, and the like. New York and Paris had a small reduction in that number, however.
More Wi-Fi out there means more network admins who've never installed it before. "A lot of unsophisticated users make themselves vulnerable," says Winslow, who fears that the lack of security can undermine user confidence.
"There's a lagging education curve," is Winslow's only explanation. "Once it's working from a technology perspective, how do you make it secure? We hope in the future to see a massive growth in properly secured APs."
Hotspots found in the survey were also up along the wardriven routes. They found 461 in London, a 27% increase. New York's hotspots grew 17%, accounting for 15% of all the networks found. RSA thinks the growth in the number of hotspots, many close to unsecured business networks, adds a new and disturbing dimension to the wireless security problem, as mobile users, used to getting their access, try to get online with whatever open network they encounter. If you have a WLAN today, it is likely to be found and used, according to RSA's reports.