[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Wireless LAN scan finds big security holes in NYC retailers wireless nets
By John Cox
There's bad news for some retailers at this weeks National Retail
Federation trade show in New York City, where WLAN security company
AirDefense disclosed the findings of its four-day scan of local
retailers wireless nets.
Security for retail wireless nets is still bad, though improving,
AirDefense found after scanning nearly 800 stores in the five NYC
boroughs between Thursday, Jan. 10 and Sunday, Jan. 13.
About one third of the stores had no security at all, not even the
minimal encryption provided by the flawed Wired Equivalent Privacy (WEP)
protocol. Another third had weak encryption, such as WEP or the
pre-shared key mode of the Wi-Fi Protected Access (WPA PSK)
specification, which was originally intended as basic security for home
or SOHO WLANs.
The final third showed a quantum improvement, according to AirDefense
Chief Security Officer Richard Rushing: the more advanced WPA2
specification, with 802.1X authentication brought down to every device,
including handhelds, on the WLAN, and AES encryption, the strongest
commercially available today. These are the first retail stores weve
seen with bulletproof [wireless] security, Rushing says.
Rushing has surveyed large retailers in sections of Manhattan in the
past. The new scan was focused on smaller stores, 771 in all, in malls
and shopping centers throughout the five boroughs. Rushing walked around
with his notebook PC running the AirDefense monitoring and analysis
software, simply observing the WLAN traffic in each store. No attempt
was made to connect to any of the nets or launch penetration attacks.
In many of the sites, where the only network may be a DSL broadband
router, Rushing also frequently found unprotected rogue access points
deployed. He speculates that many of them are brought into stores so
employees can run applications, make VoIP calls or get Internet access
when not dealing with customers. But apparently, these unprotected
devices are unknown to the store owners or managers, creating gaping net
security holes. (Learn more about WLAN security in our Wireless LAN
Security Buyers Guide. )
Another noticeable problem with the first two groups was that radio
signals -- and thus access to the unprotected access points and
unencrypted traffic -- spilled well beyond the walls of the store.
Attackers could set up shop outside, snoop on the WLAN traffic, and
collect MAC addresses and other data that could be used to hack deeper
into the stores net, servers and data.
Based on the survey findings, many of these stores that take credit
cards may not measure up to the PCI Data Security Standard, mandated by
payment card companies.
Rushing is sympathetic, up to a point, to the special issues that hamper
retail wireless security. Few retailers can afford to scrap legacy nets
and devices and replace them wholesale. In addition, older wireless
barcode scanners and other handhelds often lack the memory or processing
power to support any security other than WEP, for example. These devices
would have to be replaced with new ones that can.
In addition, stores may need to add much more complex security
frameworks, such as Public Key Infrastructure, RADIUS servers and the
Finally, point-of-sale devices such as cash registers are still clearly
visible on these weakly defended retail nets, according to Rushing. This
tells me that segmenting these devices behind firewalls on secure nets
is not being done, even though PCI mandates this, he says. Or, if it is
being done, its being done ineffectively.
While the survey clearly is intended as a marketing tool for AirDefenses
WLAN security software, the new results are broadly similar to findings
of a 2007 survey of 3,000 stores in eight U.S. and European cities, also
done by AirDefense.
Weak WLAN security was the entry point for hackers in the TJX Corp. data
theft, in which nearly 46 million credit card numbers were stolen.
All contents copyright 1995-2008 Network World, Inc.
Subscribe to InfoSec News