Considering how commonly Wi-Fi networks are used, the situation leaves millions of people, companies and their valuable data open to attack.
IT security company Sophos highlighted this worrying state of wireless security in the UK’s capital city at Infosecurity Europe this week. The security firm had sent its global head of security research, James Lyne, and his computer-equipped bicycle onto the streets of London to test how safe homes, businesses and even people on mobile phones are from cybercriminals, as part of its ongoing “World of Warbiking” tour.
Conducted over two days around the streets of London, Lyne’s warbiking exercise revealed that of 81,743 networks surveyed, some 29.5% were using either the known-to-be-broken Wireless Equivalent Privacy (WEP) algorithm, or no security encryption at all. A further 52% of networks were using Wi-Fi Protected Access (WPA) – which is no longer a recommended security algorithm.
“Incredibly, conventional wireless network security is still a major concern, despite the security industry assuming such issues had been resolved years ago”, Lyne told Infosecurity Magazine at Infosecurity Europe. “Many would assume these methods are ‘old hat’ but it is still a very viable attack vector that demonstrates basic security best practice is not being adopted.”
Just as worrying, he said, was many people’s total disregard for basic security. “Our experiment found a disturbingly large number of people willing to connect to an open wireless network we created, without any idea of who owned it or whether it was trustworthy," Lyne said, adding that many even connected to a network called 'do not connect'. “Compounded by the growing number of devices that are permanently identifying themselves via technology like Bluetooth, this kind of behavior is increasingly putting everyone’s valuable data at risk.”
Lyne continued: “This willingness to connect to any wireless network that professes to offer free Wi-Fi, without ensuring you have some kind of security measures in place, is like shouting your personal or company information out of the nearest window and being surprised when someone abuses it. With a few extra command line arguments, it would have been trivial to attack nearly everyone in our study.”
The open wireless network created during the London experiment also offered an insight into what people are connecting to when they are out and about. Social media sites such as Facebook and Twitter were high on the list of most requested pages, along with corporate outlook and news websites. But worryingly, it appears many people are also choosing to access websites and services that could prove even more attractive to cybercriminals, like financial sites.
“Despite the fact that this was an open network, once connected many people seemed happy to access online banking sites, even though they had no idea who was running the access point. Only a tiny minority (2%) actually took responsibility for their own security by using a Virtual Private Network (VPN) or forcing secure web standards.
“Our test was conducted strictly within the confines of the law,” explained Lyne, “but the cybercriminals won't have the same concerns, so our experiment shows why people need to be much more aware of the potential dangers of connecting to open Wi-Fi networks when they are out and about.”
Even within the security industry there are myths and misunderstanding about what the real risks are with wireless. “Many argue that the unencrypted, intentionally open networks (the majority of the 29.5%) are ‘OK’ as they use a captive portal to register users,” Lyne said. “Unfortunately, the standard user doesn’t recognize that major brand XYZ wireless is not encrypted and that their information can be picked up by anyone with £30 piece of equipment available on Amazon.”
Lyne described this year's Infosecurity Europe as an "infosec gets real" show. "We are still talking about the same things we were last year, but this year I'm seeing people actually doing what they've been talking about. Things are becoming real", he told Infosecurity.
Where progress still needs to be made, Lyne said, is around getting back to security basics. "Security issues that we've known about for more than a decade are still a widespread problem that needs resolving. We need to get back to the very basics."