Top Wireless Worry: Security
Bluetooth security creeping onto America's radar
To get at the root of what enterprises really think of wireless technology and barriers to its adoption, analyst firm Frost & Sullivan (San Jose, Calif.) surveyed over 100 IT directors, operations managers, and buyers from eight European countries. The survey covered wireless local area networks (LANs), Bluetooth, and wireless data services in the enterprise, including SMS, GPRS, and WAP. The one overriding concern with wireless technology: security.
"Security tends to come out as being the highest profile issue for network and IT managers that we contacted for this survey," says Frost industry analyst Michael Wall. "It’s interesting that no matter whether it's Europe or one European country or North America, it’s always the same number-one issue." That finding squares with research Frost conducted about 18 months ago in which security also came in as the top IT manager concern with wireless LANs.
This time around, when asked to fill in a blank box with their single biggest wireless LAN disappointment, 39 percent wrote about security problems. The next highest response, at about 20 percent, was bandwidth. Of the security responses, the biggest issue for almost 40 percent was improving wireless LAN security.
They have reason to worry. When researchers from RSA Security Inc. in Bedford, Mass., drove through downtown London recently and found 328 wireless access points, nearly two-thirds didn’t have Wired Equivalent Protection (WEP) turned on. WEP is crucial for securing 802.11b networks, though, of course, a patient attacker can break it. Of those 328 access points, 208 had the default installation configuration, and 100 were broadcasting which corporate network they were attached to.
Yet security concerns don’t seem to have hampered 802.11b adoption, since 42 percent of the Frost respondents say they’ve deployed wireless LAN technology and another 15 percent plan to. The majority of companies using wireless LANs—about 75 percent—are using it only in a private network, just for their own employees.
One clue about the relatively high level of wireless LANs in the enterprise might be that when they’re unwired, people can really get more done. In fact, wireless is good for improving productivity, say 64 percent of respondents; 7 percent say wireless only slightly improves productivity, and 29 percent say it doesn’t improve productivity at all.
For cash-strapped IT departments, any play to boost the bottom line is welcome. Of course, productivity improvements could help a little or a lot. A recent Gartner Group study helps clarify that point. It found that enabling mobility inside the corporate walls with wireless networking could boost productivity as much as 30 percent.
Wireless, 802.11b technology, however, isn’t the only thing at play in European enterprises, says Wall. Currently, 9 percent say they use Bluetooth and 22 percent plan to. Bluetooth is “probably getting more visibility in Europe and Asia at the moment. There are cell phone shops all over the place here” that market Bluetooth devices, he says, speaking from London. “They sell PDAs with Bluetooth [and] they sell wireless Bluetooth handsets to go with the phones.” It’s only a matter of time, he predicts, before it’s the same way in America.
One delay to American adoption has been that “there's a much greater perception that Bluetooth was a wireless networking technology” in the United States than elsewhere. Wall says that perception was prevalent “because the U.S. leads the world in terms of wireless LAN,” and Bluetooth was seen as a competitor, when in reality it’s more of a complementary technology.
Take one of the few Bluetooth devices on the market in this country: a wireless cell phone headset with Bluetooth. In Europe, it’s de rigueur for new mobile phones—which invariably use GSM networks—to have Bluetooth. The majority of cell phones in America use CDMA networks, however, for which there’s no Bluetooth-compatible phone yet. GSM coverage is spotty.
Good news for security managers is that whereas most 802.11b devices ship with security deactivated, many Bluetooth devices ship with it enabled. “What you have with Bluetooth is the potential to actually bond the devices,” says Wall. A user can designate a set of wireless headphones to always work with her mobile phone, and also enable them to work with a friend’s phone, but with a slightly more restricted access policy. “If it's bonded correctly, it's going to take a hell of an effort by a hacker to break into that.”
Of course, given that so many people don’t seem to realize that plugging in an 802.11b wireless access point into the corporate network and not enabling security is a bad thing, getting them to thumb through their Bluetooth headphones’ instruction manual's security section might be a stretch. Too often, notes Wall, “people won’t realize or won’t bother with putting the security in place—there’s always a tradeoff between security and flexibility.”
The upshot of all this is that Bluetooth will creep onto the radar of American IT managers. While Bluetooth security concerns won’t match those with wireless LANs, “as time goes by and more enterprises start to adopt Bluetooth as an enterprise solution, they’ll start to worry about its security.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.