Security Lax with Wireless Routers
Are companies’ current wireless router security practices sufficient? Security policies are too often manually applied, and it shows.
All wireless routers ship with multiple security capabilities, but are they widely used?
To sample current wireless router security practices, Alexander Gostev, a senior virus analyst at Kaspersky Lab, conducted an extensive audit of wireless access points at the recent CeBIT 2006 conference in Hannover, Germany.
His reasoning: “Trade fairs don’t only attract users, [but also] software and hardware manufacturers. Hackers are also attracted by the opportunity to break into the networks of companies taking part in such fairs,” he says.
Gostev’s right: many companies participating in trade fairs not only set up their own local networks, but also connect them directly into their corporate network. Thus, the security settings of their wireless routers are critical. Even so, he notes that “these local networks usually have low security settings, and are set up quickly. These factors increase the risk of hacker attacks. Naturally, one of the main ways of attacking such networks is via WiFi.”
Trade fairs can be potent testing grounds for new attacks. For example, Gostev notes, at the 2005 InfoSecurity conference in London “a group of scammers installed several fake access points, which provided a fake interface to connect to the public network.” When attendees connected and used the Internet connectivity, attackers saved a copy of all relayed information for themselves.
Testing Access Point Security
While no such high-profile attack debuted at the most recent CeBIT, Gostev did study the nearly 300 access points he found within range of the conference (without attempting to connect to the networks or intercept traffic, he says). Equipment from 18 different manufacturers was in use. The most frequently seen manufacturers (in order) were Symbol, Intel, Linksys, D-Link, Netgear, Cisco, and Agere. Still, 66 percent of the equipment was of unknown, or possibly faked, provenance.
Bespeaking regional differences, the devices in use differed significantly from those in Gostev’s previous surveys of access points in both China and Moscow. “In China, the most commonly used equipment was manufactured by Agere and Cisco (Linksys), while in Moscow, Cisco and D-Link were the most common manufacturers.”
At the German conference, how frequently did access points use encrypted communications? First, it helps to have a baseline, cautions Gostev. In particular, “war-driving research in towns around the world shows that the number of WiFi networks which do not use any type of data encryption is approximately 70 percent.”
At the conference, however, only about half of all networks employed encryption, creating an “unacceptably high” level of risk, according to Gostev. That’s because wireless networking used without encryption leaves packets open to easy sniffing. Furthermore, there’s the risk of someone accessing more than just the local conference network. “It should again be stressed that these points provide access to the local networks of companies participating in CeBIT—a prime target for hackers.”
Gostev also counted the number of wireless routers using the factory default service set identifier (SSID)—the router’s broadcast name—since that has security implications. “As a rule, this signifies that the administrator of the access point has not changed the router’s name. It may also indicate that the administrative account uses the default password, [and] both factors … make networks potentially vulnerable to attack.” Interestingly, only 2 out of the almost 300 access points employed default SSIDs. Here, at least, administrators did take basic security precautions.
Security Settings a Manual Exercise
One explanation for the poor security practices Gostev found: many companies update all of their network-related security settings manually, if they even manage them at all.
That insight comes from St. Bernard Software, which recently surveyed 233 IT security professionals and found 52 percent still update security settings manually. Worse, one quarter of respondents don’t manage their security settings, and half of all respondents say they don’t have any security policies relating to settings.
How are IT staff supposed to lock down such equipment as wireless routers without relevant security policies? St. Bernard recommends organizations deploy automated tools to audit and update security settings—not just for wireless routers but for all security devices.
“Knowing that 25 percent of IT security experts have not specifically addressed security settings management is a great concern. Hackers and virus writers are becoming more sophisticated by the day, and companies must stay on top of security settings, or they are leaving their network wide open for attack,” says Steve Yin, vice president of sales and marketing at St. Bernard. Furthermore, “although half of the respondents are, in fact, performing this critical function, they’re doing so manually, which may not be the most efficient or effective process.”
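The automated settings audit recommended above can be sketched as follows. This is an added example, not code from the article or from any vendor it names: it checks an organization's own access-point inventory for the two conditions Gostev counted, missing encryption and factory-default SSIDs. The CSV layout, the sample rows, and the short default-SSID list are assumptions made for illustration.

```python
import csv
import io

# Small illustrative set of factory-default SSIDs (assumption, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

# Constructed inventory of an organization's own access points.
# BSSIDs use the 00:00:5E:00:53:xx range reserved for documentation.
SAMPLE_INVENTORY = """ssid,bssid,encryption
booth-a17,00:00:5E:00:53:01,WPA
linksys,00:00:5E:00:53:02,none
Expo-Demo,00:00:5E:00:53:03,
NETGEAR,00:00:5E:00:53:04,WPA
press-room,00:00:5E:00:53:05,WPA
"""


def audit_access_points(csv_text):
    """Return (findings, summary) for an access-point inventory in CSV form."""
    findings = []
    total = unencrypted = default_ssid = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        ssid = (row.get("ssid") or "").strip()
        enc = (row.get("encryption") or "").strip().lower()
        issues = []
        # A blank field is treated as unencrypted until someone records otherwise.
        if enc in ("", "none", "open"):
            unencrypted += 1
            issues.append("no encryption")
        # A factory-default name suggests the device was never configured.
        if ssid.lower() in DEFAULT_SSIDS:
            default_ssid += 1
            issues.append("default SSID")
        if issues:
            findings.append((row.get("bssid", ""), ssid, issues))
    summary = {
        "total": total,
        "unencrypted": unencrypted,
        "default_ssid": default_ssid,
        "unencrypted_pct": round(100 * unencrypted / total, 1) if total else 0.0,
    }
    return findings, summary


if __name__ == "__main__":
    findings, summary = audit_access_points(SAMPLE_INVENTORY)
    print(summary)
    for bssid, ssid, issues in findings:
        print(f"{bssid}  {ssid!r}: {', '.join(issues)}")
```

Run on a schedule against an exported inventory, a check like this replaces the manual review the survey respondents describe.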
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.