In-Depth

Enterprises Throw Out Wi-Fi Welcome Mat to Attackers, Study Finds

A recent report by AirTight Networks finds financial services firms are all but throwing out a welcome mat to wireless attacker

• By Stephen Swoyer
• 05/26/2009

AirTight -- a provider of WiFi security services -- says it scanned 3,632 access points (APs) and nearly 550 clients in seven different financial centers and found that half of these WAPs were either open (unprotected) or used WEP encryption. The test sites were in New York, Chicago, Boston, Philadelphia, Wilmington (DE), San Francisco, and London.

Lest you dismiss the issue as one of rogue access points or isolated consumer WPAs that were caught up in AirTight’s dragnet, 39 percent of so-called “threat-posing” APs could be classified as “enterprise-grade." In many cases, AirTight reports, enterprise-grade APs that could have been configured to support the more robust WPA or WPA2 protocols were instead protected with WEP. AirTight was also careful to distinguish between known or popular open APs -- such as those associated with hotspots -- and enterprise-grade implementations.

In any given financial district, AirTight reports, 13 percent of mobile WiFi clients are configured to operate in ad hoc mode, which makes them vulnerable to wi-phishing or “honeypotting” attacks, researchers pointed out.

AirTight found that 61 percent of open access points were consumer- or SOHO-grade devices. It doesn’t strictly associate the use of these devices with home or SOHO scenarios, however; in some cases, these devices are deployed by “impatient” or reckless employees who, frustrated by the slowness of in-house WiFi rollouts, plug rogue (typically consumer) APs into enterprise networks to perpetrate “back-door” schemes.

Moreover, AirTight reports, some enterprises seem to assume that simply obfuscating an AP’s SSID is protection enough: 79 of open APs with hidden SSIDs were powered by enterprise-grade devices.

The AirTight report reveals a disappointingly low rate of WPA2 adoption: just 11 percent, on average. Compare that with WEP, which is used by fully one-third of Wi-Fi networks in the surveyed financial districts. This is in spite of the fact, AirTight researchers caution, that WEP cracking can take less than 5 minutes. Moreover, AirTight notes, just under a third (32 percent) of Wi-Fi networks use WPA, which is also known to be vulnerable (see http://esj.com/Articles/2008/11/18/Why-Enterprises-Must-Respond-to-WPA-Crack.aspx).