Wireless connectivity is so ubiquitous that one can hardly imagine life without it. Almost all businesses and home users have at least one router or access point deployed on the premises. WiFi technology helps you move faster and connect easily to the web, without cables, patch cords or other physical media. The bad side is that it can allow hackers to do the same.
WiFi security is a critical aspect that often remains overlooked. As most of the wireless routers work out of the box to facilitate installation for non-technical buyers, some wireless routers and access points deployed in both businesses and home offices are poorly secured or have no security measures in place.
This case study presents an overview of wireless setups identified between November 22 2010 and October 3 2011. The study covers 2,133 wireless networks of both consumer and corporate customers.
The state of wireless networks
The test revealed that, out of 2133 networks, 61 percent of networks are safely protected with either WPA or WPA2 encryption algorithm. This means the information flowing between the client and the router or access point is shielded from prying eyes.
At the same time, 19 percent of the analyzed networks were discovered to use an obsolete encryption algorithm (WEP) that has been discontinued on security grounds, but is preserved on modern devices to ensure compatibility with older devices. Wireless devices with default credentials account for 11 percent of the analyzed networks and only 6 percent of networks have no security measures in place. Finally, only 3 percent of the analyzed networks were masking their SSID in order to stay unlisted in the available wireless networks in the wireless card manager.
Business Wireless Networks
When hunting for wireless connections, business parks are attackers’ first choice. Not only that businesses use professional wireless hardware that can cover larger areas with Wi-Fi signal, but exploiting a corporate breach would allow the attacker to lay their hands on marketable intelligence, such as source code, customer lists or other types of proprietary information.
Of the analyzed business networks (networks that explicitly state the company name in the SSID), 62 percent were configured to use WPA/WPA2 encryption, while 15 percent were still using the depreciated WEP. In all, 22 percent of the investigated networks were not using any encryption mechanism.
By using unsecured or poorly secured networks, businesses risk letting intruders tap into their private networks and access shared resources such as file servers or employees’ shared folders. These resources might contain sensitive information or might allow an attacker to drop an infected file with an eye-catching name on a public share and wait for somebody to stumble upon it and execute it. It is an extremely dangerous scenario, as the attacker is located behind the company’s firewall, thus avoiding most of the restrictions.
We understand that access to the Internet via Wi-Fi is extremely important for employees (for instance, when attending meetings in the board room, or when discussing with customers in the lobby). This is why companies should consider deploying a secondary, consumer-level connection to power the Wi-Fi connections, ensuring that any attack that breaches the Wi-Fi security will not reach the corporate network.
Wi-Fi in Bars, Pubs and Restaurants
As expected, most public Wi-Fi networks readily available for customers in bars, pubs and restaurants are completely unsecured in order to facilitate connectivity. However, running an unsecured network with no authentication increases the chances of an attacker (such as another customer that is also connected to the same network) to “sniff” traffic or to steal users’ cookies using a freeware tool such as the controversial Firesheep.
Only 12 percent of Wi-Fi networks we analyzed during the summer were protected with an encryption key printed on either the menu or the check. This dramatically reduces the risk of another user intercepting the data exchanged between the user and the router.
The Fake Sense of Security
As the study reveals, 19 percent of home users choose WEP as their favorite encryption technology for their wireless setups. Although, technically speaking, the network appears to be protected against intrusions, WEP encryption can be cracked in less than one minute using free tools readily-available on the Internet.
More than that, if the router’s default credentials haven’t been changed upon the initial configuration, it is extremely easy for an attacker to find out the administrator’s password, and then grant itself permanent access into the network. Many websites compile lists of default usernames and passwords for virtually any known brand.
If you want to learn more about how to protect wireless networks at home or at the office, please see the Securing Wireless Networks e-guide available for download on the Bitdefender website.
No private information or other content arising or deriving from this inquiry has been collected. No data or confidential information pertaining to individuals or companies was or will be disclosed, used for any other purposes or against the persons who revealed it.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners