Tuesday, January 27, 2009

Motorola Publishes Survey on Wireless Network Security

A new survey by Motorola's Enterprise Mobility business finds that 44 percent of the wireless devices used by retailers - such as laptops, mobile computers and barcode scanners - could be compromised. This significantly lower than results from the same retail shopping survey conducted in 2007 which showed security vulnerabilities in 85 percent of wireless devices.

Survey research included a review of wireless data security at more than 4,000 stores in some of the world's busiest shopping cities including Atlanta, Boston, Chicago, London, Los Angeles, New York City, San Francisco, Paris, Seoul and Sydney.

Other interesting survey findings include:

  • Retailers in Los Angeles and New York City were deploying some form of encryption on 77 percent of their wireless APs. Paris retailers ranked second with 76 percent. Retailers in London and Boston ranked the lowest with only 51 percent and 60 percent of APs, respectively, using some form of encryption.

  • 12 percent of all APs monitored were using WiFi Protected Access (WPA) while another 27 percent were using WPA-PSK (pre shared key), which is only as strong as the shared password used to protect them. In total, only 7 percent of retailers were using WPA2, which is the strongest WiFi security protocol available today.

  • 22 percent, or 1,740, of APs were mis-configured, an increase from 13 percent in the 2007 survey.

  • Some networks were deployed using default configurations and service set identification (SSID), such as "Retail Wireless," "Cash Register," "POS WiFi," or "store#1234," and "Default". This signals to hackers that nothing has been changed on these devices or the entire wireless network.

  • WiFi signage has become popular for retailers, advertising they offer wireless. However, advertising an open wireless network may tip hackers in targeting other customers, who may not be using effective data security tools.

  • 32 percent of retail locations were leaking unencrypted traffic, with an additional 34 percent of retail locations leaking encrypted traffic, for a total of 66 percent. Data leakage is easily solved with simple configuration changes or modifications.

Motorola noted that security vulnerabilities in wireless networks typically are the result of weak encryption, data leakage, mis-configured access points and outdated access point (AP) firmware. One of the more overlooked issues with large retailers is a "cookie-cutter" approach to wireless technology. By using the same technology, configuration, security and/or naming conventions at all retail locations, vulnerabilities repeat themselves across the entire store chain, rendering them susceptible to attacks as well as Payment Card Industry (PCI) non-compliance.