Go To Main Page

In recent years, decreasing prices and ease of deployment have prompted a proliferation of wireless networks in the home and in the work place. But are we sacrificing tighter security for greater physical freedom? And if so, is it really worth the trade off?

At Network Box, one of the most common questions we’re asked by IT directors and managers is how to protect wireless networks. Obviously, there are many security technologies on the market that are capable of securing wireless networks; but what businesses – and home users – don’t appear to understand is that they can greatly increase the security of their wireless networks simply by switching protocols from wired equivalent privacy (WEP) to wi-fi protected access (WPA).

WEP was introduced in 1999 and uses pre-shared keys that must be entered manually at both ends of the message exchange. WEP has been widely criticised because its authentication method is extremely weak and can be hacked in minutes. Essentially, WEP encryption may thwart a hacker with the most basic skills, but it will be sidestepped easily by a criminal with some computer knowledge.

Conversely, WPA affords users a far higher level of security, as it uses a sophisticated key hierarchy that generates new encryption keys as the system is used. By using this technology and enhanced payload integrity, WPA improves protection and effectively defeats the key recovery attacks perpetrated on WEP.

So, if WPA is widely available, is very easy to configure – as simple as flicking a switch – and is far more secure than WEP, surely take up of the WPA protocol would be universal? Not so.

Network Box conducted its own research* in to the wireless protocols used by home users and businesses and the results make worrying reading. Among domestic users, nearly half (48 per cent) were still using WEP, while 39 per cent were using WPA. Amazingly, 13 per cent had no protection at all. These results suggest a prevailing ‘why should I care?’ attitude. Unfortunately for the home users running WEP or with no protection at all, there is every reason to care.

Hacking in to these networks and accessing confidential information is incredibly easy. For example, someone with malicious intent could simply sit unseen in their car outside a home or office and steal confidential information, such as passwords and PINs. Armed with this information, the hacker could commit identity theft and steal money from the unsuspecting user’s account. Or the hacker could access the network and send a deluge of spam, soaking up the user’s bandwidth and slowing the performance of the PC to an unusable pace. Arguably the worst case scenario is that the hacker accesses and downloads illegal material from the internet, which the authorities would track not to the hacker but to the registered owner of the network.

There is always a lag between imparting security knowledge and it being absorbed by the public, which may explain the indifferent attitude of home users. Businesses, however, cannot use the same excuse. Only the most short-sighted company would not regard IT security as a business-critical expense – which makes the findings for commercial organisations’ wireless networks usage even more concerning.

Network Box found that 41 per cent of businesses used the ineffective WEP protocol, while slightly more (43 per cent) used WPA. Staggeringly, 16 per cent of companies had no protection at all on their wireless networks – that’s three per cent higher than the figure recorded for home users!

The dangers to the companies running these WEP and unprotected networks cannot be overstated. Simply put, a hacker can potentially ‘see’ every piece of data sent by PCs logged in to these networks. A hacker could plant a keylogger on one or more PCs on the network, giving him/her access to any confidential information exchanged between, or stored on, PCs logged on to the network.

When you consider the nature of the information stored and exchanged – HR records; financial details; intellectual property; company growth strategy etc – the motivation and potential reward for a hacker is significant. If s/he can get their hands on such sensitive information, the breached company is wide open to blackmail and theft. Similarly, a company with WEP encryption or no protection at all is vulnerable to industrial espionage.

The good news is that home users and businesses can significantly shore up their defences simply by changing from WEP to WPA encryption. That’s not to say WPA is

a silver bullet; as always, users must take care to create passwords that are difficult to crack and store them safely, otherwise the risk of being hacked returns.

Ultimately, as with many IT security issues, there needs to be a mindset change. Until people realise that electronic security is every bit as important as physical security – arguably more so – then these lackadaisical and potentially very costly attitudes will remain.

If you left your home or your company front door open 24 x 7, sooner or later you’d expect to be robbed. This is exactly the risk that is present with WEP. If you or your company is using WEP – or worse still, no protection at all – it’s akin to extending an open invitation to hackers to enter your home or office and help themselves to any files or records they can find.

*Data was collected on 500 commercial and domestic wireless networks in Nottingham, Tunbrige Wells and Tonbridge between March and April 2008. No attempt was made by Network Box to connect to the networks found, nor to intercept or decrypt traffic.

Stumble It!