With encrypted Wi-Fi vulnerable everyone is risking their assets

The seventh annual Wireless Security Survey from RSA reveals the continued, dramatic growth of wireless networks in the world’s major financial centres. The survey of London, New York City and Paris examines the proliferation and inherent security of corporate wireless access points, public hotspots and in-home networks.

Best practices in wireless security have never been more pertinent to businesses and consumers than they are today. In August 2008, an international ring of hackers was indicted in the United States for allegedly exploiting a number of businesses’ poorly-secured wireless networks to steal more than 40 million credit card numbers.

Significant increases in the number of wireless networks

Paris broke all the records with a 543% year-over-year increase in the number of wireless access points detected in the city. Growth in London and New York City, while still substantial, was slower than in 2007: in London the number of access points grew 72% (down from 160% last year) and New York City saw a rise of 45% (down from 49%). London retains its position as the ‘most wireless city’, however, with a total of 12,276 access points detected – exceeding the number we found in New York City by more than 3,000.

Public hotspots – designed to allow anyone with a wireless device to access the Internet on a pay-as-you-go or pre-paid basis – continue to grow in prevalence across all three cities, and in each case the growth of available hotspots accelerated significantly in 2008 compared with development in the preceding year. Paris saw the largest jump, with numbers increasing by over 300% and comfortably outstripping the comparative growth in New York City (44%) and London (34%).

However, New York City remains the leader in regards to its concentration of hotspots. At 15%, New York City is well clear of London where just 5% of wireless access points were found to be hotspots. In Paris, hotspots represented 6% of all the access points we located.

All encryption is not created equal

As in previous editions, the survey examined how many of the wireless access points detected were secured with some form of encryption (hotspots excluded). At face value, the 2008 results show some dramatic improvements in security practice here: in New York City, 97% of corporate access points had encryption in place – up from 76% last year, and by far the best results in the survey’s history. In Paris, 94% of corporate access points were encrypted – although in London, 20% of all business access points continue to be completely unprotected by any form of wireless encryption.

However, with WEP – Wired Equivalent Privacy, the original wireless encryption standard – now discredited, the 2008 survey paid close attention to the types of encryption in-play, and the relative adoption of more advanced forms of wireless encryption, including Wi-Fi Protected Access (WPA) or WPA2. Overall, the adoption of non-WEP advanced encryption is encouraging. Paris once again led the way, with 72% of access points (excluding public hotspots) found to be using advanced security; however the numbers in New York City and London were more modest at 49% and 48% respectively, with a majority of wireless access points relying either on WEP or using no encryption at all.

Such is the speed at which WEP can be routinely cracked that it barely constitutes paper-thin protection in the face of today’s sophisticated hackers. We would strongly urge wireless network administrators to discount WEP as a viable security mechanism and upgrade to WPA – or stronger – without delay,” continues Mr. Curry. “It is also critical that business access points are protected by encryption – even if the corporate network itself can only be accessed via an encrypted VPN. Not using WPA1 or WPA2 can leave the organizations involved vulnerable to whole classes of attacks against both access points and wireless client computers.”

In-home wireless networks: the next wireless explosion, and they’re more secure

For the first time, the RSA Wireless Security Survey identified the number of personal wireless networks in evidence on the routes around London, New York City and Paris – and how secure they were:

• In London, the volume of personal wireless access points was greater even than the number of corporate ones: a total of 6,730 – or 55% of all access points detected – were identified as belonging to home-users
• In New York City, 18% of access points were in-home and in Paris the figure was 21%

Most impressively, home network users appear to be more security-savvy than their corporate counterparts. In Paris, 98% of in-home networks are encrypted – an excellent result – with New Yorkers just behind at 97%, followed by 90% of Londoners who have deployed encryption at home. Digging deeper on the types of encryption found within in-home networks:

• Paris: 75% are using advanced encryption (better than WEP), compared with 72% of the city’s business access points
• New York City: 61% of home users have deployed advanced encryption, with just 50% of business access points protected in the same way
• London: 48% are using advanced encryption in the home – the same percentage as in London’s business sector.