An IT security company has highlighted what it calls the worrying state of wireless security in London, when it sent James Lyne and his computer-equipped bicycle onto the streets to test how safe homes, businesses, and even people on mobiles phones are from cyber-criminals.
Lyne, Global Head of Security Research at the IT security product firm Sophos, went “warbiking” across the city to track down unsecure wireless networks and spotlight user behaviours that could be exploited by hackers. He says: “Incredibly, conventional wireless network security is still a major concern, despite the security industry assuming such issues had been resolved years ago. Many would assume these methods are ‘old hat’ but it is still a very viable attack vector that demonstrates basic security best practice is not being adopted.
“As our London Warbiking exercise found, there are an astonishing number of businesses and home users employing insecure, poorly implemented, or even defunct wireless security protocols. With our voracious hunger to be online at all times, this is leaving millions of people, companies and their valuable data open to attack.”
London was the latest stop on the “World of Warbiking” tour – global research in major cities. Done over two days around the capital, Lyne’s exercise found that of 81,743 networks surveyed, some 29.5 percent were using either the known-broken Wired Equivalent Privacy (WEP) algorithm, or no security encryption at all. A further half, 52 percent of networks were using Wi-Fi Protected Access (WPA) – a no longer recommended security algorithm.
“Even within the security industry there are myths and misunderstanding about what the real risks are with wireless. Many argue that the unencrypted, intentionally open networks (the majority of the 29.5%) are ‘OK’ as they use a captive portal to register users. Unfortunately the standard user doesn’t recognize that major brand XYZ wireless is not encrypted and that their information can be picked up by anyone with £30 piece of equipment available on Amazon,” said Lyne.
Users want the internet
Many people had disregard for basic security, he added. “Our experiment found a disturbingly large number of people willing to connect to an open wireless network we created, without any idea of who owned it or whether it was trustworthy, Compounded by the growing number of devices that are permanently identifying themselves via technology like Bluetooth, this kind of behavior is increasingly putting everyone’s valuable data at risk.”
Lyne added: “This willingness to connect to any wireless network that professes to offer free wi-fi, without ensuring you have some kind of security measures in place, is like shouting your personal or company information out of the nearest window and being surprised when someone abuses it. With a few extra command line arguments, it would have been trivial to attack nearly everyone in our study.”
What Londoners are connecting
The open wireless network created during the London experiment also offered an insight into what people are connecting to when they are out and about. Social media sites such as Facebook and Twitter were high on the list of most requested pages, along with webmail access and news websites. But, it appears many people are also choosing to access websites and services that could prove even more attractive to cybercriminals: “Despite the fact that this was an open network, once connected many people seemed happy to access online banking sites, even though they had no idea who was running the access point. Only a tiny minority (2 percent) actually took responsibility for their own security by using a Virtual Private Network (VPN) or forcing secure web standards. Our test was conducted strictly within the confines of the law, but the cyber criminals won’t have the same concerns, so our experiment shows why people need to be much more aware of the potential dangers of connecting to open wi-fi networks when they are out and about.”
Lyne gave the results of the Warbiking London experiment at the InfoSecurity Europe tradeshow, Earl’s Court, west London, between April 29 and May 1. Details about the methodology used and results so far from the World of Warbiking project – and tips on how to be more secure – are available at www.sophos.com/warbiking.
Cloud release
Sophos meanwhile announced the latest version of Sophos Cloud, the company’s cloud-based product for small- and mid-sized users. The firm claims it’s the only cloud-managed security service to manage Windows, Mac and mobile devices from a single console. It features user-based management, reporting and licensing; built-in web security to prevent user access to malicious and infected websites, and new policy-based Web Control features. For more details or for a 30-day trial, visit: www.sophos.com/cloud.
