The City's wireless security is still too lax

Security expert Phil Cracknell discovers that wireless Lans in the City of London are still at risk from 'drive-by hackers'.

Last month, vnunet.com's sister publication Computing revealed that City of London businesses were failing to take basic precautions to secure wireless local area networks (Lans) - a year after a survey had revealed the threat from drive-by hackers.

The study, on behalf of RSA Security, was carried out by Phil Cracknell.

When I set out on the latest City wireless Lan survey I had no idea what to expect.

Given previous publicity about 'drive-by hackers', there have been improvements to wired equivalent privacy (Wep - a wireless Lan security standard) by certain vendors.

But I could not have imagined what I would find, and what it meant for City businesses using wireless technology.

The survey took three days to complete, walking the streets or riding in a taxi. I invested in a commercial tool and iPAQ handheld, rather than the freeware software and a laptop used previously.

Over three days I discovered 328 access points and 552 client cards - a threefold increase on last year.

More significantly, there were clear indications that businesses were no longer using wireless networks for testing or development.

In some cases a single building yielded nine access points, each with the same SSID value, indicating that they were connected to the same network.

I discovered that the use of Wep has not increased at all. Has all the publicity and security awareness been to no avail?

Further analysis showed that some of the sites not using Wep had a virtual private network (VPN).

This was good news and bad news for businesses - they had forfeited Wep for a VPN and left access to their network at the IP level fully exposed.

Pushing the protection further up the TCP/IP stack is not the answer, and the old adage of implementing security in layers sprang to mind - why not have both?

I was also surprised to see that MAC address/hardware screening was not widely used.

The wireless access point is able to maintain and manage a list of client wireless cards that are allowed to connect, and this is the most basic form of access control available to WiFi users.

There is a slight administration overhead, but it's worth the effort.

A mixture of MAC address screening, Wep and a VPN combined with some form of client authentication would be the most advisable for wireless networks used as an extension to the corporate network.

Some businesses had connected their access points directly to the wired Lan, which should be avoided at all costs.

One of the most interesting discoveries of this survey was the number of client systems which didn't appear to be connected to an access point.

The volume of client systems in certain areas made it clear that some businesses were using WiFi as a total wired network replacement, and from a security perspective that has come about surprisingly quickly.

The client systems were often vulnerable to direct remote access based on how the cards had been configured. Using peer-to-peer mode it would be possible to access shared drives and data from a laptop.
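The weaknesses described above can be checked against an organisation's own site-survey export. The script below is an added example, not part of the original article; the CSV columns, sample rows and access list are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a survey export for one's own premises (not data from the article).
# Hypothetical columns: kind is "ap" or "client"; mode is "infrastructure" or "adhoc".
SURVEY_CSV = """kind,mac,ssid,wep,mode
ap,00:11:22:00:00:01,corp-floor1,no,infrastructure
ap,00:11:22:00:00:02,corp-floor1,no,infrastructure
ap,00:11:22:00:00:03,corp-lab,yes,infrastructure
client,00:aa:bb:00:00:10,,no,adhoc
client,00:aa:bb:00:00:11,corp-lab,yes,infrastructure
client,00:aa:bb:00:00:12,corp-floor1,no,infrastructure
"""

# Constructed MAC access list, as an access point would hold for MAC address screening.
ALLOWED_CLIENTS = {"00:aa:bb:00:00:11"}


def audit(survey_text, allowed_clients):
    """Return findings keyed by type for the weaknesses the survey describes."""
    findings = defaultdict(list)
    aps_per_ssid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(survey_text)):
        mac = row["mac"].strip().lower()
        if row["kind"] == "ap":
            aps_per_ssid[row["ssid"]].append(mac)
            if row["wep"] != "yes":
                findings["ap_without_wep"].append(mac)
        elif row["mode"] == "adhoc":
            # Peer-to-peer clients are reachable without going through any access point.
            findings["client_in_adhoc_mode"].append(mac)
        elif mac not in allowed_clients:
            # Associated client that MAC address screening would have refused.
            findings["client_not_on_access_list"].append(mac)
    # Several access points sharing one SSID suggest a single production network.
    for ssid, macs in aps_per_ssid.items():
        if len(macs) > 1:
            findings["shared_ssid"].append((ssid, len(macs)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in audit(SURVEY_CSV, ALLOWED_CLIENTS).items():
        print(kind, items)
```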

Where will it all end? Right now it's hard to tell. Access points and client equipment are becoming more affordable and many laptops now contain a WiFi card as standard.

WiFi is obviously here to stay and offers a convenient way to connect systems on a network.

Emerging variations to the 802.11 standard will mean less congested frequencies and faster bandwidth, so now is the time to understand wireless security and harden these networks.

Phil Cracknell is an independent security specialist.