Security fears over City WiFi

Sheer size of network makes it difficult to protect, say experts

The city WiFi network is difficult to secure

Technology experts have raised concerns about the security of the City of London’s new WiFi network.

The network, turned on last week (Computing, 26 April), covers the heart of London’s financial district, serving more than 350,000 people, comprising 127 nodes, and offering 95 per cent coverage to the area.

But security professionals say the sheer scale of the network, the biggest in the country, makes it almost impossible to guarantee its security.

‘The more entry points a network has makes it more difficult to secure,’ said Phil Cracknell, UK president of not-for-profit body the Information Security Systems Association.

‘Every point can be misconfigured or can lose its settings and be left insecure. Most of these networks are not monitored effectively, but who is going to tell if rogue hotspots are appearing or not?’ he said.

Network operator The Cloud says it encrypts user details and passwords, and monitors each connection continuously.

But Tony Proctor, wireless expert at Wolverhampton University, says this is a difficult thing to do for such a dense and complex network.

‘WiFi is inherently secure,’ he said. ‘But things that introduce complexity introduce potential security vulnerabilities. When you have a number of access points spread across an area as critical as the City of London then you have a potential security headache.’

Access points are vulnerable to ‘evil twin’ attacks where a fraudster sets up a fake access point, while users are also vulnerable to drive-by attacks on their machines.

A spokesman for The Cloud said: ‘We undertake proactive monitoring of every hotspot on our network to observe attempts at signal interference and other behaviour characteristics which identify this kind of attack.’

But a rogue access point might not necessarily interfere with the network, says Proctor.

‘Anyone can set up an access point and try to persuade people to log on to it,’ he said. ‘It does not have to connect to The Cloud network, it could just mimic the entry portal. The devil is in the details.’