ATLANTA - AirDefense, which launched the wireless LAN security market, has released results from its 2007 Retail Shopping Wireless Security Survey of wireless data- and physical-security practices at more than 3,000 retail stores throughout the United States and parts of Europe. Cities covered include Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London and Paris.
Research was conducted in busy shopping areas, including Rodeo Drive in Beverly Hills, Madison Ave. and 5th Ave. in New York City, Michigan Ave. in Chicago, and Union Square and Market Street in San Francisco.
AirDefense discovered that more than 2,500 wireless devices, such as laptops, hand-helds, and barcode scanners, are being used by retailers, yet 85 percent of those devices could have been compromised or are at risk of having data stolen because of data leakage, misconfigured access points, poor naming choices for access points, outdated access-point firmware and a "cookie-cutter" technology approach. A so-called cookie-cutter approach occurs when the same technology is used in all retail locations, so vulnerabilities repeat themselves across the store's entire chain.
According to a news release, some of the networks used were "fresh from the box," using default configurations and SSIDs (service set identifiers), such as retail wireless, POS WIFI, or store#1234.
Data leakage then occurs when a company adds wireless functionality to an existing wired network. Point-of-sale information on products, and possibly consumer credit-card information, can leak out to the wireless airwaves and be stolen.
According to AirDefense, consequences of wireless-security vulnerabilities are difficult to quantify.
As part of its research, AirDefense also monitored nearly 5,000 access points, the hardware that connects wireless devices to wired computer networks. It found that 25 percent of those access points were unencrypted, while 74 percent were encrypted. Also, 25 percent of retailers surveyed used Wired Equivalent Privacy (WEP), one of the weakest protocols for wireless data encryption, AirDefense says, while 49 percent used Wi-Fi Protected Access (WPA) or WPA2, the two strongest encryption protocols for theft prevention.
The most common data-security lapses involved misconfigured access points that open backdoors to data. On several occasions, larger retailers had configured access points to work with WPA but had not switched off WEP. In addition, many retailers use their store name, the name assigned by the equipment vendor to the wireless network during installation, in the SSID, which gives away a retailer's identity. SSIDs can easily be reconfigured, but often are not.
AirDefense says most retailers seem to maintain stronger physical security than wireless security, since 95 percent of retailers had some form of physical security system, such as an RFID security alarm, in place. Additionally, nearly 70 percent had security cameras installed and roughly 10 percent employed guards at exit doors.
"Retailers around the country are leaving the 'proverbial' barn-door open for potential problems," said Richard Rushing, the survey organizer and chief security officer of AirDefense. "Protecting consumer and retailer information is the most important job for retailers. A layered wireless-security approach is the only way to prevent proprietary information from disappearing."