Inside WiFi SecurityBy Sean Gallagher | Posted 2002-06-07 Email Print
The retailer's in-store wireless network exposed customers' credit card data. Best Buy has plenty of company.
Inside WiFi Security
While WEP doesn't provide a great deal of securityits encryption keys are fixed, and even an amateur hacker (albeit a persistent one) can compromise WEP by passively monitoring the network long enoughit at least offers the wireless equivalent of latching the front door, foiling casual attempts at intrusion.
Additional steps can be taken to make WiFi more secure, such as adding virtual private network (VPN) software similar to that used by users connecting to corporate networks over the Internet.
What is unusual about Best Buy's case is that the systems were part of a company-approved system designed to handle customer dataand they still didn't use encryption. Home Depot and Wal-Mart also use in-store wireless networks, as do a growing number of retail chains. But they are used, in most cases, for performing inventory functions and price checks with handheld barcode scanners. "There are some companies with wireless terminals that take credit cards, like Hertz, but they are definitely encrypted," says Hellgren.
The real security threat to most companies from WiFi is how easy and inexpensive it is for anyone to set up a wireless network. "It's the same problem companies used to have with modems," says Hellgren. You can buy a wireless access point for less than $150, and a laptop wireless card for under $100. You don't need much, if any, specialized knowledge to set them up. As a result, departments or even individuals can quickly extend the corporate network into the wireless domain.
And often, these extensions are left unsecured; sometimes their default identification and password settings remain unchanged. That leaves the door wide open to "war drivers"mobile hackers armed with a laptop, wireless card, external antenna and shareware softwareto detect unprotected WiFi networks and monitor their traffic, and in some cases even use them to gain access to corporate networks.
While the range of 802.11b networks may be advertised as only 100 to 200 feet, external antennae can in some cases extend that range to as much as a quarter-mile.
Some WiFi equipment vendors are enhancing the built-in security within their products. Nokia, for example, is using smart cards within its latest line of 802.11 network cards to authenticate wireless devices and provide a higher level of encryption.
And other vendors are developing dynamic key distribution systemssystems that send out multiple and constantly changing encryption keys rather than just one, to improve the security of WEP. But for now, the best way to secure WiFi networks is simply to take the time to implement and enforce the use of security measures already available.
Because, as Best Buy now knows all too well, haste makes wasteand very bad PR, to say the least.