Retail Wi-Fi wide open to hackers, study finds

A study has discovered that while retailers are physically securing their businesses to prevent theft, they are not taking the same precautions with their wireless security.

The "2007 Retail Shopping Wireless Security Survey" conducted by AirDefense, tested the wireless "perimeters" of 3,000 shops across the United States and parts of Europe. It discovered that of 2,500 wireless devices such as laptops, hand-helds, and barcode scanners detected, 85 percent of these were wide open to hacking.

This is mostly down to data leakage, misconfigured access points, outdated access point firmware, poor naming choices for access points, and a "cookie-cutter" technology approach by large retailers.

The survey also monitored nearly 5,000 access points, and AirDefense discovered that 25 percent were unencrypted. The good news was that 74 percent were encrypted, but 25 percent used Wired Equivalent Privacy (WEP), one of the weakest protocols for wireless data encryption. Forty-nine percent used Wi-Fi Protected Access (WPA) or WPA 2, the two strongest encryption protocols.

As would be expected, the study found that retailers maintained much stronger physical security measures than wireless security.

"Retailers today are much more adept at preventing or minimizing shoplifting by using a layered security approach, but the same can't be said for wireless security, where misconfigured or unencrypted access points were evident in every city," said Mike Potts, president and CEO of AirDefense.

Indeed, it seems that the most common data security lapses involved misconfigured access points that open backdoors to data. Some of the networks were discovered to be fresh out of the box, using default configurations and SSID (Service Set Identification), such as retail wireless, POS Wi-Fi, or store#1234. This is especially dangerous, as it shows hackers that nothing has been changed on these wireless networks.

The importance of securing networks was highlighted last week when a study by security vendor Sophos found that 54 percent of computer users had "piggybacked" on other people's Wi-Fi connections.

Retailer TJX was hit earlier this year by a highly damaging data breach when at least 94 million credit and debit card accounts were stolen from its computers by hackers.

In an effort to help, AirDefense has unveiled a list of 'best practices' that consumers and retailers can use to protect themselves while using their wireless devices at locations offering Wi-Fi networks.

Techworld.com is an InfoWorld affiliate.