Do you know the dangers of wireless networks?
I came across a story about an old case from 2007 where hackers infiltrated T.J. Maxx’s wireless network at one of the outlets and stole over 45 million credit card numbers. Those involved got caught and convicted.
While it’s true that apparently the outlet involved didn’t even encrypt the wireless link and as such any novice hacker could have hacked into it; even if the outlet had employed encryption I still believe the whole setup was a very bad idea.
Wireless has its uses of course, but should be heavily avoided in certain scenarios. Do not connect a wireless network to a network that transfers confidential information. If you have no other way around it, do not simply rely on the encryption provided by the wireless system, use encrypted tunnels such as VPN or SSH to further protect your valuable data.
The reason for this is that perhaps the most important aspect for a secure system is physical security. Wireless kills that outright. Wireless is the equivalent of offering connectivity to your network on the street. This means that if credit card numbers or any other information is flowing on the same network, hackers will only need to listen in from a safe distance and you will be sending the credit card details directly to them; they do not even need to expose themselves, they can simple hide a laptop in the boot of the car, leaving it recording while they browse your store… 100% undetectable.
What if I use WEP or WPA/2, am I safe then?
WEP is the equivalent of having your wireless network unencrypted; vulnerabilities allow everyone with the right tools to break the encryption in less than 10 minutes. WPA it is a little bit more challenging but not much. Hackers can still record the traffic and crack it comfortably in the safety of their homes and once again this is totally undetectable. The time required can vary especially if one uses a good password. If the password used is a dictionary word (which is the first thing a hacker will try) your password will be quickly discovered.
A Russian-based company has released software which utilises GPGPU to help with WPA cracking. They claim speeds of 52k passwords per second using a GOOD GPU. Using this software an attacker can attempt the entire English dictionary in 10 seconds. 52k attempts per second makes brute force attack a viable option as well. GPGPU has an additional advantage of being modular. Insert two graphic cards and you just speeded up the whole process by double. It’s possible to have up to 4 cards per system and it is possible to split the load between multiple machines. While it will not be very cheap to use such a setup, criminals intended on exploiting this might still find it worth the investment since this will more than pay for itself at the very first successful attack. It is also important to remember that in most cases this will be a one time effort since people do not generally change WPA passwords once set.
I believe it is very dangerous to have wireless networks with confidential information going through them. My recommendation is that even if you are using encryption on it, think of it as already compromised and act accordingly. If possible I would recommend that wireless networks and physical networks should be physically segregated as much as possible with confidential information only flowing through physical networks.
I work from home and have a secured wireless network. In my neighborhood there are 14 others. Only 5 are secure. The rest are wide open and have their default names like “Linksys”. I shudder to think of the people who own them doing their banking or other such tasks on those wide open networks!
Yes, It’s unbelievable. I think vendors should be proactive here and realise their users might be beginners who are afraid to configure anything so as such once they hook it up and it works that’s it.
I think vendors should by default secure the access point with a password or pass phrase which is required on installation unless you specifically state you want it open at which point a little document like a disclaimer explaining what that will really mean should be displayed to the user.
Or else the trend will continue
@Sue
I agree. A lot of people seem to take wireless security for granted, or they just don’t know what they’re doing (or not doing for that matter).
In my neighborhood, I can pick up at least 10 networks, most of them didn’t bother changing the network name (linksys, netgear, etc), a few i got access to because they didn’t bother changing password (password IS password) or something so easily guessed like admin, or 12345678. A couple even not password protected at all! I almost didn’t get my own internet connection because it was too easy to just use the neighbor’s.
People must be educated on network security. IMMEDIATELY.
@Emmanuel
While I agree that vendors should incorporate a default password on their system, I think they should randomize it and not create a generic/uniform password. You can even find a list of generic passwords for most of the wireless modems and router online.
@Gaultney
You’re right, ideally it should be randomized as it would definitely be stronger then what a user would choose. The only issue with that is it will be hard to remember for the user and unfortunately it’s a password you will not get to use often so it needs to be something that a user will remember 3 – 6 months down the line when he buys a new device and needs to join it with his network. While certainly weaker having the user select the password is probably a good compromise here between convenience and security.
Thanks for this article. This was a sobering way up call for my end. I forwarded this article to our networking specialist as soon as I read it. Although a lot of our company’s sensitive material is still hardwired, I can’t account for all the information saved on our wireless network. I’ll be making sure to check with our specialists first thing tomorrow morning.
We’ve had some minor security breaches before, but hopefully it doesn’t escalate to a magnitude that makes us regret not addressing it sooner.
I think that’s the trade off for the massive amount of convenience and accessibility afforded by wireless networking. I’m proud to say that our company has been very strict with our policies with regards to wireless server technology, but I can imagine the possibilities of having to work without the restrictions of a remote connection. Hopefully, in the future, developments in the technology will offer better security solutions.