Network World: Scan Finds Security Holes in NYC Retailers’ Wireless Nets

There’s bad news for some retailers at this week’s National Retail Federation trade show in New York City, where WLAN security company AirDefense disclosed the findings of its four-day scan of local retailers’ wireless nets.

Security for retail wireless nets is still bad, though improving, AirDefense found after scanning nearly 800 stores in the five NYC boroughs between Thursday, Jan. 10 and Sunday, Jan. 13.

About one third of the stores had no security at all, not even the minimal encryption provided by the flawed Wired Equivalent Privacy (WEP) protocol. Another third had weak encryption, such as WEP or the pre-shared key mode of the Wi-Fi Protected Access (WPA PSK) specification, which was originally intended as basic security for home or SOHO WLANs.

The final third showed a quantum improvement, according to AirDefense Chief Security Officer Richard Rushing: the more advanced WPA2 specification, with 802.1X authentication brought down to every device, including handhelds, on the WLAN, and AES encryption, the strongest commercially available today. “These are the first retail stores we’ve seen with bulletproof [wireless] security,” Rushing says.

Rushing has surveyed large retailers in sections of Manhattan in the past. The new scan was focused on smaller stores, 771 in all, in malls and shopping centers throughout the five boroughs. Rushing walked around with his notebook PC running the AirDefense monitoring and analysis software, simply observing the WLAN traffic in each store. No attempt was made to connect to any of the nets or launch penetration attacks.

In many of the sites, where the only network may be a DSL broadband router, Rushing also frequently found unprotected rogue access points deployed. He speculates that many of them are brought into stores so employees can run applications, make VoIP calls or get Internet access when not dealing with customers. But apparently, these unprotected devices are unknown to the store owners or managers, creating gaping net security holes. (Learn more about WLAN security in our Wireless LAN Security Buyer’s Guide.)

Another noticeable problem with the first two groups was that radio signals — and thus access to the unprotected access points and unencrypted traffic — spilled well beyond the walls of the store. Attackers could set up shop outside, snoop on the WLAN traffic, and collect MAC addresses and other data that could be used to hack deeper into the store’s net, servers and data.

Based on the survey findings, many of these stores that take credit cards may not measure up to the PCI Data Security Standard, mandated by payment card companies.

Rushing is sympathetic, up to a point, to the special issues that hamper retail wireless security. Few retailers can afford to scrap legacy nets and devices and replace them wholesale. In addition, older wireless barcode scanners and other handhelds often lack the memory or processing power to support any security other than WEP, for example. These devices would have to be replaced with new ones that can.

In addition, stores may need to add much more complex security frameworks, such as Public Key Infrastructure, RADIUS servers and the like.

Finally, point-of-sale devices such as cash registers are still clearly visible on these weakly defended retail nets, according to Rushing. “This tells me that segmenting these devices behind firewalls on secure nets is not being done, even though PCI mandates this,” he says. “Or, if it is being done, it’s being done ineffectively.”

While the survey clearly is intended as a marketing tool for AirDefense’s WLAN security software, the new results are broadly similar to findings of a 2007 survey of 3,000 stores in eight U.S. and European cities, also done by AirDefense.

Weak WLAN security was the entry point for hackers in the TJX Corp. data theft, in which nearly 46 million credit card numbers were stolen.

By John Cox, Network World