“We took one man, a bike, a computer, a GPS, two dynamos and some solar panels to the streets of London to see how many unsecured wireless networks we could find,” said Sophos. The man was James Lyne, director of technology strategy at Sophos; and for every mile he cycled, he passed 1000 wireless hotspots. Sophos stresses that it remained within the law – unlike Google’s Street View wardriving, the Sophos warbiking collected only high-level data; but enough to demonstrate the state of London’s WiFi security. And it’s not good enough.
Overall Sophos detected more than 100,000 hotspots. Of these, more than 8000 had no security at all, and around 20,000 more used the obsolete WEP encryption. “With the tools available we could have gone much further but we carefully stayed in the confines of the law. This exercise doesn’t paint the complete picture, but it shows enough to demonstrate that security best practice and education still need a lot of focus”, said Lyne.
Weak access is not a minor problem. It allows outsiders to piggy-back broadband access; which could allow copyright thieves to download illegal files. If this is monitored by the rightsholders, the finger will be pointed at the IP address holder, not the the thief. But for businesses, it allows hackers to gain access to company data. “Enabling an attacker access to your network like this also makes it possible for them to launch other nasty attacks like ‘man in the middle’. This enables attackers to sniff your usernames, passwords or other sensitive data while you think you are using a secure and private connection,” said Lyne.
He adds that the minimum level of protection should be WPA2 encryption with a strong password. The Sophos investigation did not go deep enough to test the strength of passwords being used (that would have been illegal), but Sophos points out that there are tools available that can attack WPA2 protected networks with massive wordlists at high speed. The company also notes that coffee shops and similar establishments often have intentionally open WiFi to attract customers, so users of such services should ensure they are configured to use a VPN to protect their own communications.
Next time you see a cyclist kerb-crawling in London, it may be worth asking just what he hopes to pick up. |