A study by AirTight Networks Inc. of financial districts in seven cities revealed numerous wireless vulnerabilities and a lack of wireless computer security best practices.
Researchers at the Mountain View, Calif.-based wireless security vendor conducted five-minute wireless vulnerability scans at 30 random locations in the financial districts of New York, Chicago, Boston, Wilmington, Del., Philadelphia, San Francisco and London. More than 3,600 wireless network access points were scanned near banks and stock exchanges.
Access points that were open or using weak WEP encryption made up 57% of the airspace scanned, putting them at risk for data leakage, according to the study. Almost 40% of those open or WEP-secured access points were enterprise grade. The rest were consumer or SOHO grade, which can't be centrally managed, AirTight executives said.
"A lot of best practices were simply being skipped," said Mike Baglietto, director of product marketing at AirTight Networks.
Twenty percent of the open wireless network access points were simply hiding their service set identifier (SSID) for security, he said. The SSID is a character sequence that names a wireless network.
"Open access points create a front door to your enterprise; hackers can gain access to your infrastructure and scan devices for vulnerabilities," Baglietto said. Researchers saw instances in which open access points leaked unencrypted packets attached to a financial internal network, he said.
"We're just using commonly available tools that you can download from the Internet," he added. "People with more sophisticated tools pose a bigger threat."
Also, researchers found that more than half of Wi-Fi clients were broadcasting SSIDs and 34% were willing to connect to free and highly insecure Wi-Fi.
"To me, this indicates that the major unsolved problem is risky user behavior and misconfigured clients," said Lisa Phifer, president of Core Competence Inc., a Chester Springs, Pa.-based consulting firm specializing in network and security technologies.
"Employees may be improperly using their own or another company's open visitor WLAN without a VPN or SSL to protect their data. Far too many are apparently willing to associate with hotspot, home or ad hoc SSIDs without really knowing to whom they've connected."
Many businesses today understand how to lock down their own access points, even those that decide to allow open or WEP access for certain applications and devices, Phifer said.
"But I don't think enterprises fully appreciate -- much less take steps to remedy -- these client-side vulnerabilities. And that gap will only grow wider with the proliferation of unmanaged Wi-Fi enabled mobile devices like iPhones."
Phifer noted that of the 39% of open or WEP access points that were enterprise-grade in AirTight's study, many could have been private guest/visitor networks that rely on other security measures such as SSL, VPN or WEP-protected VoIP networks.
Baglietto acknowledged that the districts obviously include other types of businesses, but said the study indicates that financial institutions would do well to implement wireless security best practices. Those include using strong standards for authentication and encryption like WPA, conducting ongoing wireless security audits and monitoring guest Wi-Fi access.
"With the financial crisis, financial institutions already have one black eye," he said. "They don't need any more headaches."