Weak wireless security on display at retail convention

Updated Thursday, Jan. 17, 2008, at 1:20 p.m. EST.

Wireless LAN vendor AirDefense disparaged vendors at the National Retail Federation (NRF) Convention and Expo, which took place this week in New York, for slipshod airborne web-security practices.  

The Atlanta-based vendor, one of the handful of security suppliers with a booth at the Javits Center this week, reported Tuesday that less than 10 percent of the 458 access points (APs) featured “bullet-proof” encryption, such as WPA2.

Almost six in 10 APs used Wired Equivalent Privacy (WEP) encryption, considered the weakest airborne data protection, and nearly 80 percent of 1,693 wireless devices, such as laptops, PDAs, phones and PCs, were vulnerable to “evil twin” attacks, a version of email phishing scams, according to AirDefense.

Richard Rushing, chief security officer, told SCMagazineUS.com today that many vendors choose convenience over security when setting up convention booths.

“It's a typical show environment, and it's kind of interesting in the retail space that's trying to move towards being strong security-wise, that you still had a number of devices using WEP, and you have a number of devices that could be compromised,” he said. “The convenience factor wins out over the non-convenience factor.”

Representatives of the Javits Center and the NRF could not be immediately reached for comment.

AirDefense researchers also reported that attack tools such as Karma, Hotspotter and Airsnarf were seen in the expo floor's airwaves, and 94 mobile devices altered their Media Access Control addresses to bypass Javits' Wi-Fi hotspot security.

Rushing added that it's unlikely the APs could be used for a data-stealing operation, but said he was surprised that retailers, eager to show off wireless security in the wake of the massive TJX Companies breach, would dismiss best practices at the show.

“Some of the retail sectors are overlooking the fact that [the Payment Card Industry Data Security Standard and well-known breaches are] on everyone's mind, so why would you not want to go forward with [increased security] at the show,” he said.

Mike Paquette, chief strategy officer at Top Layer Networks, an intrusion-prevention vendor that has worked with Javits, told SCMagazineUS.com that “certainly there is no expectation that any convention center can control the ‘Wild Wireless West’ that its exhibitors choose to implement within their displays on the floor.”

“The vast majority of the 450-plus access points observed are likely owned by the exhibitors, not the Javits Center, so the observations are about the state of wireless security amongst the exhibitor teams of retailers,” he said. “This may well extend to enterprises, but it could also be that enterprises outfit the exhibitor equipment pool with older wireless gear, as a kind of technology recycling. Certainly there would be risks associated with such an approach if actual business is carried over these networks.”

