Millions of retail customers are no doubt still troubled by the massive 2005 data breach at TJX Companies and the cost of monitoring their accounts. However, security professionals, especially those using outdated wireless encryption, are likely more anguished about the attack method used than the mountains of lost data.
That’s because, nearly two years after the attack occurred, it’s apparent that the malicious hackers used simple technology – a laptop and a telescope-shaped antenna – to crack the obsolete wireless connection at a Marshalls outlet in Minnesota.
That St. Paul branch – like other retail outlets – was, according to investigators, running the Wired Equivalent Privacy (WEP) encryption standard, which was superseded nearly five years ago by the more robust Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) guidelines.
The use of WEP encryption by retail chains was, in retrospect, a massive data breach waiting to happen, say wireless experts. Although the more recently created WPA and WPA2 offer stronger protection and meet most of the requirements of the IEEE 802.11 encryption standard — as well as being recommended by the Wi-Fi Alliance, a wireless industry trade group — many retailers are still comfortable with WEP, in use since 1999. However, the aging standard is rife with problems, and has been from the start, says David King, chairman and chief executive officer at AirTight, a wireless security vendor.
“Even from its earliest inception, WEP was controversial because it was behind other existing standards. WEP had already been hacked, but what the standards groups were thinking about was how important was security going to become, and they wanted something that was as cheap as possible,” he says. “By about 2000, there were already all these academic articles about people exploiting WEP vulnerabilities, man-in-the-middle attacks and cracking attacks.”
The newer WPA features 128-bit key encryption and a 48-bit initialization vector and is certified on all laptops and wireless devices. Required for mobile PCs since 2003, WPA and WPA2 are the suitable security standards for the corporate world, says Kelly David-Felner, senior marketing manager at the Wi-Fi Alliance, who calls WEP “broken and absolutely not acceptable for enterprises.”
“WEP was widely known to have security flaws by late 2000 and early 2001, and by that point [developers] were already working on IEEE 802.11i. April 2003 was when we announced the first version of WPA and that was in response to a market need for a security Wi-Fi that had not been cracked. WPA2 encompasses the entire [802.11] standard,” she says. “WPA has yet to be cracked and any enterprise should absolutely be using WPA2 security.”
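The article contrasts WPA's 48-bit initialization vector with WEP, and a quick calculation shows why the IV size matters. The following is an added example, not code from the article or any vendor quoted in it; it assumes WEP's 24-bit per-packet IV (a well-known WEP parameter the article does not state) and an arbitrary traffic rate of 1,000 packets per second. With a static key, as WEP uses, a repeated IV means the same keystream is applied to two different packets, which is the root of the cracking attacks the experts above mention.

```python
import math

# IV sizes: WEP's 24-bit per-packet IV is a well-known WEP parameter (not stated in
# the article); the 48-bit value is the one the article attributes to WPA.
WEP_IV_BITS = 24
WPA_IV_BITS = 48


def iv_space(bits: int) -> int:
    """Number of distinct IV values available before the counter must wrap."""
    return 1 << bits


def hours_to_exhaust(bits: int, packets_per_second: float) -> float:
    """Wall-clock hours until every IV value has been used once at a steady packet rate.

    After exhaustion an IV must repeat; under a static key (WEP) a repeated IV means a
    repeated RC4 keystream across two packets, which defeats the confidentiality goal.
    """
    return iv_space(bits) / packets_per_second / 3600.0


def birthday_bound(bits: int, probability: float = 0.5) -> int:
    """Packets after which an IV repeat has occurred with the given probability,
    assuming IVs are drawn at random (the standard birthday approximation
    n ~= sqrt(2 * N * ln(1 / (1 - p))))."""
    n = iv_space(bits)
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - probability))))


def compare(packets_per_second: float = 1000.0) -> dict:
    """Side-by-side figures for both IV sizes at an assumed traffic rate."""
    out = {}
    for name, bits in (("WEP", WEP_IV_BITS), ("WPA", WPA_IV_BITS)):
        out[name] = {
            "iv_values": iv_space(bits),
            "hours_to_exhaust": hours_to_exhaust(bits, packets_per_second),
            "packets_to_50pct_collision": birthday_bound(bits),
        }
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: {row['iv_values']:,} IVs, exhausted in "
              f"{row['hours_to_exhaust']:,.1f} h at 1000 pkt/s, "
              f"50% chance of a repeat after {row['packets_to_50pct_collision']:,} packets")
```

At the assumed rate, the 24-bit WEP IV space is consumed in under five hours on a single busy access point, and a random repeat is already more likely than not after roughly five thousand packets; the 48-bit space takes thousands of years to exhaust at the same rate. The point for a defender is that WEP's weakness is structural, so neither a longer key nor key rotation changes the arithmetic.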
An acceptable investment
Although the specter of massive data breaches – and costs ranging in the millions to repair the damage – hangs over every enterprise that stores consumer data, an upgrade from WEP to WPA is not as simple as downloading new software. Due to the proliferation of handheld wireless devices, such as barcode scanners and registers in use in grocery stores and high-end clothing outlets, an upgrade to WPA can cost millions of dollars in new equipment and training for employees, says David Thomas, vice president of product strategy at AirDefense.
“WEP is a protocol of the past, as far as its cryptography strength goes, but unfortunately wireless being the physical thing that it is, it’s very difficult for people to migrate. So it’s extremely unlikely that there would be a WEP deployment again. There might be some smaller businesses that, due to a lack of education, might use WEP because they used it recently and they don’t know the difference – it’s actually harder to configure and use,” he says. “It all boils down to cost at the end of the day – and another thing is training. When you deploy many different handheld devices, there is a lot of training involved and it might be quite a migration.”
While some corporate executives see headlines describing data breaches and feel an extreme sense of urgency, others must answer to a higher power: business cycles. With WPA nearing its five-year anniversary as the wireless encryption standard of choice, enterprises not scheduled to implement the technology for years risk upgrading on the eve of the introduction of another security yardstick. They also lay their businesses bare to vulnerable endpoints, says Michael Argast, analyst at anti-virus vendor Sophos.
“Legacy equipment can be a big challenge here. For example, I run WPA2 at my house, but often visitors with older laptops are unable to connect because their wireless network interface cards aren’t new enough to support the stronger crypto requirements. If you extend that to a retail environment, it could mean changing hardware in endpoints, which can be quite time-consuming and expensive, and devices may not be due to be replaced due to business cycles,” he says. “So, the security manager was often asking the business to break into an upgrade cycle early due to a vulnerability.”
In the case of a wireless encryption upgrade, compliance standards – usually an ally to security officers making the case for additional funding – are not necessarily a talking point of choice. The Payment Card Industry Data Security Standard, which has spurred retailers and merchants to improve their data security out of fear of fines from Visa and other credit giants, leaves a considerable gray area in reference to wireless security, says Josh Wright, senior security analyst at Aruba Networks.
“From our position, we see different issues. When we talk about WPA and WPA2 we can also talk about WPA enterprise and WPA personal. When we start dealing with PCI, it says everyone should use WPA, but it doesn’t differentiate between enterprise and personal,” he says.
To make matters more complicated, some enterprises use WEP – in coordination with other anti-intrusion technologies – to meet their PCI DSS requirements, which mandates that businesses rotate encryption keys on a regular basis. That routine does not present much of a hurdle for practiced cyberattackers, says Wright.
“I’ve read a number of reports and empirical analysis and realized that some stores out there are still running WEP. Apparently a lot of people still haven’t made the transition,” he says. “The PCI standard doesn’t actually require WPA or WPA2, but you can use WEP as long as you rotate the keys, at least quarterly. It takes a hacker at least 10 minutes tops to break a WEP key.”
TJX as selling point
The massive TJX data breach – which sent millions of American, Canadian and British shoppers scurrying to protect their credit – may have a silver lining when it comes to wireless security. Although WEP’s vulnerabilities were already on the minds of executives before news of the data loss broke, the threat of a copycat intrusion has given security professionals extra ammunition to sell upgraded encryption to the corporate boardroom, says Argast.
“The media coverage of the TJX breach has helped increase visibility to the executive levels of these businesses, but largely the security departments in retailers were already quite aware of the vulnerabilities associated with WEP,” says Argast. “What this coverage has done is help the security and network departments push through and prioritize projects to upgrade their infrastructure.”
Steve Alexander, information security architect at Circuit City, says that his company had zero doubt it would employ WPA2, as opposed to an earlier standard. Costly data breaches only reinforced that WEP was no longer useful, he says.
“On hearing about the TJX breach I wasn’t surprised it happened, but I was surprised that it wasn’t noticed for such a long period of time,” he says. “If you haven’t yet replaced WEP, you have to understand that the cost of replacing it is unparalleled by the cost of not replacing it.”
By the statistics
When wireless security vendor AirDefense conducted a survey of retail outlets prior to January’s National Retail Federation Convention and Expo in New York, the supplier found that an alarming 81 percent of 887 devices in all five boroughs could be compromised.
- Nearly 40 percent of the surveyed devices were unencrypted;
- Almost 30 percent of equipment was encrypted with Wired Equivalent Privacy protection, which can be compromised in minutes;
- 35 percent of service set identifications listed the store’s name, revealing retailers’ identities;
- 23 percent of devices had data leakage occur;
- 50 percent of retailers offered free Wi-Fi service.
Source: AirDefense, “2008 New York City Retail Wireless Security Survey”
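A security team running its own version of the survey above, or checking the WEP-plus-quarterly-rotation arrangement Wright describes against its PCI reading, would want a small audit that classifies each access point the way AirDefense's categories do. The following is an added example written for this page, not AirDefense's survey tooling or any retailer's code. The scan records, the store names and the audit date are constructed; the 90-day window is this example's reading of "at least quarterly", and WEP is reported as a finding even when rotation is on schedule because the experts quoted put key recovery at minutes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed audit date so the run is deterministic (not data from the article).
AUDIT_DATE = date(2008, 1, 15)
ROTATION_WINDOW_DAYS = 90   # this example's reading of "at least quarterly"


@dataclass
class AccessPoint:
    ssid: str
    security: str                       # "OPEN", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-EAP"
    last_key_rotation: Optional[date]   # only meaningful for static-key WEP
    store_name: str                     # retailer the access point belongs to


def reveals_store(ap: AccessPoint) -> bool:
    """The survey's 'SSID lists the store's name' category."""
    return ap.store_name.lower() in ap.ssid.lower()


def audit_access_point(ap: AccessPoint, today: date) -> List[str]:
    """Return the findings for one access point (empty list means nothing to report)."""
    findings = []
    if ap.security == "OPEN":
        findings.append("unencrypted")
    elif ap.security == "WEP":
        # WEP is reported regardless of rotation: rotating a key that can be
        # recovered in minutes does not restore confidentiality.
        findings.append("WEP in use: recoverable in minutes, migrate to WPA2")
        if ap.last_key_rotation is None or (today - ap.last_key_rotation).days > ROTATION_WINDOW_DAYS:
            findings.append("WEP key not rotated within %d days" % ROTATION_WINDOW_DAYS)
    elif ap.security.endswith("-PSK"):
        # The page notes PCI does not distinguish personal from enterprise mode.
        findings.append("pre-shared-key (personal) mode: prefer WPA enterprise mode")
    if reveals_store(ap):
        findings.append("SSID reveals the retailer's name")
    return findings


def summarize(aps: List[AccessPoint]) -> dict:
    """Aggregate counts in the same categories the survey reports."""
    counts = {"total": len(aps), "unencrypted": 0, "wep": 0, "ssid_leaks": 0}
    for ap in aps:
        if ap.security == "OPEN":
            counts["unencrypted"] += 1
        elif ap.security == "WEP":
            counts["wep"] += 1
        if reveals_store(ap):
            counts["ssid_leaks"] += 1
    # "Could be compromised" here means open or WEP, the two categories the
    # survey text itself flags as breakable.
    counts["compromisable"] = counts["unencrypted"] + counts["wep"]
    counts["pct_compromisable"] = (
        round(100.0 * counts["compromisable"] / counts["total"], 1) if counts["total"] else 0.0
    )
    return counts


# Constructed scan records (hypothetical SSIDs and retailers, not survey data).
SAMPLE_APS = [
    AccessPoint("Marshalls-POS", "WEP", AUDIT_DATE - timedelta(days=120), "Marshalls"),
    AccessPoint("store7-scanners", "WEP", AUDIT_DATE - timedelta(days=30), "Marshalls"),
    AccessPoint("guest-wifi", "OPEN", None, "Acme Mart"),
    AccessPoint("acme mart registers", "WPA2-EAP", None, "Acme Mart"),
    AccessPoint("rtl-0042", "WPA2-PSK", None, "Acme Mart"),
    AccessPoint("corp-secure", "WPA2-EAP", None, "Acme Mart"),
]


def run_audit(aps: List[AccessPoint] = SAMPLE_APS, today: date = AUDIT_DATE) -> dict:
    """Print per-AP findings and return the summary counts."""
    for ap in aps:
        for finding in audit_access_point(ap, today):
            print(f"{ap.ssid!r} ({ap.security}): {finding}")
    return summarize(aps)


if __name__ == "__main__":
    print(run_audit())
```

On the constructed records the audit reports half of the access points as compromisable (one open, two WEP, one of them past its rotation window) and two SSIDs that name the retailer. The same classification applied to a real scan export gives the figures a security manager needs when making the upgrade case the article describes.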