
Weak wireless security on display at retail convention

Updated Thursday, Jan. 17, 2008, at 1:20 p.m. EST.

Wireless LAN vendor AirDefense disparaged vendors at the National Retail Federation (NRF) Convention and Expo, which took place this week in New York, for slipshod airborne web-security practices.  

The Atlanta-based vendor, one of the handful of security suppliers with a booth at the Javits Center this week, reported Tuesday that less than 10 percent of the 458 access points (APs) featured “bullet-proof” encryption, such as WPA2.

Almost six in 10 APs used Wired Equivalent Privacy (WEP) encryption, considered the weakest airborne data protection, and nearly 80 percent of 1,693 wireless devices, such as laptops, PDAs, phones and PCs, were vulnerable to “evil twin” attacks, a version of email phishing scams, according to AirDefense.

Richard Rushing, chief security officer, said today that many vendors choose convenience over security when setting up convention booths.

“It's a typical show environment, and it's kind of interesting in the retail space that's trying to move towards being strong security-wise, that you still had a number of devices using WEP, and you have a number of devices that could be compromised,” he said. “The convenience factor wins out over the non-convenience factor.”

Representatives of the Javits Center and the NRF could not be immediately reached for comment.

AirDefense researchers also reported that attack tools such as Karma, Hotspotter and Airsnarf were seen in the expo floor's airwaves, and 94 mobile devices altered their Media Access Control addresses to bypass Javits' Wi-Fi hotspot security.

Rushing added that it's unlikely the APs could be used for a data-stealing operation, but said he was surprised that retailers, eager to show off wireless security in the wake of the massive TJX Companies breach, would dismiss best practices at the show.

“Some of the retail sectors are overlooking the fact that [the Payment Card Industry Data Security Standard and well-known breaches are] on everyone's mind, so why would you not want to go forward with [increased security] at the show,” he said.

Mike Paquette, chief strategy officer at Top Layer Networks, an intrusion-prevention vendor that has worked with Javits, said that “certainly there is no expectation that any convention center can control the ‘Wild Wireless West’ that its exhibitors choose to implement within their displays on the floor.”

“The vast majority of the 450-plus access points observed are likely owned by the exhibitors, not the Javits Center, so the observations are about the state of wireless security amongst the exhibitor teams of retailers,” he said. “This may well extend to enterprises, but it could also be that enterprises outfit the exhibitor equipment pool with older wireless gear, as a kind of technology recycling. Certainly there would be risks associated with such an approach if actual business is carried over these networks.”
