Wireless network admins wising up

But drive-by surveys in New York, London and Paris still spot lots of unsecured hot spots


Owners of wireless hot spots are doing better at securing their networks, but about a fifth of corporate access points in London, Paris, and New York remain open to all comers, RSA Security Inc. reported Thursday.

Reprising past surveys, RSA personnel drove or walked through swaths of each city, logging each wireless access point detected by a specially-equipped laptop, and recording data including the service set identifier (SSID), security protocol, signal strength, and operational mode. In New York, for example, the team covered Manhattan's Midtown and Downtown, and parts of Uptown as far north as 125th Street.

On average, survey results were encouraging, said Toffer Winslow, a vice president of product management at RSA. "Folks are securing their access points more, and more with advanced encryption such as WPA rather than plain old WEP," he said.

Wired Equivalent Privacy (WEP) is a 1999-era data encryption standard now considered inadequate, and has been supplanted by WPA, or Wi-Fi Protected Access, which requires stronger passwords and uses a 128-bit key rather than WEP's 40-bit key. However, WEP is still offered as the default security technique by most wireless hardware.

In all three cities, the percentage of hot spots that were secured by some kind of encryption was higher than last year. In London, the numbers improved from 76% to 81%, while New York climbed from 75% to 76%, and Paris moved from 78% to 80%. WPA use also grew, Winslow said, with 49% of the business wireless networks in New York locked down with tighter security. London and Paris came in second and third, with 48% and 41% WPA usage, respectively.

But a substantial percentage of business wireless networks still run without security. Eighteen percent of the detected corporate hot spots in both Paris and London were unsecured, while New York topped that at 21%. "This strikes me as very foolish," said Winslow.

Living almost as dangerously were significant minorities of hot spots that used default SSIDs and media access control (MAC) addresses. In London, 30% of the wireless networks relied on the manufacturer's SSID -- usually the name of the hardware maker, such as Linksys -- or preset MAC address. New York ranked slightly better, at 24%, but Paris beat both by a wide margin: Only 13% of the wireless access points sniffed by RSA in the city of light used defaults.

"Change the default network settings, that's No. 1," said Winslow when asked to list recommendations for wireless users. "Use [encryption] protocols stronger than WEP, and when you're at a public hot spot, VPN is essential.

"I wouldn't even call these 'best practices' anymore" he said. "They're just the reasonable practices."