Taking the lid off Wi-Fi potholes

When it comes to finding the weak point in a network, James Lyne and Gerhard Eschelbeck can mix it up with the best of them.

Fortunately, both are in the business of finding vulnerabilities in a network and closing them down in their respective roles at information security vendor Sophos.

The Sophos team, led by head of security Lyne, has been busy around the streets of Sydney of late. Their objective is to uncover the holes in the primary circuitry of connectivity that many of us are starting to take for granted: Wi-Fi.

Lyne’s latest ‘warbiking’ expedition across Sydney has unearthed some interesting results. Warbiking is somewhat of a menacing term for the uninitiated, but the idea is actually pretty simple. Get a mountain bike, equip it with a Wi-Fi enabled device (smartphone, tablet) and away you go -- perusing the streets for Wi-Fi networks.

It’s a relatively straightforward exercise as far as scanning for Wi-Fi hotspots is concerned and Sophos’ Sydney ride reveals some important points that users, network operators and security vendors would be well advised to follow.

Eschelbeck, Sophos’ chief technology officer, says that while Sydney fares a lot better than some of the other destinations on the vendor’s warbiking roadmap (San Francisco, London, Las Vegas), there is some cause for concern.

Of the 34,476 networks surveyed, almost 28 per cent were using either the easily-broken Wireless Equivalent Privacy (WEP) algorithm, or no security encryption at all.

The worry, according to Eschelbeck, is that almost 4 per cent of the networks are still using WEP, despite the fact that it’s well past its use by date.

“WEP has been broken for a long time, it’s the default in a lot of systems,” he says.

Can’t get enough of Wi-Fi

So why are some networks still stuck in default mode right when Australian consumers can’t get enough of Wi-Fi?

The latest research from Roy Morgan illustrates how Wi-Fi is quickly becoming a necessity for those of us in the metros, with Perth currently taking out the crown of the wireless hotspot capital of Australia. 

According to the research, Sydney -- the city with the highest proportion of residents owning a smartphone -- now has the lowest rate of hotspot usage, or just 23 per cent of smartphone owners. 

Meanwhile, the popularity of hotspots in Melbourne is up 27 per cent and in Adelaide up 25 per cent over the last six months.

Proportion of smartphone users connecting at Wi-Fi hotspots in an average three months

Source: Roy Morgan Single Source (Australia). April 2013 – September 2013 n = 2548, October 2013 – March 2014 n = 2188 Australians aged 14 with a smartphone as main mobile phone.

With the likes of iiNet and Telstra seriously pursuing a Wi-Fi agenda, the technology is quickly moving up in the popularity stakes. However, as Sophos points out, having a network and ensuring that it’s safe are two very different things.

The illusion of ubiquitous security

The biggest concern, according to Sophos, is that in some cases basic security best practice is not being implemented and there are a lot of faulty assumptions at play when it comes to wireless security.

Eschelbeck says that it’s this illusion of ubiquitous security that leads to poor consumer behaviour, adding that security vendors also have a responsibility to break out of legacy thinking.

“There’s no reason why any equipment or solution should be shipping with default settings,” he says, adding that security needs to reach of level of compatibility and automation where there’s no chance of anyone running an outdated protocol.

Until then, users need to exercise a modicum of common sense when it comes to protecting themselves on wireless networks. Sophos’ research indicates that Sydney has a relatively high number of open networks, and while many of them use a captive portal to register users, the data isn’t encrypted.

Sophos’ research also points out just how lax many of us are when it comes to connecting to an open wireless network, without any idea of who owns it or whether it is trustworthy.

According to James Lyne, this willingness to connect blindly is tantamount to screaming sensitive personal information out the window for all to hear.

“With a few extra command line arguments, it would have been trivial to attack nearly everyone in our Sydney hotspot study,” Lyne warns.

The Internet of Things (IoT) may not mean a whole lot right now, but suffice to say that the number of end-point devices -- and yes, that includes fridges and toasters -- connected to the network will be more than ever before.

Consumers and security vendors will have to work together to navigate this expanded infrastructure, and Eschelbeck says that securing the IoT will require the development of robust standards that truly give consumers a sense of security.

“How we create this standardised environment is the key challenge for all of us,” he says.