Retailer Wireless Devices Largely Unprotected


A new survey shows 44 percent of the wireless devices used by retailers are vulnerable to attacks by data thieves. And that’s the good news. A year ago, the same Motorola survey showed 85 percent of retailers were sitting targets for drive-by data attacks. New PCI standards phasing out Wireless Equivalent Protocol–the weakest form of encryption this side of no encryption at all–may hold the key to improved retailer wireless security.

The good news: A new survey shows retailers are beefing up their wireless security. The bad news: The same survey shows 44 percent of the wireless devices used by retailers are sitting targets for data thieves, suffering from weak encryption, data leakage, misconfigured access points and outdated access point firmware.

While that 44 percent number may seem shockingly high, Richard Rushing of Motorola’s Enterprise Mobility unit points to last year’s results that found 85 percent of retailers’ wireless devices were begging to be compromised.

“Retailers nationwide are improving wireless security, as quantified by the significant drop in vulnerable wireless devices that were discovered during this year’s monitoring efforts,” said Rushing, Motorola’s senior director of information security for mobile devices. “However, a significant majority of retailers are still susceptible to a network intrusion—a sign that wireless security remains an afterthought for many.”

The Motorola survey conducted by Rushing included a review of wireless data security at more than 4,000 stores in some of the world’s busiest shopping cities, including Atlanta; Boston; Chicago; Los Angeles; New York; San Francisco; London; Paris; Seoul, South Korea; and Sydney, Australia. While 68 percent of the sites were using some form of encryption for their laptops, mobile computers and bar-code scanners, 25 percent of those were still using outdated WEP (Wired Equivalent Protocol) deployments, the weakest protocol for wireless data encryption.

Altogether, Motorola discovered almost 8,000 APs, with 22 percent of them misconfigured. Another 10 percent of the AP’s SSIDs (Service Set Identifiers) were poorly named, which makes it relatively easy for potential data thieves to zero in on the store’s identity. More than 32 percent of retailers had unencrypted data leakage, while 34 percent had encrypted data leakage.

“As wireless exploded over the last few years, retailers had a bunch of devices that connected to the [store’s] network,” Rushing said. “Then, you didn’t have people who knew both wireless and security. The security model is just coming into play the last two to three years.”

Rushing said one of the more overlooked security issues with large retailers is the cookie-cutter approach to wireless technology. By using the same technology, configuration, security and/or naming conventions at all retail locations, vulnerabilities repeat themselves across the entire store chain, rendering them susceptible to attacks.

“The bad guys had a huge head start,” Rushing said. “We’ve caught up with them, but we’re not necessarily ahead of them.”

Helping the retailers play catch-up are companies like Motorola and Aruba Networks. Both have recently introduced wireless enterprise security product lines that store, process, transmit and protect wireless data, including credit card information.

Also pushing the retailers to greater wireless security is the Payment Card Industry council, which issues requirements for security management, policies and procedures. With PCI members including VISA, American Express, Discover Financial Services and MasterCard Worldwide, the council leverages the standards to force retailers to improve their wireless security.

If a breach happens, retailers not deploying PCI security standards run the risk of losing the ability of processing customers’ credit and debit cards or incurring fines or restrictions on the use of customers’ cards. Both Motorola’s and Aruba’s enterprise wireless security systems are PCI-compliant.

Included in the PCI’s newest standards is a prohibition against new WEP deployments in the Cardholder Data Environment beyond the 31st March 2009, and a requirement of the elimination of WEP from the CDE beyond the 30th June 2010.

“Retailers are moving away from WEP more and more,” Rushing said. “Things are now moving in a different direction. It’s all becoming more mature. You have to deploy layered secured security.”

Still, 44 percent of retailers’ wireless devices are susceptible to unwelcome intrusions.

“If you’ve looked at wireless as long as I have, the shock goes away,” Rushing said. “It’s certainly better than it was, but, in my opinion, it’s a wonder there haven’t been more data thefts.”