HUNDREDS OF commercial wireless hotspots in Dublin, Limerick and Cork are insecure, leaving users susceptible to having data such as usernames, passwords and bank account details revealed to other users on the network.
An annual “war walk” by consultants Deloitte has found that 70 per cent of public wireless networks have no encryption in place, while 80 per cent are “insecure”, meaning they have no encryption or use the WEP standard which is trivial to crack.
The annual “war walk”, which involves walking down commercial streets in the centre of Dublin, Cork and Limerick and scanning for available Wi-Fi networks, found that, of 6,545 networks discovered, 56 per cent were insecure.
“These include many well-known wireless hotspot providers, as well as the wireless networks at many well-known hotels, restaurants and conference centres,” the Deloitte report says.
Of the insecure public networks, “a significant number” are owned by commercial providers, according to Colm McDonnell, Deloitte’s partner for Enterprise Risk Services.
“Users wouldn’t be aware but, while they are sitting in a cafe, a hacker can sniff all the information that’s going around the network,” says McDonnell.
“If there is no encryption, they can also steal a paid for session by taking the cookie off a legitimate users PC.” Cookies are plain-text files stored by a user’s web browser to identify them to a site.
This is the third year of Deloitte’s annual survey of wireless security.
This year, the study branched out from Dublin to cover Cork and Limerick and also looked at residential networks as well as those in business premises.
In Dublin, 63 per cent of home networks were found to be secure compared to 51 per cent of businesses.
The pattern was repeated in Cork (60 versus 50 per cent) and Limerick (66 versus 60).
McDonnell says businesses may be leaving their networks open as a matter of “expediency”, making it easy for staff and visitors to access the network without having to worry about configurations.
“The frustrating thing here is that there is not a big cost involved in being secure – these people have already bought the hardware, they just need to configure it,” said McDonnell.
On a regional basis Limerick has the most secure networks (62 per cent), compared to Dublin (54 per cent) and Cork (53 per cent).
The analysis also found that just 13 per cent of networks do not broadcast their network identifier or SSID. The SSID may contain information like a company name which makes it easier for hackers to guess weak passwords.
A security flaw was discovered in Eircom wireless routers in late 2007, which meant the SSID contained a unique eight-digit number which could be used to generate the password for that network.
Users were advised to upgrade their security settings as a result but 63 per cent, or 861 Eircom routers discovered still used the old protocol. Software is freely available online that will provide the password to these networks.
“People have to realise the goals are constantly changing,” said McDonnell.
“Just because it was secure six months ago doesn’t mean it’s still secure. At this point in time, the individual user or business are the weak points in security.”