Feeds

Study: Wi-Fi users still don't encrypt

Silly Billies

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Think you've heard more than enough about war driving and Wi-Fi insecurity? Two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't getting the message -- or are comfortable broadcasting their e-mail into the ether.

Security vendor AirDefense set up two of its commercial "AirDefense Guard" sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.

What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day. (The company says it counted all VPN or tunneled traffic as e-mail).

That means the other 88% could easily be intercepted by eavesdroppers using commonly-available tools, compromising both the e-mail and the user's passwords.

Additionally, 84 out of the 523 users monitored were configured to allow ad hoc networking, and 74 were configured to automatically connect to the access point with the strongest signal strength -- a default mode that could leave a laptop prey to a rogue access point.

And then there was the hacking. Passive eavesdropping is undetectable, but AirDefense picked-up 149 active scans from war driving tools like Netstumbler, 105 denial-of-service attacks, eight probes for known exploits against access points, and thirty-two attempted man-in-the-middle attacks -- three of the successful.

"People were probably having a little fun, but I'm not sure it was all malicious," says AirDefense's Brian Moran. "The real shocking part was how many people attached to their corporate e-mails without any kind of encryption."

Wi-Fi eavesdropping for any purpose is usually frowned upon in legal circles, but AirDefense was a sponsor and the "official security provider" at the conference, and Moran say the company provided attendees with ample notice of the study. "There were huge signs throughout the place saying AirDefense is monitoring all conference traffic."

© SecurityFocus

Security for virtualized datacentres

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
This flashlight app requires: Your contacts list, identity, access to your camera...
Who us, dodgy? Vast majority of mobile apps fail privacy test
Apple Watch will CONQUER smartwatch world – analysts
After Applelocalypse, other wristputers will get stuck in
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.