Many retail stores not encrypting Wi-Fi, or using WEP

November 18, 2007

Half of 3,045 retail stores in major shopping areas across the U.S. and Europe use wireless data systems that are vulnerable to hacking, according to AirDefense. Their study found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all. Another 25 percent were using the outdated WEP (Wired Equivalent Privacy) encryption method, which is easily cracked and can no longer be relied upon to ensure the confidentiality of communications. [1]

Mathematicians demonstrated in 2001 that the RC4 key scheduling algorithm underlying the WEP protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key (this made it possible to recover the WEP key in slightly under one hour, assuming a data rate of 11 Mbps and an average packet length of 1 Kbyte). [2] Further flaws discovered in the algorithm later reduced the time required to find the key to a matter of minutes, although that was not necessarily fast enough to break into systems configured to change their security keys every five minutes. However, in April 2007, in a paper titled "Breaking 104 bit WEP in less than 60 seconds", German security researchers demonstrated just how quickly a WEP key can be cracked. With less than one minute of captured traffic, they were able to extract a 104-bit WEP key in just 3 seconds using a 1.7 GHz Pentium M processor. This new attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office. [3]

Wireless systems are believed to have been the entry points for recent large-scale data thefts at retailers, including a massive heist at discount retailer TJX Cos. TJX said in March that at least 45.7 million cards were exposed, although recent court filings by banks suing TJX estimate the figure at more than 100 million. Canadian investigators concluded in September that TJX had failed to upgrade its encryption from the older WEP method by the time the eavesdropping began in July 2005. [1]

The six-week undercover survey by AirDefense was conducted across 3,045 stores in Atlanta, Boston, Chicago, Los Angeles, New York, San Francisco, London and Paris. While the retail outlets surveyed included many large, high-end stores, they also included smaller merchants. The surveyors carried backpacks containing laptop computers with 4-inch-long radio signal-intercepting antennae. After walking through the stores, they downloaded the information the laptops had gathered and examined the data for security holes using tools that unscramble encrypted data. [1]
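The survey's open/WEP/WPA breakdown comes down to classifying what each access point advertises in its beacons. The following added example (not code from the article or from AirDefense) shows how an auditor of their own store network can do that classification from the beacon's Capability Information field and its tagged information elements; the beacon records are constructed for the example, and the element ids and the WPA OUI/type prefix are the standard 802.11 values.

```python
# Classify constructed 802.11 beacon fields into the encryption classes the
# survey counted: open, WEP, WPA (vendor element) and WPA2 (RSN element).
# Inputs assumed: the 2-byte Capability Information field and the tagged IEs.

PRIVACY_BIT = 0x0010   # capability bit 4 "Privacy": encryption is required
IE_RSN = 48            # RSN information element -> WPA2
IE_VENDOR = 221        # vendor-specific information element
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # OUI 00:50:F2, type 1 = WPA

def parse_ies(data: bytes):
    """Yield (element_id, payload) pairs; stop at a truncated element."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) < length:   # malformed element: never over-read
            break
        yield eid, payload
        pos += 2 + length

def classify_beacon(capability: int, ies: bytes) -> str:
    """Return 'open', 'wep', 'wpa' or 'wpa2' for one beacon."""
    if not capability & PRIVACY_BIT:
        return "open"
    has_rsn = has_wpa = False
    for eid, payload in parse_ies(ies):
        if eid == IE_RSN:
            has_rsn = True
        elif eid == IE_VENDOR and payload[:4] == WPA_OUI_TYPE:
            has_wpa = True
    if has_rsn:
        return "wpa2"
    if has_wpa:
        return "wpa"
    return "wep"   # Privacy set but no RSN/WPA element: legacy WEP

def audit(beacons):
    """Count access points per class, like the study's 25%/25% breakdown."""
    counts = {"open": 0, "wep": 0, "wpa": 0, "wpa2": 0}
    for capability, ies in beacons:
        counts[classify_beacon(capability, ies)] += 1
    return counts

# Constructed sample beacons (not captured traffic): (capability, IEs).
SSID_IE = bytes([0, 5]) + b"store"          # SSID element, id 0
RSN_IE = bytes([48, 2, 0x01, 0x00])         # minimal RSN element, version 1
WPA_IE = bytes([221, 6]) + WPA_OUI_TYPE + bytes([0x01, 0x00])
SAMPLE_BEACONS = [(0x0401, SSID_IE), (0x0411, SSID_IE),
                  (0x0411, SSID_IE + WPA_IE), (0x0411, SSID_IE + RSN_IE)]
```

Any access point that lands in the "open" or "wep" bucket is one of the exposures the article describes and should be reconfigured, not just logged.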

But despite these shortcomings, retailers in general are becoming more aware of wireless security issues. Until fairly recently, it wasn't at all unusual for store managers to install (sometimes incorrectly) their own wireless gear at their locations. Similarly, during the holiday shopping rush, stores would routinely set up ad hoc point-of-sale systems, and those too were poorly secured. But companies are now well aware of the wireless requirements of the PCI regulations and have been trying to address them. [4]

1. "Many Retailers Easy to Hack, Study Finds", The Sydney Morning Herald, November 16, 2007.

2. Gilbert Held, "Securing Wireless LANs", Wiley, 2003, p. 107.

3. "Researchers crack WEP WiFi security in record time", Techworld, April 4, 2007.

4. "What retail wireless security?", Computerworld, November 15, 2007.