RSA, the security division of EMC, likes to commission wardrivers to cruise the streets of London, New York City, and Paris each year to see whether folks have gotten clued in when it comes to WiFi security. This year's results surprised them: They found that, of the networks they identified as belonging to businesses, 94 percent in Paris and 97 percent in New York were secured in some fashion; for unknown reasons, London lagged at 76 percent.



In Paris, most private personal and business networks were secured. (Image: RSA)

Sean Kline, an RSA director who deals with identity and access security, said, "It seems to me that there have been many more articles about the importance of securing wireless access in the past year than in past years." He attributed a hunk of the improvement to the apparently improved ease with which consumer gear allows encryption to be turned on.

"The consumer-oriented products are absolutely getting easier to use as they have to," Kline said. "People are scared, probably, of putting up wireless access points, yet if the companies make it easy, they feel comfortable."

The company that has driven the route over the last few years, WiFoo, reported to RSA that a tiny sliver of companies are using the gold standard of enterprise protection: 802.1X in the form of WPA/WPA2 Enterprise. (This standard requires a form of authentication before a device can gain access to the network: a certificate, a user name and password, an RSA token, or other methods. Each authenticated user is then assigned a master key distinct from all other users on the network.)

Perhaps less surprising, despite the high levels of encrypted and protected networks the wardrivers found, the long-broken WEP (Wired Equivalent Privacy) was in use on about half of all secured networks (combined consumer and business) in New York and London, but only a quarter of the networks in Paris. Most networks employing improved encryption were using WPA Personal (WPA-PSK), although a good subset were using the combined WPA/WPA2 Personal mode in which the better encryption would be used if available. (WPA, a Wi-Fi Alliance certified standard, supports the TKIP algorithm; WPA2 supports either TKIP or the more secure AES.)



New York's networks, personal and corporate, nearly half of all secured networks relied on the broken WEP standard. (Image: RSA)

"WEP is absolutely no longer a viable security mechanism, and we need to continue to raise awareness here," Kline said. Effective WEP cracks started to appear in 2001, and simple and fast cracking was available perhaps as early as 2004.

Kline said that companies were apparently relying on internal security methods, and disregarding external access to their wireless networks, which violates RSA's "defense in depth" strategy. "It's one thing to take action and think that you're secure, but what I think we've uncovered here: you may think that you're secure, but you're not really."

Kline noted that the company's surveys showed that Paris had the biggest jump in WiFi hardware along the route, which has been driven consistently over the last four years. In 2006, the WiFoo writers found 573 access points; 825, in 2007; and a whopping 4,481 in 2008. About three quarters of those access points were used for business.

RSA's interest in this market is in promoting its security solutions, which involve two-factor authentication—typically a password plus a token entered manually or automatically from a device that constantly generates a new code. This can be used with 802.1X/WPA Enterprise, or with VPNs that tunnel over WiFi networks into enterprise networks.