Comprehensive study of wireless security in Las Vegas

AirDefense unveiled results from its comprehensive study of the wireless airwaves at hundreds of Las Vegas retailers and hotels/casinos. AirDefense found the majority of retailers in Las Vegas using strong encryption protocols to protect data with 65 percent of the 640 Access Points discovered encrypted with WPA or WPA2. In stark contrast, 82 percent of the 1,557 APs discovered in Las Vegas hotels/casinos were using either no encryption or WEP, the weakest protocol for wireless data encryption.

AirDefense conducted its study by capturing the data as it leaked out of the buildings. While consequences of the wireless security vulnerabilities found in AirDefense’s Las Vegas study are difficult to quantify, unauthorized individuals with a desire to steal consumer information, retailer data or to disrupt networks are likely to look for the weakest link in the network, such as mis-configured access points.

On the downside, many instances were discovered where retailers continue to use their store name in the Service Set Identification (SSID). An SSID is the name assigned by the equipment vendor to the wireless network during installation. SSIDs can easily be reconfigured but often times are not. Store SSIDs emit a broadcast signal for potential intruders to quickly pick up and fraudulently connect to default settings that haven’t been changed. In addition, AirDefense discovered high levels of data leakage as wireless functionality was added and left unprotected increasing the risk of exposing point-of-sale information and consumer credit card information.

Study anecdotes:

• A greater number of high end retailers are offering free wireless to customers, inviting more traffic into stores. However, many consumers simply fail to turn on the encryption features of their personal wireless devices.
• Rogue APs present a huge threat with many interference and performance issues percolating creating the perfect cover for hackers.
• Unencrypted and encrypted wired sided leakage of security protocols (Spanning Tree, HSRP, CDP, VTP, DTP, VRRP, and NetBios, is a critical problem in the hotels and casinos as a leaking path is not just one way, it’s bi-directional, what leaks out can leak back in.
• Many of the hotels/casinos have deployed some of the newest wireless switches and AP hardware and are some of the only sites discovered to be using 802.11a.
• Hotels/casinos along the strip are battling between high powered outdoor wireless networks and internal wireless networks.
• A minimal amount of mis-configured APs were discovered as had been seen in past surveys. However, Linksys, Netgear and Dlink were found playing the role of rogue APs.
• Numerous interference and performance problems were discovered with the wireless networks throughout the city.