Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Infrastructure

12:19 PM
Gregg Keizer, TechWeb News, InformationWeek
Gregg Keizer, TechWeb News, InformationWeek
News
Connect Directly
RSS
E-Mail
50%
50%

Wireless Laptops at Democratic Convention May Pose Big Risk

Tests by Newbury Networks, a wireless security provider, found hundreds of unsecured access points near the FleetCenter.

Thousands of people will gather in Boston beginning Sunday for the Democratic National Convention -- many of them armed with wireless-enabled laptops that could present major security problems, a Boston-area firm says.

Although the convention itself will rely on a wired network, there are hundreds of unsecured wireless access points and cards around and about the FleetCenter, home to the convention, according to tests done by Newbury Networks, a provider of location-based wireless security solutions.

In a pair of day-long drives around the FleetCenter in July, Newbury easily found thousands of unsecured access points and hundreds in the immediate area of the FleetCenter, says Matthew Gray, the company's chief technology officer, who adds that the unsecured access points and cards could pose a serious problem at the convention.

Hackers could loiter outside of the FleetCenter, then use the unsecured hotspots to gain access to Wi-Fi-enabled laptops carried by journalists, delegates and others, perhaps by exploiting vulnerabilities on un-patched machines. From there, attackers could use the compromised machines to gain access to the convention's wired network, where they might be able to dig up sensitive information or launch a denial-of-service attack on the network to throw a wrench into the proceedings.

The leap from compromised wireless laptops to the convention's wired network is possible, says Gray, because most Wi-Fi notebooks automatically connect to any access point within range, even as they're on the wired network. "Laptops could be on both networks -- wireless and wired -- at the same time," he says. "That's a much more insidious kind of threat than a rogue user simply connecting to an access point."

As Gray and others drove near the FleetCenter and at times parked in lots close to the site, they detected unsecured access points and cards using the traditional "war drive" tactic of using a Wi-Fi notebook of their own, as well as with slightly more sophisticated gear and the company's WiFi Watchdog software.

"We used a high-gain antenna to draw in signals from access points as far away as two or three miles," he said. Such antennas are inexpensive--$30--and can even be made out of a Pringles can. "Just type 'Pringles' and 'wireless' on Google," said Gray. "You'll be amazed."

Even though physical security at the convention is expected to be tight, Gray was surprised that their forays didn't raise any eyebrows. "We were never stopped by police, even with an antenna pointed out the window of the car," he said. "That was a little distressing."

The wireless security problem is exacerbated, Gray said, because four years ago, when the Democrats last put on their convention, wireless was a rarity. "Wireless security issues aren't really new, but to a group like this that puts on an event only every four years, they're very new."

The convention will essentially be a wireless-free zone, with no open access available. But select users such as media photographers will have access to hot spots near their workstations. These nodes, as well as those deployed around each state's delegation, will be managed by convention's own technology group. It's the access points outside their control that worry security experts like Gray.

Information stored on the convention's own computers may not contain confidential information, but if it does, the data may be at risk to theft. More troublesome, says Gray, would be a denial-of-service attack unleashed via vulnerable laptops linked to the wired network inside the FleetCenter. A determined attack could bring down the convention's computer network, crippling the event.

As an example of the pervasiveness of wireless devices around the FleetCenter, Gray noted that during their war drives, a wireless card tried to connect with the open access point they had set up in the car about every two minutes. Some laptops or other devices tried to connect repeatedly, likely without the user even knowing it was happening.

More disturbing, however, was that two out of every three wireless networks they detected sported no encryption or had it disabled, making exploitation relatively easy. "I thought we'd find some unsecured access points and cards," Gray said. "But unfortunately, my expectations were greatly exceeded."

The Democratic National Convention Committee did not return a call for comment.

This article appeared in the July 23, 2004 issue of InformationWeek.

Register for Bank Systems & Technology Newsletters
Slideshows
Video
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.