The Middle East is a major hotspot of new technology adoption. Both consumers and enterprises are rapidly adopting new technologies and using new devices, which mean they are connected all the time, wherever they are. However, many still aren’t doing the basics to make sure they are secure. To confirm our suspicions and measure the general state of security awareness, we conducted a wireless audit across London in the UK, using a bike fitted with solar panels, dynamos and a wireless sniffing kit. We called the exercise ‘warbiking’.
Our London warbiking experiment revealed primarily two things: firstly that many users still don’t appropriately secure their wireless networks and secondly and more generally, that there is still a lot of work to be done in building security awareness. Of the nearly 107,000 wireless networks we detected, over a quarter had poor security configuration. These networks varied from being completely open to using outdated, easily broken security standards.
While some of these networks could have used alternative means of protecting the network, most of them are leaving their users exposed. In general, the attitude towards sharing wireless network passwords is very lax. For example, if you ask someone for their personal information or a credit card they usually recognise its sensitivity. Yet, many will hand over their wireless network key to a guest who is a relative stranger.
Unfortunately, access to a wireless network can mean much more than just getting access to the internet, and many people don’t understand that if someone breaks into your network they may be able to monitor your web browsing, redirect you to malware or phishing sites or monitor private conversations. Most networks are hard on the outside but soft on the inside.
This means that once the attacker is inside they can exploit the weak trust relationships to gain astonishing amounts of information. While some of these networks are intentionally open, such as hotspots provided by cafes or hotels, they still leave traffic unencrypted and unless sites force https, the information can be exposed. In some situations you can also use this network access to circumvent https sites too.
Perhaps more concerning than the open networks were the substantial number of people using WEP, a protection standard to encrypt network traffic that has for a long time been completely broken. There are readily available, simple-to-use tools which enable anyone to break a WEP key within a very short space of time. Where open networks may be intentionally open and users may be taking other steps to secure themselves, WEP users are likely living with a false sense of security.
Global connect
Although this particular experiment was conducted in London, the results are applicable globally. In the Middle East, consumers, small businesses and enterprises make extensive use of the latest technology. This drive to use latest technology and the fast organic expansion can lead to a sprawl of network infrastructure with varying configurations across the network. For example, it can be common for enterprises to have well-configured corporate wireless, but for small branch offices or home workers to leave themselves exposed and provide a back door to the enterprise network.
Furthermore, after meeting with CIOs and IT Security managers in the Middle East I also found the prevalence of BYOD or unmanaged consumer devices to be significantly higher than many other regions. This means the occurrences of easy-to-access wireless networks could be even higher in the Middle East.
Small businesses, consumers and enterprises alike should take simple steps to protect themselves, making sure they invest in security capabilities that span endpoint, network and mobile.
— The author is Director of Technology Strategy, Sophos
