A notable percentage of London’s Wi-Fi hotspots have been found to have poor or no security.
Research by James Lyne, director of technology at Sophos, found that, of the nearly 107,000 wireless hotspots in the capital, eight per cent used no encryption (appearing as either home or business networks), while 19 per cent used ‘WEP’ style encryption. The remaining 81 per cent used WPA or WPA2 encryption.
Lyne conducted the experiment using a bike equipped with dynamos and solar panels, which powered a computer that scanned for wireless networks. A GPS-enabled device was also employed during the experiment to inform the creation of a heat map depicting the various levels of Wi-Fi network security around central London.
Worryingly, nine per cent were using either a default network name or the vendor or business name, allowing password hacking to be even faster and easier. According to the research, this figure increased to over 21 per cent when taking into account networks using the default name with some random elements per device. “Pretty much every wireless device can be configured to use secure wireless networking out of the box, so poorly configured devices show a lack of awareness rather than a lack of capability to be secure,” Lyne told SC Magazine recently.
Lyne advises those responsible for networks to take simple steps to protect them, with the aim of making them far less attractive targets for anyone trying to snoop on a user’s internet activities or steal personal information. “If an attacker gains access to a wireless network they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites (for example to deliver malware or capture credentials) or using the network to perform any manner of anonymous or illegal activities,” he explained.
It is worth noting that during this experiment, Sophos collected data only to the extent permitted by law. The experiment therefore did not test the strength of the passwords used, as no access attempts were made.