Fixing Wi-Fi Security Problems: Hire Wardrivers

Posted by: Olga Kharif on April 25, 2006

On April 20, Westchester County in New York approved a law that will slap local business owners with a warning or a fine for not securing their Wi-Fi networks. The legislation takes effect in 180 days.

Apparently, to prove just how vulnerable Wi-Fi networks are, a team from the local department of information technology drove around downtown White Plains. In half an hour, they discovered 248 hot spots. Of those, 120 lacked any security.

Soon, the county will be able to issue warnings to business owners whose networks aren’t secure. Owners who don’t comply within 30 days will be slapped with a $250 fine. Further violations will result in a $500 fine. That’s not much; still, small businesses will feel it. And I wouldn’t be surprised if similar measures spring up around the country: After all, identity theft is a growing concern. There have been plenty of cases where criminals used Wi-Fi networks to steal customer information. And yet, about 60% of Wi-Fi networks remain unsecured.

What I’d like to know is, how the county plans to enforce this law. Right now, it has two investigators focused, full time, on cybercrime. I wonder if, perhaps, counties could put wardrivers to good use. Wardrivers are geek enthusiasts who drive around locating Wi-Fi access points and trying to get information from them. Legality of wardriving is not clear. But perhaps wardrivers could get a percentage of the $500 reward for detecting Wi-Fi law offenders? They would functions as headhunters of the wireless world. I think that would fix the Wi-Fi security problem. What do you think?

TrackBack URL for this entry: http://blogs.businessweek.com/mt/mt-tb.cgi/

Reader Comments

isadore

April 25, 2006 01:25 PM

So at what point does this interfere with my rights to free speech, as an intentional broadcaster of my wireless access service?

jwolter

May 5, 2006 02:52 PM

I can see both sides of this one. On the one hand, probably 90% of those whose networks are unsecured are unsecured simply because they lack the knowledge of the threat or of how to secure them. Certainly for a business that is moving sensitive information (such as customers' credit card numbers) around their network, there is a responsibility the secure their network. In such a situation, it's not only the business that suffers if someone sniffs their network.

On the other hand, there is probably a percentage of businesses that might want to offer their network to the world. My home WiFi is secured, because there's stuff that passes between my computers that I don't want the world to see. But I wouldn't mind, for example, if there were a wireless router that supported two networks: an inner, secured network to which all my computers connect, and an outer, public network to which anyone could connect. The public network might be bandwidth limited, so that it didn't interfere with my use of the service, but I have no problem with a passerby with a laptop or WiFi PDA getting directions through my router.

The other issue with all of this is enforcement. Because they are set to factory defaults, the vast majority of unsecured networks have names like linksys, belkin54g, and 2WIRE848. Not exactly clear if that's the securities firm or the apartment above it. To really figure out if that network is a business network requires entering the premeses to locate the router or looking inside the packets, both of which have serious privacy implications.

James

May 17, 2006 11:41 AM

There are companies that fix this easily and on the cheap. witopia.net offers a service called SecureMYWiFi that puts enterprise-grade security (wpa-enterprise/wpa2-enterprise) on your access point for $9.99 a year. other packages exist for businesses with more than a few users. It's a solvable issue, but you have to know where to look.

Andy

May 22, 2006 02:46 PM

So would places that offer free wi-fi, like IHOP and Panera bread, now have to secure their wireless? Is this able to be done in a way to still offer it freely to the public, without configuration? This would significantly lower laptop users of the internet in these locations if they have to type in a 50-character WEP key to connect to the network (of course, WEP isn't secure either...).

Ryan Metcalf

July 31, 2006 11:09 AM

Speaking as a wardriver, I think it's a great idea to hire wardrivers to scope data. We're out there anyways, might as well make ourselves useful to a broader audience (other than uploading to wigle.net and wifimaps.com) My question is though, why should they require all networks to be secure, or are they going to specify and only go with networks that actually process customer data?

About

BusinessWeek writers Peter Burrows, Cliff Edwards, Olga Kharif, Aaron Ricadela, Douglas MacMillan, and Spencer Ante dig behind the headlines to analyze what’s really happening throughout the world of technology. One of the first mainstream media tech blogs, Tech Beat covers everything from tech bellwethers like Apple, Google, and Intel and emerging new leaders such as Facebook to new technologies, trends, and controversies.

RSS Feed: Tech Beat

BW Mall - Sponsored Links

Buy a link now!

On a Baltic Island, Holiday Homes That Hitler Built

After Birchbox, the Sample Box Bubble

How Fast Does Your Phone Lose Value?

How to Invest Like a Bluth

How to Farm Fish in the Nevada Desert

Firebird Management's Die-Hard Mongolia Bull

Charts

Ben Franklin's Face-Lift: The New $100 Bill

Have Credit Unions Become Stealth Banks?

Is Apple Losing Its Innovative Edge?

Breaking Down Bitcoin Mining

Facebook, Twitter Unveil Tools for Google Glass

EU Delaying Banking Stress Tests Until 2014