
May 10th, 2007

Retailers haven't learned from TJX - still running WEP

Posted by George Ou @ 3:46 am

Categories: Desktop, Hardware, Mobile/Wireless, Networking, Security, Servers

Tags: WEP, Network, Retail Company, WLAN, Wireless, George Ou

When I blogged earlier this week about TJX's failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption.  As if WEP wasn't already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX's WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP.  I decided to stroll through town and check on some of the largest retail stores in the country to see how they're doing today.  The reason I looked at the large retailers is because they're the big juicy targets with millions of credit card transactions that the TJX hackers love.  What I found was truly disturbing and I'm going to tell you what I found.


DISCLAIMER:  Using the KISMET wireless LAN surveying tool, I scanned some of the major retailers in my own neighborhood.  I couldn't do any active surveying because that would have been against the law, so I merely analyzed the packets coming from the store to see if they were still relying on WEP for wireless LAN insecurity.

Of course it's theoretically possible that the store is using VPN on top of WEP but that's usually not the case because it's costly and cumbersome to deploy a VPN gateway in hundreds of retail outlets and VPN really isn't the best solution for wireless LANs in the first place.  It's also possible that the stores are using WEP inside a special DMZ that's only used for legacy devices like barcode scanners and label printers, but that's unlikely too because deploying a DMZ inside hundreds of retail stores is hard.

The retail store network is very cost- and complexity-sensitive because you have hundreds of micro-deployments rather than a few centralized locations where you can get more mileage for your infrastructure.  So the fact that a retail store is using WEP isn't 100% proof that something is wrong with the wireless LAN security of that store, but it certainly is cause for concern.

Lowe's:
I saw a combination of WPA and WEP coming from Lowe's Home Improvement store.  The problem is that almost all of the wireless clients were connected using WEP and actively transmitting data.  Even if no one is using WEP but the WEP network exists and gets broken into, the hacker will come in via WEP and it doesn't matter if WPA is mostly being used.  While the infrastructure supports WPA, the majority of devices on Lowe's wireless LAN were using WEP.  Because the WEP network is active, I think it's unlikely that this is some sort of temporary or isolated network designed for limited use.  Whatever the case may be, this doesn't look good.

Sears:
For Sears, I only saw a wireless LAN using WPA with no WEP network.  While it's still possible to implement WPA incorrectly with a weak easy-to-guess pass phrase or with a weak authentication protocol such as Cisco's proprietary LEAP or EAP-FAST, I can't scan that far without breaking some laws.  But it's clear that Sears at least has the basics right by not using WEP on their network and Sears turns out to be one of the much better stores on wireless LAN security.  If Sears is running a strong shared-key PSK (which is OK if the PSK isn't leaked) or if they're not running LEAP or EAP-FAST in WPA Enterprise mode, then good job Sears.

JCPenney:
JCPenney only used WEP on their network and it was actively being used by many wireless LAN clients.  It does not look good at all.

Macy's:
Macy's only used WEP on their network and it was very active.  I could see a lot of Cisco and Symbol clients connected to the access points.  These clients may be the cash registers.  Macy's does not look good.

Best Buy:
Best Buy was sort of an odd case.  The first network I saw from them was labeled "BestBuy" for the SSID and it was in the clear with zero security.  I walked in to ask them if they were offering free Wi-Fi access and the nice employee told me no.  Then he wanted to be helpful so he told me to go ahead and try to get on the network to get access and I had to hold my laughter back.  He then added that there really wasn't any place to hang out and surf the web and he didn't know anything about free Wi-Fi access.  I scanned some more and then found lots of devices using no encryption and some devices using WEP.  Clearly this looked like a WEP-optional network with most devices opting out.  Whatever it was, I could see the IP network scheme in the clear and WEP isn't much better than clear-text no security these days.  Theoretically "BestBuy" is a free hotspot service that Best Buy is running but I didn't see any customers using their laptop in the store.  Definitely strange and disturbing if this is the production network for Best Buy's network.

PetSmart pet store:
PetSmart only showed a WPA network.  However, WEP and WEP40 compatibility was also detected so it isn't clear what the risk is without doing a penetration test which I can't legally do.  I'm really not sure why WEP 40-bit and WEP 104-bit are showing up on their network.
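
One way a passive survey can show WEP40/WEP104 on a network that advertises WPA is a WPA element whose group (broadcast) cipher is still WEP, a transition setting for legacy clients. The added example below (not from the original post, and not a statement about any store's configuration) parses the WPA and RSN elements of a beacon and reports every WEP dependency. The function names and the beacon bytes are constructed for illustration.

```python
import struct

# Cipher suite type codes used by both the WPA (00-50-F2) and RSN (00-0F-AC) elements.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"

def iter_elements(buf):
    """Yield (element_id, body) pairs from a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:      # truncated capture: stop, do not guess
            return
        yield eid, body
        pos += 2 + length

def parse_suites(body, oui):
    """body starts at the version field; return (group, [pairwise ciphers])."""
    count = struct.unpack_from("<H", body, 6)[0] if len(body) >= 8 else -1
    if count < 0 or len(body) < 8 + 4 * count:
        raise ValueError("security element truncated")
    def name(sel):
        return CIPHERS.get(sel[3], f"type-{sel[3]}") if sel[:3] == oui else "vendor"
    return name(body[2:6]), [name(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]

def audit_beacon(tagged, privacy_bit):
    """Return (mode, issues) for one beacon; issues lists every WEP dependency."""
    modes, issues = [], []
    for eid, body in iter_elements(tagged):
        if eid == 48:                                        # RSN element (WPA2)
            kind, (group, pairwise) = "RSN", parse_suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":   # vendor-specific WPA element
            kind, (group, pairwise) = "WPA", parse_suites(body[4:], WPA_OUI)
        else:
            continue
        modes.append(kind)
        ciphers = [("group", group)] + [("pairwise", p) for p in pairwise]
        issues += [f"{kind} {role} cipher {c}" for role, c in ciphers if c.startswith("WEP")]
    if not modes:   # no WPA/RSN element: the capability privacy bit decides
        return ("WEP", ["static WEP only"]) if privacy_bit else ("open", ["no encryption"])
    return "+".join(modes), issues

# Constructed tagged parameters (not captured traffic): SSID "example-store" plus a
# WPA element whose group cipher is WEP-104 and whose pairwise cipher is TKIP.
MIXED = bytes.fromhex("000d") + b"example-store" + bytes.fromhex(
    "dd16 0050f201 0100 0050f205 0100 0050f202 0100 0050f202")
# Constructed RSN element: CCMP for both group and pairwise, PSK key management.
CLEAN = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
```

Calling `audit_beacon(MIXED, True)` reports the WEP-104 group cipher even though the network's mode is WPA, while `CLEAN` returns no issues.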

Office Depot:
Office Depot actually had a "Free Wi-Fi" sign with a two-page instruction sheet on how to get free Wi-Fi service in their store.  I didn't see any customers using it but I found it strange that so many devices were actively using it.  I almost have to wonder if the store employees are using the "guest" hotspot for actual business.  Seeing WEP encrypted traffic even though the instructions say no need for a WEP key makes me wonder what's going on here.  There were just too many wireless LAN clients connected.  [UPDATE 12:20PM - Someone pointed out that it could be the demo laptops connected to the free Wi-Fi.  It's possible this could be Best Buy's situation as well.  If these networks are isolated from the production network, that's OK.]

So here we have a list of major retailers where most of them haven't learned a single thing since the TJX incident.  Is it going to take another billion dollars of damage before stores realize that they must ban WEP?

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
