Survey: 88% of Mumbai's wireless networks easy to compromise

Survey: 88% of Mumbai's wireless networks easy to compromise

Summary: Deloitte's recently released Wireless Security Survey assessing Mumbai's -- India's financial capital -- state of security awareness in respect to wireless security, shows an ugly picture of insecure wireless networks in both, business, and residential districts. With Mumbai being the home of India's most important financial institutions, next to the majority of multinational corporations, it may also turn into the playground for the next high profile data breach.

SHARE:
TOPICS: Security
4

Deloitte Mumbai Wireless SecurityDeloitte's recently released Wireless Security Survey assessing Mumbai's -- India's financial capital -- state of security awareness in respect to wireless security, shows an ugly picture of insecure wireless networks in both, business, and residential districts. With Mumbai being the home of India's most important financial institutions, next to the majority of multinational corporations, it may also turn into the playground for the next high profile data breach.

The key findings of the survey are:

  • Of the 6729 wireless networks seen, 36% appeared to be unprotected i.e. without any encryption
  • 52% were using low level of protection i.e. Wired Equivalent Privacy (WEP) encryption
  • Over 95% of the networks broadcast their SSID, with 25% of these using their router's default SSID
  • Balance 12% were using the more secure Wi-Fi Protected Access (WPA)

What's the practical applicability of these insecurities?

Last week, it became evident that a group of Indian militants took unethical hacking courses, and once learning the basics of wardriving, used the insecure wireless network of a U.S expatriate to send emails claiming responsibility for serial bombings that took place in July and September :

"Roaming around Mumbai with Wi-Fi detectors, the suspects looked for open Wi-Fi signals and programmed the e-mail messages to be sent from hacked wireless networks prior to the blasts, the Indian police said. The technique used by the militants is similar to "wardriving," where hackers roam around to detect and access Wi-Fi networks with security weaknesses.

They would roam in a car to sites where wireless internet was available and then send the emails at designated timings, he said. "The police have seized a laptop, six computers, a radio frequency detector, a wireless router, anesthetic injections and tablets from the trio," said Gaffoor. Mohammed Akbar Ismail Chaudhary, the driver of the vehicle in which they travelled to send the threatening emails, has also been arrested. "Chaudhary had taken a house in Surat on rent under a fictitious name prior to planting bombs there," said Maria."

And whereas Deloitte didn't attempt to verify whether or not the wireless networks with default SSIDs were also using the default router passwords, that may web be the case as well. Living in Mumbai or not, consider going through the WiFi Security Awareness booklet accompanying the survey.

Sadly, Mumbai isn't an exception to the overall rule that best practices supposed to have been implemented, are not, since the same lack of basic security awareness can be seen literally all over the world - Caracas (Venezuela); London; Paris; China; Monterrey — Mexico; Sao Paulo – Brazil; England; Germany - CeBIT2006; Warsaw.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • SSID broadcasting

    Broadcasting your SSID isn't necessarily a security issue in that all it does is hide it from Microsoft's default wifi network listing and configuration tool. Any other OS and almost all other wifi networking tools will still easily see wireless access points with SSID turned off.

    In fact I've read several articles that indicate that turning SSID off actually makes your wireless network more visible to packet sniffing tools in that the client and the WAP have to send more data to each other, especially in areas where there may be multiple WAPs. The WAP and the client device always send header data in each packet that identifies each device uniquely anyway, regardless if the SSID header is blank or has a name.

    Using the default SSID though can be a problem in that it implies (often correctly) that the entire WAP and the router that it is connected to are using default settings.

    Personally I prefer playing with social engineering and give my network the SSID "Virus Infected Network".
    mikey3211
  • Agree & LOL! (nt)

    (nt)
    Tazjhe
  • RE: Survey: 88% of Mumbai's wireless networks easy to compromise

    From what I understand, turning off SSID broadcasting makes it easier to compromise the computers connecting to the wireless network... in that they "look" for the network instead of "listening" for it and can in some cases be tricked into connecting to a fake wireless network.

    Having reviewed the document written by Delloite, it seems to basically mirror the PCI standard, which is, imho, full of security-through-obscurity myths. (MAC address filtering is a joke, and turning off SSIDs really does nothing - a sniffer should pick up both valid MACs and the SSID).
    s_southern
  • Try US Army Bases...

    One of the best sources of open, unencrypted and often totally default WiFi access points are the areas surrounding the single quarters on US Military bases (world-wide).

    As a security trainer for the US Military, prior to class, I would often drive around the base with NetStumbler and catalog what I found. Sometimes I'd make a few VoIP calls to my home in Russia -- demonstrating just how easily it could have been to make the same calls buddies in Iraq, Afghanistan or Iran -- compliments of the US Army.

    No need to slam India when you don't even have to leave US soil to find the same thing - even from people who SHOULD know better.
    Marty R. Milette