Wi-Fi's Achilles heel
Out of the box, Wi-Fi hardware is designed for ease of use and not security. Basic Wi-Fi implementations include some security controls, and while far from perfect, they do provide a deterrent to hackers. However, unless the security controls are turned on, they're about as useless as a screen door on a submarine.
Wi-Fi also completely changes the concept of physical security. In a wireless world, security guards and surveillance cameras count for very little.
Consider the following scenario:
You're a network administrator at a midsized company moving into a new office who needs to establish network access quickly on a minimal budget. After procuring the necessary hardware, you set up a wireless access point for a Wi-Fi network. It works like a charm and employees can now access company resources while working outside in the courtyard.
Security has never been a problem for the company, but a week later the FBI shows up investigating a hacking attempt at a defense contractor 3,000 miles away. After conducting an extensive forensic investigation, the bureau is convinced the attack originated from your network.
Here was the weak link: The network administrator mistakenly assumed that the physical security controls put in place to protect the wired LAN would also do for the Wi-Fi network. Bad assumption. If employees can access these resources from the company courtyard, the chances are that hackers can access them from the company parking lot.
When conducting an attack, hackers employ various methods to cover their tracks. Another approach is to hide behind the use of someone else's network. Attackers don't need to be subtle or care whether the attack gets traced back to its source because the source isn't theirs.
During a recent 15-minute cab ride in Manhattan, 77 of the 106 Wi-Fi networks I found used no encryption. If attackers use a Wi-Fi network as a launching pad, there's very little chance that they'll be caught. As with traditional attacks, log files will lead authorities back to the source network. Once they arrive, the hacker will be long gone.
It's a corporate nightmare scenario: All signs point to your network as the source even though you have no knowledge of any wrongdoing. Even if an outside perpetrator is suspected, the network owner may not be able to escape liability. After all, he or she still provided the resources used by the attacker.
Companies with insecure Wi-Fi networks used in hacking attacks could become vulnerable to lawsuits. The cleanup from an attack can be very costly, and victims will be looking for someone to foot the bill. Since the hacker who perpetrated the attack might never be found, victims will target corporations that unknowingly aided the hacker.
A plaintiff may convince a court to award damages after demonstrating that the network owner failed to exercise "reasonable due care" securing the system. There is not a significant body of legal precedents in this area, but the Computer Emergency Response Team (CERT) Coordination Center co-authored a report on downstream liability in which it theorized that companies could be held liable if their networks are used in attacks.
The concept of downstream liability is being tested in Scottish courts. FirstNet Online Management, a Scottish Internet service provider, sued Nike last year after hackers redirected Nike's Web site traffic to the protest Internet site s11.org, resulting in a temporary service disruption for some of FirstNet's clients. FirstNet blamed Nike's poor security for the incident.
Further underscoring just how seriously corporations consider these risks, insurance companies now offer protection from downstream liability lawsuits.
The Wi-Fi encryption scheme can be cracked, and unencrypted networks can easily be identified during "war driving" expeditions. However, the weakest link in Wi-Fi networks continues to be the human factor.
If the objective is to locate an insecure network to launch an attack from, a hacker is likely to ignore networks with basic security controls and search for "out of the box" implementations.
Corporations will find it hard to argue against negligence when even the most basic security controls were not implemented. Even though hackers can penetrate insecure Wi-Fi networks, basic security measures such as enabling encryption still go a long way toward preventing a network from being used in an attack.
Michael Sutton is senior security engineer for iDefense, a security intelligence company in Chantilly, Va.