'Warbiking' reveals increasing need for Sydneysiders to change wireless security habits
Announcement posted by Sophos 02 Jul 2014
Cycle-bound security expert uncovers the insecure truth about our insatiable need to stay connected, despite readily available security tools
Sydney, Australia – July 2, 2014 – IT security company Sophos this week highlighted the worrying state of wireless security in Australia’s largest city, when it sent security expert James Lyne and his computer-equipped bicycle onto the streets of Sydney to test how safe homes, businesses, and even people on mobiles phones are from cybercriminals.
Lyne, Global Head of Security Research at Sophos, went “warbiking” across the city to track down unsecure wireless networks and spotlight user behaviours that could be exploited by rogue hackers, and he discovered some alarming results: “Incredibly, conventional wireless network security is still a major concern, despite the security industry assuming such issues had been resolved years ago. Many would assume these methods are ‘old hat’ but it is still a very viable attack vector that demonstrates basic security best practice is not being adopted,” says Lyne.
Sydney is the latest stop on the “World of Warbiking” tour – a global research project targeting major cities across the globe. Conducted over two days around the streets of the city, Lyne’s warbiking exercise revealed that of 34,476 networks surveyed, almost 28 percent were using either the known-broken Wireless Equivalent Privacy (WEP) algorithm, or no security encryption at all, a relatively lower rate of deployment when compared with other major cities.
A further 28 percent of networks were using Wi-Fi Protected Access (WPA) – a no longer recommended security algorithm. An encouraging result however, was Sydney’s high rate of deployment of WPA2, although given that Sophos worked within the bounds of the law, Lyne was unable to test password strength.
“Of greatest interest during our Warbiking exercise, was that Sydney had a relatively high number of open networks. Whilst many were intentionally open, users may wrongly assume this means their personal information is encrypted and protected, when in reality it is available for anyone to pick up.”
“It’s clear from our Warbiking exercise in Sydney that there are a large number of businesses and home users employing insecure, poorly implemented, or even defunct wireless security protocols. With our increasing desire to be online at all times, this is leaving millions of people, companies and their valuable data open to attack.”
Lyne continued: “Even within the security industry, there are myths and misunderstanding about what the real risks are with wireless. Many argue that the unencrypted, intentionally open networks are ‘OK’ as they use a captive portal to register users. Unfortunately the standard user doesn’t recognise that major brand XYZ wireless is not encrypted and that their information can be picked up by anyone with $40 piece of equipment available on Amazon,” said Lyne.
Users want the internet and they don’t care where they get it
Just as worrying was many people’s total disregard for basic security when out and about. “Our experiment found a large number of people willing to connect to an open wireless network we created, without any idea of who owned it or whether it was trustworthy. Compounded by the growing number of devices that are permanently identifying themselves via technology like Bluetooth, this kind of behaviour is increasingly putting everyone’s valuable data at risk.
“This willingness to connect to any wireless network that professes to offer free Wi-Fi, without ensuring you have some kind of security measures in place,” explains Lyne, “is like shouting your personal or company information out of the nearest window and being surprised when someone abuses it. With a few extra command line arguments, it would have been trivial to attack nearly everyone in our Sydney hotspot study.”
What Sydneysiders are connecting to when out and about
The open wireless network created during the Sydney experiment also offered an insight into what people are connecting to when they are out and about in the New South Wales state capital. Social media sites such as Facebook and Twitter were high on the list of most requested pages, along with webmail access and random web searches. But worryingly, it appears many people are also choosing to access websites and services that could prove even more attractive to cybercriminals.
“Despite the fact that this was an open network, once connected many people seemed happy to access online banking sites, even though they had no idea who was running the access point. Only a tiny minority (1.20 percent) actually took responsibility for their own security by using a Virtual Private Network (VPN) or forcing secure web standards.
“Our test was conducted strictly within the confines of the law,” emphasised Lyne, “but the cybercriminals won't have the same concerns, so our experiment shows why people need to be much more aware of the potential dangers of connecting to open Wi-Fi networks when they are out and about.”
James Lyne revealed the results of the Warbiking Sydney experiment during a special presentation at Aqua Dining, Milson’s Point overlooking the iconic Sydney Harbour Bridge. Details about the methodology used and results so far from the World of Warbiking project – along with tips on how to be more secure – are available at www.sophos.com/warbiking.
###
About Sophos
More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs – a global network of threat intelligence centres.
Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.
Media Contacts:
Amanda Conroy
Espresso Communications
+61 2 8016 2200
+61 422 472 883
amanda@espressocomms.com.au
Luisa Regattieri
Espresso Communications
+61 2 8016 2200
+61 403 729 343
luisa@espressocomms.com.au
World of Warbiking Sydney – Headline Results
Wireless Networks Surveyed:
Total Networks: 1,371 (3.98%)
Hotspot Experiment:
SSIDs offered:
Lyne, Global Head of Security Research at Sophos, went “warbiking” across the city to track down unsecure wireless networks and spotlight user behaviours that could be exploited by rogue hackers, and he discovered some alarming results: “Incredibly, conventional wireless network security is still a major concern, despite the security industry assuming such issues had been resolved years ago. Many would assume these methods are ‘old hat’ but it is still a very viable attack vector that demonstrates basic security best practice is not being adopted,” says Lyne.
Sydney is the latest stop on the “World of Warbiking” tour – a global research project targeting major cities across the globe. Conducted over two days around the streets of the city, Lyne’s warbiking exercise revealed that of 34,476 networks surveyed, almost 28 percent were using either the known-broken Wireless Equivalent Privacy (WEP) algorithm, or no security encryption at all, a relatively lower rate of deployment when compared with other major cities.
A further 28 percent of networks were using Wi-Fi Protected Access (WPA) – a no longer recommended security algorithm. An encouraging result however, was Sydney’s high rate of deployment of WPA2, although given that Sophos worked within the bounds of the law, Lyne was unable to test password strength.
“Of greatest interest during our Warbiking exercise, was that Sydney had a relatively high number of open networks. Whilst many were intentionally open, users may wrongly assume this means their personal information is encrypted and protected, when in reality it is available for anyone to pick up.”
“It’s clear from our Warbiking exercise in Sydney that there are a large number of businesses and home users employing insecure, poorly implemented, or even defunct wireless security protocols. With our increasing desire to be online at all times, this is leaving millions of people, companies and their valuable data open to attack.”
Lyne continued: “Even within the security industry, there are myths and misunderstanding about what the real risks are with wireless. Many argue that the unencrypted, intentionally open networks are ‘OK’ as they use a captive portal to register users. Unfortunately the standard user doesn’t recognise that major brand XYZ wireless is not encrypted and that their information can be picked up by anyone with $40 piece of equipment available on Amazon,” said Lyne.
Users want the internet and they don’t care where they get it
Just as worrying was many people’s total disregard for basic security when out and about. “Our experiment found a large number of people willing to connect to an open wireless network we created, without any idea of who owned it or whether it was trustworthy. Compounded by the growing number of devices that are permanently identifying themselves via technology like Bluetooth, this kind of behaviour is increasingly putting everyone’s valuable data at risk.
“This willingness to connect to any wireless network that professes to offer free Wi-Fi, without ensuring you have some kind of security measures in place,” explains Lyne, “is like shouting your personal or company information out of the nearest window and being surprised when someone abuses it. With a few extra command line arguments, it would have been trivial to attack nearly everyone in our Sydney hotspot study.”
What Sydneysiders are connecting to when out and about
The open wireless network created during the Sydney experiment also offered an insight into what people are connecting to when they are out and about in the New South Wales state capital. Social media sites such as Facebook and Twitter were high on the list of most requested pages, along with webmail access and random web searches. But worryingly, it appears many people are also choosing to access websites and services that could prove even more attractive to cybercriminals.
“Despite the fact that this was an open network, once connected many people seemed happy to access online banking sites, even though they had no idea who was running the access point. Only a tiny minority (1.20 percent) actually took responsibility for their own security by using a Virtual Private Network (VPN) or forcing secure web standards.
“Our test was conducted strictly within the confines of the law,” emphasised Lyne, “but the cybercriminals won't have the same concerns, so our experiment shows why people need to be much more aware of the potential dangers of connecting to open Wi-Fi networks when they are out and about.”
James Lyne revealed the results of the Warbiking Sydney experiment during a special presentation at Aqua Dining, Milson’s Point overlooking the iconic Sydney Harbour Bridge. Details about the methodology used and results so far from the World of Warbiking project – along with tips on how to be more secure – are available at www.sophos.com/warbiking.
###
About Sophos
More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs – a global network of threat intelligence centres.
Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.
Media Contacts:
Amanda Conroy
Espresso Communications
+61 2 8016 2200
+61 422 472 883
amanda@espressocomms.com.au
Luisa Regattieri
Espresso Communications
+61 2 8016 2200
+61 403 729 343
luisa@espressocomms.com.au
World of Warbiking Sydney – Headline Results
Wireless Networks Surveyed:
Total Networks: 1,371 (3.98%)
- No Encryption: 8,224 (23.85%)
- WPA: 9,704 (28.15%)
- WPA2: 15,177 (44.02%)
Hotspot Experiment:
SSIDs offered:
- ‘FreePublicWifi’, ‘Free Internet’, ‘DO NOT CONNECT’
- Used HTTPS: 608 (61.20%)
- Used HTTP: 992 (99.80%)
- Used Insecure Mail protocols: 73 (7.30%)
- Used a VPN: 12 (1.20%)
- Social Media: Facebook and in particular Twitter
- Requests for Internet Banking Sites (which could have been redirected to non-secure copies bypassing the use of https://)
- Random web searches
- Webmail Services - it was lower than in other regions globally but still a top contender
- A large number of those connecting were not searching for something specific, rather people were more hungry for Wifi to achieve any given mundane task