There's a gaping hole in the much-hyped security measures taken for this week's Democratic National Convention: Thousands of wireless devices around the FleetCenter could be used as pawns in a cyberattack.
Wireless security provider Newbury Networks Inc. of Boston issued that warning after detecting the heavy concentration of devices during a three-hour "war driving" exercise through the city. Many of the unsecured wireless networks and 802.11 client cards were in a one-block radius of the FleetCenter, where thousands of delegates will gather for the convention Monday through Thursday.
"The proliferation of open wireless network access poses a significant security challenge for the DNC, not just near the convention site but throughout the city," said Matthew Gray, founder and chief technology officer of Newbury Networks. "With so much emphasis being placed on physical security at the convention, it will be important for organizers to also consider the implications of wireless security risks at this high-profile global event."
During the "war drive," Gray and some colleagues drove through the city and periodically parked in lots near the FleetCenter, detecting the open access points and cards with a wireless laptop and the firm's Wi-Fi Watchdog software. While security inside the center is expected to be tight and measures taken to ensure safety throughout the city have been well publicized, Gray was shocked to find their exercise generated no attention. "We were never stopped by police, even with an antenna pointed out the window of the car," he said. "That was a little distressing."
Gray said a single three-hour drive throughout Boston the week of July 12 found:
- A total of 3,683 unique Wi-Fi devices, approximately 60% were wireless access points and 40% wireless network cards.
- An average of one wireless network card every two minutes accidentally associated with Newbury's open access point throughout Boston and at the convention site.
- About 65% of the wireless networks detected had no encryption, leaving them vulnerable to attacks and security breaches.
- Four-hundred, fifty-seven unique wireless access points, the majority of which were unsecured, surrounding the FleetCenter.
"With an estimated 35,000 delegates, media and elected officials planning to attend the four-day event, wireless network technology will play a key role in the distribution and exchange of information throughout the convention site," Gray said. "Given the proliferation of wireless access points and the number of anticipated wireless devices in the area, the DNC's official 'no Wi-Fi' policy inside the FleetCenter will be very difficult to enforce and manage."
Robust Wi-Fi access at most hotels, restaurants and coffee shops throughout the city means countless conventioneers will access 802.11 networks from their laptops and carry those same devices into the FleetCenter, Gray added. Since most Wi-Fi security breaches occur when the laptop's operating system automatically seeks out available wireless networks when it's turned on, this is a recipe for danger given the level of open Wi-Fi networks in range of the facility.
"There won't be any Wi-Fi access inside the FleetCenter. But with so many devices in a one-block radius, my biggest concern is that a laptop plugged into the DNC's wired network will still be able to access wireless devices outside," Gray said. "An attacker could make a bridge between an outside wireless connection and the wired network inside. Then they could use infected laptops to disrupt the proceedings."
His advice to conventioneers: "Recognize that access at places like Starbucks is not encrypted and that e-mail passwords and other information can be stolen. It usually isn't a big deal, but the DNC will bring in more interesting targets."
Users should make sure their wireless devices are turned off when not in use, and consider changing their passwords once they return to their homes and offices, he added.