Mobile working Toolkit

Security fears over London's blanket Wi-Fi

Tags:
Wi-Fi

Tom Espiner ZDNet.co.uk

Published: 22 Feb 2006 14:15 GMT

Security company McAfee on Tuesday raised security concerns over the City of London's plan to install a Wi-Fi network throughout the Square Mile.

The system will be constructed by The Cloud, and should give most of The City's workers always-on wireless access within six months.

The Wi-Fi network will be installed in existing street furniture including lamp posts and street signs, and will "allow City workers and visitors with Wi-Fi enabled devices to access the Internet on streets and in open spaces," the City of London said in a statement on Monday.

However, McAfee has raised concerns about the security implications of the project.

"Our big concern is that most people care more about connectivity than security. Always-on broadband makes it easier for hackers to find and target people. There is also a knowledge gap — most people aren't that savvy when it comes to this technology," said Sal Viveros, security expert at McAfee.

McAfee recommended that companies prepare themselves for always-on wireless access by learning about the techniques that hackers are using to target susceptible mobile employees, as the City is a tempting target for hackers.

Last month, a security researcher warned that a hacker could take advantage of a Windows feature that automatically searches for Wi-Fi connections.

"There's a lot of financial data flowing around the City, and there are risks associated with that. The latest laptops have Wi-Fi built into them, and depending on how they are configured, can automatically connect without the users knowledge, using the Windows Wi-Fi feature for example. This means that laptops can be accessed without the users knowledge," said Viveros.

"In the City contacts are vital, and the high density of mobile devices will mean more risks, and more sensitive information flowing," added Viveros.

The Cloud hit back at McAfee's claims on Wednesday afternoon, insisting that its network would be as secure as possible, and would include support for WPA.

WPA is based on the 802.11i standard and encrypts data sent between a user's laptop and the access point. It is more secure than the earlier wireless security protocol WEP, which is much more vulnerable to hackers.

"The City of London network will offer advanced security capabilities, including support for WPA," said Niall Murphy, chief technical officer of The Cloud. "These methods ensure the authenticity of connections with the network and provide encryption on a per user basis, conforming to the highest standards of network security and privacy management."

"The Cloud employs a number of on-network methods to protect user privacy and act against potential abuse and infringement. Authentication methods are employed for user access through a variety of service providers. A key benefit of connecting through commercial networks like The Cloud is the confidence users can have in the management of the integrity of the infrastructure and traffic flowing across it," Murphy added.

Last October, iBahn said it had installed WPA at all its wireless hot spots, in an attempt to give mobile workers more security.

There are also legal implications to unauthorised access to company systems, according to law firm Charles Russell. If an unauthorised person gains access through a wireless network, a company could face serious legal and commercial consequences if its clients' or business partners' confidential data were exposed, the law firm said.

"The country's hotels and waiting rooms are full of people rummaging through the contents of each others' laptops. The technical risks can be avoided by installing and using the necessary systems, and the legal risks can also be minimised by including the necessary legal wording in business contracts," Robin Bynoe, partner at Charles Russell, said last week.

"Whenever Wi-Fi access is available, there are several organisations involved: the site owner, the service provider, the person with the laptop, their employer, the client or the contact with the valuable data. If yours is the only organisation that doesn't have the necessary wording in all relevant contracts and data is stolen, you could end up shouldering the whole of the liability for the loss," added Bynoe.