Annual RSA Wireless Security Survey with Encrypted Wi Fi Vulnerable How Companies and Individuals Are Risking Their Assets and Reputations

RSA® CONFERENCE EUROPE 2008/LONDON, U.K. - October 27, 2008 -

• The ‘wireless explosion’ continues, in the office and at home
• Growth of 543% in Paris, but London has the most access points – by far
• Dramatic improvements in wireless security in New York City
• Security of in-home networks outpacing the corporate sector

The seventh annual Wireless Security Survey from RSA, The Security Division of EMC (NYSE: EMC), is published today, and reveals the continued, dramatic growth of wireless networks in the world's major financial centres. The survey of London, New York City and Paris examines the proliferation and inherent security of corporate wireless access points, public hotspots and- for the first time this year- in-home networks.

Best practices in wireless security have never been more pertinent to businesses and consumers than they are today. In August 2008, an international ring of hackers was indicted in the United States for allegedly exploiting a number of businesses' poorly-secured wireless networks to steal more than 40 million credit card numbers.

"Clearly, in this era of unrelenting regulatory compliance and a sharp focus on effectively managing the risk to sensitive proprietary and customer information, it is more important than ever to close the wireless loophole and ensure that the countless investments being made in securing networks everywhere are not undone by leaving the back-door wide-open," comments Sam Curry, Vice President, Identity and Access Assurance at RSA.

Paris broke all the records with a 543% year-over-year increase in the number of wireless access points detected in the city. Growth in London and New York City, while still substantial, was slower than in 2007: in London the number of access points grew 72% (down from 160% last year) and New York City saw a rise of 45% (down from 49%). London retains its position as the 'most wireless city', however, with a total of 12,276 access points detected- exceeding the number we found in New York City by more than 3,000.

Public hotspots- designed to allow anyone with a wireless device to access the Internet on a pay-as-you-go or pre-paid basis- continue to grow in prevalence across all three cities, and in each case the growth of available hotspots accelerated significantly in 2008 compared with development in the preceding year. Paris saw the largest jump, with numbers increasing by over 300% and comfortably outstripping the comparative growth in New York City (44%) and London (34%).

However, New York City remains the leader in regards to its concentration of hotspots. At 15%, New York City is well clear of London where just 5% of wireless access points were found to be hotspots. In Paris, hotspots represented 6% of all the access points we located.

As in previous editions, the survey examined how many of the wireless access points detected were secured with some form of encryption (hotspots excluded). At face value, the 2008 results show some dramatic improvements in security practice here: in New York City, 97% of corporate access points had encryption in place- up from 76% last year, and by far the best results in the survey's history. In Paris, 94% of corporate access points were encrypted- although in London, 20% of all business access points continue to be completely unprotected by any form of wireless encryption.

However, with WEP- Wired Equivalent Privacy, the original wireless encryption standard- now discredited, the 2008 survey paid close attention to the types of encryption in-play, and the relative adoption of more advanced forms of wireless encryption, including Wi-Fi Protected Access (WPA) or WPA2. Overall, the adoption of non-WEP advanced encryption is encouraging. Paris once again led the way, with 72% of access points (excluding public hotspots) found to be using advanced security; however the numbers in New York City and London were more modest at 49% and 48% respectively, with a majority of wireless access points relying either on WEP or using no encryption at all.

"Such is the speed at which WEP can be routinely cracked that it barely constitutes paper-thin protection in the face of today's sophisticated hackers. We would strongly urge wireless network administrators to discount WEP as a viable security mechanism and upgrade to WPA- or stronger- without delay," continues Mr. Curry. "It is also critical that business access points are protected by encryption- even if the corporate network itself can only be accessed via an encrypted VPN. Not using WPA1 or WPA2 can leave the organizations involved vulnerable to whole classes of attacks against both access points and wireless client computers."

For the first time, the RSA Wireless Security Survey identified the number of personal wireless networks in evidence on the routes around London, New York City and Paris- and how secure they were:

• In London, the volume of personal wireless access points was greater even than the number of corporate ones: a total of 6,730- or 55% of all access points detected- were identified as belonging to home-users
• In New York City, 18% of access points were in-home and in Paris the figure was 21%

Most impressively, home network users appear to be more security-savvy than their corporate counterparts. In Paris, 98% of in-home networks are encrypted- an excellent result- with New Yorkers just behind at 97%, followed by 90% of Londoners who have deployed encryption at home. Digging deeper on the types of encryption found within in-home networks:

• Paris: 75% are using advanced encryption (better than WEP), compared with 72% of the city's business access points
• New York City: 61% of home users have deployed advanced encryption, with just 50% of business access points protected in the same way
• London: 48% are using advanced encryption in the home- the same percentage as in London's business sector

"As wireless networks continue to improve in terms of speed, bandwidth, safety- and ubiquity- this is good news for businesses and consumers alike. However, the potential consequences of unidentified users and applications accessing sensitive, private information are simply too serious to be ignored. We look forward to seeing deployments of advanced encryption outpacing the adoption of wireless itself in the year ahead," concludes Mr. Curry.

For more information and a full copy of the survey, please go to http://www.rsa.com/go/wireless

The research, commissioned by RSA, The Security Division of EMC, and undertaken by a team of independent information security specialists, was conducted as part of an ongoing study to quantify both the extent to which wireless usage is growing in the world's major financial hubs, and how many wireless networks freely 'leak' data traffic into the street, providing potential access to hackers from their car or a nearby building.

The survey was carried out with a laptop computer and commercial software. The laptop and software scanner detected both broadcasting and non-broadcasting APs in the 802.11a, b, g and n frequencies. When devices were detected, the software identified the channel, extended service set identifier (ESSID) and other network information before moving on from that source. The software had no way of capturing or retaining the data content of sessions detected.