Please Stop using WEP: Lesson from the Field
Recently I had the pleasure of attending GrrCON, a regional InfoSec conference in Michigan. The venue, talks, vendors, etc. were exceptional and the event was well planned. One evening during the event, the group I attended with elected to visit a local Chinese restaurant. While at the establishment, connectivity was requested. Once connected, the Wi-Fi protocol was quickly reviewed. The restaurant placed guests on the same Wi-Fi network as the waitress stations, workers' personal BYOD devices, and other clearly restaurant-owned devices. The Wi-Fi protocol used was WEP.
WEP has clearly been insecure for an extended period and should not be used. This is not nuclear physics or organic chemistry. This fact has been clearly publicized for years. The restaurant industry is more focused on feeding the patrons, which is a good thing. The management, however, should have a slight focus on information security for their establishments. There have been numerous restaurants, individual and chains, that have been compromised, with their patrons' credit card information being sold multiple times through the Dark Web. This is another example of the industry not being focused on security.
With a small amount of expense, the restaurant could update the Wi-Fi and stop exposing itself and every patron using the Wi-Fi to the poor, outdated protocol in use. This may not be a significant issue for the restaurant management until something happens. At that point, it is important to act to minimize the exposure and further risk. With your clients, please review their Wi-Fi, and use this as a case study if the need presents itself, also enumerating the issues with using the prior technology.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.