Warbiking in London - insecure WiFi hotspots exposed [VIDEO]


Many wireless networks in London are still using either outdated weak encryption or no encryption at all, according to research released today.

James Lyne changed out of the tweed jacket he normally wears when giving presentations for Sophos, and jumped on his bicycle for a 91-mile (147 km) cycle ride across central London.

Part of the Warbike route

With help from a GPS, two dynamos, and a computer pimped up with solar panels, he discovered thousands of unsecured wireless networks, as you can see in the video below.

Here's a quick summary of the top findings of Project Warbike:

  • 106,874 individual hotspots detected across more than 91 miles of central London
  • 8 percent of the hotspots used no encryption and appear to be both home and business networks (this figure excludes a large number of coffee shops and other open hotspots, which were identified by the name of the hotspot)
  • 19 percent of the hotspots used WEP, an obsolete encryption technology that can be cracked by hackers in seconds; more secure options are available
  • The remaining networks used WPA or WPA2 encryption, which represents acceptable security, provided they are not configured with default or easy-to-guess passwords

Security strength of Wifi networks

A wireless network that isn't properly protected runs the risk of being snooped upon - meaning your data is open for anyone to see. So think twice and always use a VPN (virtual private network) or SSL (secure sockets layer) if you have to use an insecure wireless network.

The warbiking experiment found the highest density of poorly-secured networks along streets which had a high number of small businesses. However, wireless security levels were pretty similar across all areas of London.

At the very least, wireless networks should be using WPA or WPA2 encryption. Even with those, make sure that the network has a strong password, and don't use a predictable default name for your SSID.
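The advice above can be checked against an inventory of the networks you are responsible for. The following Python script is an added example, not part of the original article or Project Warbike's tooling; the CSV layout, the sample rows and the name lists are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample survey export; not data from Project Warbike.
SAMPLE = """ssid,security
HomeNet-4471,WPA2
linksys,WPA2
CoffeeCo Free WiFi,OPEN
SmithFamily,WEP
Office-Guest,OPEN
NETGEAR,WPA
Studio12,WPA2
"""

# Assumed name lists for illustration; maintain your own for a real audit.
PUBLIC_HINTS = ("free wifi", "hotspot")
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default")
WEAK = {"OPEN": "no encryption", "WEP": "obsolete WEP encryption"}


def audit(csv_text):
    """Tally networks by security type and list the ones needing attention."""
    counts, findings = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssid = row["ssid"].strip()
        security = row["security"].strip().upper()
        name = ssid.lower()
        # Intentionally open public hotspots are identified by name and
        # kept out of the "no encryption" figure, as the summary describes.
        if security == "OPEN" and any(h in name for h in PUBLIC_HINTS):
            counts["PUBLIC"] += 1
            continue
        counts[security] += 1
        if security in WEAK:
            findings.append((ssid, WEAK[security]))
        if name.startswith(DEFAULT_SSID_PREFIXES):
            findings.append((ssid, "predictable default SSID"))
    return counts, findings


def share(counts, security):
    """Percentage of non-public networks using the given security type."""
    total = sum(n for key, n in counts.items() if key != "PUBLIC")
    return round(100 * counts[security] / total, 1) if total else 0.0


if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    for ssid, problem in findings:
        print(f"{ssid}: {problem}")
    print("WEP share:", share(counts, "WEP"), "%")
```

A WPA or WPA2 network that passes this check still needs a strong password, which a survey export cannot show.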

Find out more about Project Warbike, its findings, and tips on how to secure your wireless network.


6 Responses to Warbiking in London - insecure WiFi hotspots exposed [VIDEO]

  1. @sambowne · 1087 days ago

    In San Francisco, only 12% of networks are unencrypted:

    • Nigel · 1087 days ago

      The data shown don't differentiate between public (open), business, and home networks, nor is it clear whether the study sample is representative of the city as a whole. Hence, it's not clear whether "only 12% of networks are unencrypted" is a fair statement.

      Actually, if 12% is representative of the entire population of San Francisco (~813,000 people as of July 2011), that's almost 100,000 people using unencrypted networks.

      In fact, if 12% is representative of the entire state of California (~40 million people), that's ~4.8 million people using unencrypted connections. That's a potential goldmine for ne'er-do-wells.

  2. Gavin · 1087 days ago

    Are we not yet at the point of suggesting that WPA is also as good as obsolete from a security perspective? The implementation issues surrounding that protocol are very well understood.

    I suspect that it's still so often bundled in with WPA2 as a 'recommended setting' only because the names are similar and the commentators are worried about confusion for the end-user. Perhaps if WPA was called WEP2 (which is probably more accurate), the IT community would be more forthright in schooling against its use too?

  3. Ian Farquharson · 1087 days ago

    Great video James and team, delivered with usual excellent balance of fact and humour.

  4. Calum · 1086 days ago

    Wonder how many of those WEP networks exist to service a Nintendo handheld... that's the only reason I still have one.

  5. Laurence Marks · 1086 days ago

    Well, a lot of top-chain hotels I stay at provide an open network with all ports blocked except 80 and 443. When you attempt to use those your connection is hijacked and connected to a sign-in screen where you give a hotel-provided password, consent to terms-of-service, and possibly agree to charges.

    A trivial test like the one reported here counts those as open, but that's hardly reasonable.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley