A busines’ wireless access points offer the potential as a simple vector for network ingress by an attacker. They don’t require specific vulnerabilities, physical access or end user engagement.
All that is required is poor security configuration - either via the employed encryption standard or associated passwords.
The 3 broad access control mechanisms utilised today are:
What follows is a general wireless analysis of Sydney’s George Street.
1,514 total unique access points were discovered:
While the open access points need to be taken with a grain of salt (often intentionally open and guest networks), there is a subtle security concern associated with these networks - if your business blocks access to certain sites, a user can trivially bypass this control by connecting to an open network, downloading a potentially (or forced via man in the middle) harmful file and then reconnecting to the corporate network - introducing blocked resources into the environment.
Similarly WEP (particularly) or WPA can introduce a false sense of security at your corporate perimeter, where a WEP or WPA key can be cracked, guessed or read (yes, we can all seen the yellow post-it notes) - unpatched internal systems can be used as pivots to further explore your network and systems.
The most active access points (based on active connections) were:
The distribution of WPA protected access points (with names intentionally removed) can be seen below (similar diagrams for WEP and open networks will not be published):
This analysis has shown that while 83% of access points are protected by strong access control mechanisms, some 17% are still utilising legacy or no protection - which while insecure in themselves, can also introduce vulnerabilities into your network by geographical association.