For Now, Wi-Fi Is A Hacker's Delight

You've heard of a drive-by shooting, but maybe not drive-by hacking. It's a worrisome sort of cybercrime in which burglars sit in a car outside a company and use laptop computers with antennas to hack into cash registers and corporate records by snagging data as they travel over the airwaves. That's how two men allegedly snatched the credit-card numbers of customers of a Lowe's Home Improvement (LOW ) store in Southfield, Mich., recently. Another mobile thief pleaded guilty just before the holidays to hacking into patient records at Wake Internal Medicine Consultants Inc. in Raleigh, N.C. -- just to show how vulnerable such records are to hackers.

It happens all the time, according to network security experts. Thanks to the booming popularity of Wi-Fi networks -- which let untethered laptop users gain access to the Net from the living room, the airport lounge, or a parked car -- keeping such networks secure has become one of the technology industry's biggest problems.

The players who make wireless equipment are racing to limit the potential for damage. Improved security standards should be ratified later this year by the association that sets tech industry standards, the Institute of Electrical & Electronics Engineers (IEEE). By mid-2004, Wi-Fi component makers such as Intel Corp. (INTC ) and Cisco Systems Inc. (CSCO ) will release products with the emerging standards. In the interim, the nation's biggest operator of public Wi-Fi networks, T-Mobile (DT ) HotSpot, plans to deadbolt its systems with upgraded encryption. "Security is of paramount concern to everybody," says Joe D. Sims, general manager of T-Mobile HotSpot.

The new security standards will help, although they won't plug all of Wi-Fi's security gaps. Security keys will be changed every time data are transmitted, instead of staying the same throughout a Wi-Fi session. And the encryption of data will be beefed up from the old 64 kilobits to 256 and will use next-generation cryptography. Still, Wi-Fi networks likely will remain vulnerable to sophisticated hackers. "There's no way you can contain the Wi-Fi signal so people can't get to it," says Paul Brock, a managing director at brokerage firm Bear, Stearns & Co.

Even these limited safeguards can't come fast enough. After beginning as a grassroots movement among home PC users, Wi-Fi was brought into the office by workers who didn't want to be anchored to their desks. Almost a third of U.S. companies either used Wi-Fi or conducted pilot programs last year, according to Boston researcher Yankee Group (RTRSY ). An additional 14% plans to implement the technology in 2004. The concern is that these corporate Wi-Fi networks -- sometimes installed by eager techies without the knowledge of the IT department -- have exposed companies to outside thieves. "They punch a huge hole in the corporate security system," says Pankaj Manglik, founder of wireless security firm Aruba Wireless Networks Inc.

Even before the new security standards come out, businesses and individuals can help protect themselves. Any Wi-Fi system comes with built-in encryption, called WEP, for wired equivalent privacy. But it must be turned on, and many users neglect to do so. Still, WEP encryption is weak. A determined hacker can unscramble key passwords in hours, if not minutes. "Break-ins are as common as breathing," says Bruce Schneier, founder of Counterpane Internet Security Inc. (BSC ). For the wireless future to get safer, it's a good policy to keep as many padlocks on corporate airwaves as possible.

By Roger O. Crockett in Chicago

    Before it's here, it's on the Bloomberg Terminal.