Security for retail wireless LANs

George Ou blogged an interesting survey of retail wireless LAN security in his neighborhood, and rhetorically asks the question of whether we need another gazillion dollars in damage before the industry wakes up and does something about it. The problem is that features and convenience, as always, outweigh security.

With my current company, I’ve worked with a couple of retail stores to implement wireless LANs. One of the major advantages that stores perceive is the ability to add devices whenever it’s necessary to respond to demand. One of the classic examples that always came up was the idea of a store wanting to use cash registers, connected wirelessly, during sales or the busy holiday season to add check-out capacity.

The problem? Most cash registers don’t have 802.1X supplicants, and they run a motley collection of old operating systems that may not allow easy addition of 802.1X. OS/2 was a common operating system, but there was significant presence for Windows 95, Windows 2000, and even (shudder) DOS. You just don’t have good options for using the right sort of wireless LAN security protocols. Most retail companies were either unaware of the risk, or willing to take the risk given the apparent high cost of upgrading to devices that were capable of supporting WPA.

Or, from the organizational perspective, it doesn’t help that retail stores are not monolithic entities. There may (or may not) be somebody in the IT department who understands the risks of using poor wireless security protocols, but I don’t think it’s a stretch to say that such a person probably isn’t involved in the details of picking out cash registers. It’s almost certain that the stores are not demanding features like WPA2 from their cash register vendors.

(Yes, this is one of the things that could be addressed in part by the OpenSEA Alliance and the Open1X Project.)

3 Responses to “Security for retail wireless LANs”

  1. Moschops says:

    Why can’t you just install a WPA2-enabled 802.11-to-Ethernet bridge? Then they can just plug in a regular Ethernet connection to it and no hardware upgrade is required. For $100 you can get a DWL-3150 that fits the bill supporting WEP (snicker!), WPA, WPA-Enterprise, WPA2, and WPA2-Enterprise, plus it’s centrally manageable via SNMP. I’m sure there are plenty of others like it that you could use.

  2. matthew says:

    From a technology perspective, 802.11 client bridges work fine to solve the problem. (Well, not quite. They mess with ARP in funny ways, but for the most part, those effects are not observable as long as you use them exactly as they were intended.)

    However, from a security view, they provide a great way into the network because you typically configure the bridge, attach it to the client computer, and forget about it. Attackers interested in attaching to the network can steal a bridge and get on, or gain access to the bridge’s configuration for credentials.

    Furthermore, the incremental cost for any type of client can be large compared to the cost of the cash register. A search on cash registers with Ethernet led me to the Sharp UP-600, which sells for around $900. (I have no idea how comparable the Sharp is compared to the other registers that I was discussing.) If the unit is an “overflow” unit used only for big sales a few times a year, maintaining, configuring, and managing a second part at 10% of the cost is not worth it to most stores.

    Finally, the cost of an Ethernet hardware bridge is substantially more than client software. The bridge costs $100, but the list pricing for commercial client software is generally $30-40 per unit. Big stores could get better pricing than that, but there is greater ability to heavily discount large software orders, or use a zero-cost alternative.

  3. mary fouts says:

    Retailers don’t always think about the proper stop shoplifting equipment needed, much less about needing extra cash registers via wireless. I think it is up to the cash register industry to promote this aspect of their products. –mary
