I came across a story about an old case from 2007 where hackers infiltrated T.J. Maxx’s wireless network at one of the outlets and stole over 45 million credit card numbers. Those involved got caught and convicted.
While it's true that the outlet involved apparently didn't even encrypt the wireless link, so any novice hacker could have broken into it, I still believe the whole setup would have been a very bad idea even if the outlet had employed encryption.
Wireless has its uses, of course, but it should be heavily avoided in certain scenarios. Do not connect a wireless network to a network that transfers confidential information. If you have no other way around it, do not simply rely on the encryption provided by the wireless system; use encrypted tunnels such as VPN or SSH to further protect your valuable data.
The reason for this is that perhaps the most important aspect of a secure system is physical security. Wireless kills that outright. Wireless is the equivalent of offering connectivity to your network on the street. This means that if credit card numbers or any other information is flowing on the same network, hackers only need to listen in from a safe distance and you will be sending the credit card details directly to them. They do not even need to expose themselves: they can simply hide a laptop in the boot of a car and leave it recording while they browse your store… 100% undetectable.
What if I use WEP or WPA/2, am I safe then?
WEP is the equivalent of having your wireless network unencrypted; vulnerabilities allow anyone with the right tools to break the encryption in less than 10 minutes. WPA is a little bit more challenging, but not much. Hackers can still record the traffic and crack it comfortably in the safety of their homes, and once again this is totally undetectable. The time required can vary, especially if one uses a good password. If the password used is a dictionary word (which is the first thing a hacker will try), it will be quickly discovered.
A Russian-based company has released software which utilises GPGPU to help with WPA cracking. They claim speeds of 52k passwords per second using a GOOD GPU. Using this software an attacker can attempt the entire English dictionary in 10 seconds. 52k attempts per second makes a brute-force attack a viable option as well. GPGPU has the additional advantage of being modular: insert two graphics cards and you have just doubled the speed of the whole process. It's possible to have up to 4 cards per system, and it is possible to split the load between multiple machines. While such a setup will not be very cheap, criminals intent on exploiting this might still find it worth the investment, since it will more than pay for itself at the very first successful attack. It is also important to remember that in most cases this will be a one-time effort, since people do not generally change WPA passwords once set.
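To put those figures in a defender's terms, the following added example (not from the original post or from the vendor) estimates how long a given WPA passphrase would survive offline guessing at the quoted 52k guesses per second per card, assuming the linear scaling across cards and machines described above. The sample wordlist, the function names and the 100-year threshold are assumptions for illustration; the dictionary size is derived from the "10 seconds" claim.

```python
import string

RATE_PER_CARD = 52_000                 # guesses/second per GPU, the vendor claim quoted above
DICTIONARY_WORDS = RATE_PER_CARD * 10  # implied by "entire English dictionary in 10 seconds"
MAX_CARDS_PER_MACHINE = 4              # limit stated in the post

# Constructed stand-in for a real wordlist (assumption for this example).
SAMPLE_WORDLIST = {"password", "sunshine", "football", "warehouse"}

# Printable ASCII split into the classes a brute-force search must cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def guesses_per_second(cards=1, machines=1):
    """Aggregate guessing rate, assuming linear scaling per card and machine."""
    if not 1 <= cards <= MAX_CARDS_PER_MACHINE or machines < 1:
        raise ValueError("cards must be 1-4 and machines >= 1")
    return RATE_PER_CARD * cards * machines


def search_space(passphrase, wordlist=SAMPLE_WORDLIST):
    """Worst-case number of guesses needed to reach this passphrase."""
    printable = all(32 <= ord(ch) <= 126 for ch in passphrase)
    if not 8 <= len(passphrase) <= 63 or not printable:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    if passphrase.lower() in wordlist:
        return DICTIONARY_WORDS          # found during the dictionary pass
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return alphabet ** len(passphrase)   # full brute force over the classes used


def seconds_to_exhaust(passphrase, cards=1, machines=1):
    """Time to try every candidate in the passphrase's search space."""
    return search_space(passphrase) / guesses_per_second(cards, machines)


def audit(passphrase, cards=4, machines=1, min_years=100):
    """Flag passphrases that could be exhausted offline within min_years."""
    years = seconds_to_exhaust(passphrase, cards, machines) / (365 * 24 * 3600)
    return {"years": years, "acceptable": years >= min_years}


if __name__ == "__main__":
    # Constructed sample passphrases.
    for candidate in ("password", "abcdefgh", "t9#Lq2!vXe7$Rm4z"):
        print(candidate, audit(candidate))
```

Against a fully loaded four-card machine, the dictionary word lasts seconds and the eight-letter lowercase passphrase lasts days; only the long mixed-class passphrase clears the threshold.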
I believe it is very dangerous to have confidential information going through wireless networks. My recommendation is to think of the wireless network as already compromised, even if you are using encryption on it, and act accordingly. Wireless networks and physical networks should be physically segregated as much as possible, with confidential information flowing only through physical networks.