Retailers Defend Low-Level Security on Wireless LANs

Computerworld - More high-profile retail chains are being fingered by white-hat hackers for not fully securing wireless LANs installed in their stores. But several retailers said they're not exposing any sensitive data, and some security analysts agreed that the risks don't appear to be great.

While retailers have quickly embraced wireless LAN technology to support applications such as inventory control and pricing management, officials at companies such as CVS Corp. and The Home Depot Inc. last week said that bulletproof security isn't currently seen as a must-have item.

For example, a security consultant last week claimed that Woonsocket, R.I.-based CVS was operating unencrypted LANs in the Raleigh/Durham area in North Carolina.

Alan Clegg, who works at Firehouse Network Consulting in Apex, N.C., said he detected numerous CVS stores that didn't even have basic Wired Equivalent Privacy (WEP) encryption turned on.

But CVS spokesman Todd Andrews said the company doesn't transmit customer data over wireless devices.

"We use wireless technology strictly for internal item management," Andrews said via e-mail. "If we were to ever move in the direction of transmitting [customer] information via in-store wireless LANs, we would encrypt the data."

Clegg said he also detected an unencrypted wireless LAN at a store owned by Phoenix-based Petsmart Inc.

He noted that it was easy to pinpoint the LANs because their access points broadcast easy-to-decipher Service Set Identifiers: "cvsretail" for CVS and "PETsMART" for the pet supply retailer.

Home Depot in Atlanta and Best Buy Co. in Eden Prairie, Minn., were cited earlier last month by white-hat hackers as users of wireless LANs that could be accessed by network-sniffing tools. Best Buy said it deactivated some wireless cash registers after the reports surfaced .

But like CVS, Petsmart and Home Depot said they're not worried about the security levels on their wireless LANs.

Esther Caceres, a spokeswoman at Petsmart, said the company decided two years ago not to install wireless cash registers because of concerns about the security of customer data. The wireless LANs used in Petsmart's 560 stores don't carry customer information and are isolated from back-end systems, she said.

Low-Risk Uses

Home Depot spokesman Don Harrison said the retailer uses wireless LANs to manage inventory and print price tickets. That information "is not proprietary," he noted.

Craig Mathias, an analyst at Farpoint Group in Ashland, Mass., said the approaches used by retailers like CVS make sense for a low-risk bar-code-scanning application. "All the information a hacker is going to get is how many bottles of shampoo that store has in its inventory," Mathias said.

Companies need to weigh the cost of building a truly bulletproof wireless network, said Chris Kozup, an analyst at Meta Group Inc. in Stamford, Conn. Kozup said such an effort could equal the cost of deploying the LAN hardware—not a sensible proposition for nonsensitive data, he added.