Computerworld - More high-profile retail chains are being fingered for not fully securing wireless LANs installed in their stores. But several retailers said they're not exposing any sensitive data, and some security analysts agreed that the risks don't appear to be great.
While retailers have quickly embraced wireless LAN technology to support applications such as inventory control and pricing management, officials at companies such as CVS Corp. and The Home Depot Inc. last week said bulletproof security isn't seen as a must-have item.
For example, a security consultant last week claimed that Woonsocket, R.I.-based CVS was operating unencrypted LANs in the Raleigh/Durham, N.C. area. Alan Clegg, who works at Firehouse Network Consulting in Apex, N.C., said he detected "numerous" CVS stores that didn't have basic Wired Equivalent Privacy encryption turned on.
CVS in January detailed plans to deploy wireless LANs at all 4,100 of its drugstores. But CVS spokesman Todd Andrews said the company doesn't transmit customer data over wireless devices.
"We use wireless technology strictly for internal item management," Andrews said via e-mail. "If we were to ever move in the direction of transmitting [customer] information via in-store wireless LANs, we would encrypt the data."
Clegg said he also detected an unencrypted wireless LAN at a store owned by Phoenix-based Petsmart Inc. He added that it was easy to pinpoint wireless LANs used by CVS and Petsmart because their access points broadcast easy-to-decipher Service Set Identifiers: "cvsretail" for CVS and "PETsMART" for the pet supply retailer.
Home Depot in Atlanta and Best Buy Co. in Eden Prairie, Minn., were cited earlier last month by white-hat hackers as users of wireless LANs that could be accessed by network-sniffing tools. Best Buy said it deactivated some "wireless temporary cash registers" after the reports surfaced (see story).
But like CVS, Petsmart and Home Depot said they're not worried about the security levels on their wireless LANs.
Esther Caceres, a spokeswoman for Petsmart, said the company decided two years ago not to install wireless cash registers because of concerns about the security of customer data. The wireless LANs used in Petsmart's 560 stores don't carry customer information and are isolated from its back-end systems, she said.
Home Depot spokesman Don Harrison said the retailer uses wireless LANs to manage inventory and print price tickets. That information "is not proprietary," he added.
Craig Mathias, an analyst at Farpoint Group in Ashland, Mass., said the approaches used by retailers such as CVS make sense for a low-risk bar-code scanning application. "All the information a hacker is goingto get is how many bottles of shampoo that store has in its inventory," Mathias said.
Companies need to weigh the cost of building a truly bulletproof wireless network, said Chris Kozup, an analyst at Meta Group Inc. in Stamford, Conn. Kozup said that could equal the cost of deploying the LAN hardware -- not a sensible proposition for nonsensitive data, he added.
Read more about Mobile and Wireless in Computerworld's Mobile and Wireless Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
