It is a Friday afternoon, and Peter Shipley and Matt Peterson are sitting in a late-model Saturn in a Silicon Valley parking lot, balancing notebook computers on their laps, checking out email and looking after files.
Not their own email and files, but those of Sun Microsystems, in whose lot the two are sitting and on whose corporate network they are, in effect, spying.
"Look, there's someone transferring a file," says Peterson, looking down at his computer. Shipley sees even more: "There--someone just turned on an NT machine and is getting mail."
Despite outward appearances, Shipley and Peterson aren't malevolent hackers. To the contrary, their aim is utterly benign: to expose one of the newest and potentially most dangerous security holes in US business, in the form of wireless computer networks.
These are the increasingly popular systems that connect computers in offices or homes to other computers, or to printers, by using radio signals, much as cellphones do. These networks are remarkably convenient; they not only dispense with cables but also allow someone to roam around an office with a laptop computer while staying connected to the Internet.
More affordable
While wireless technology isn't new, prices have dropped dramatically in the last year or so; a small network can be set up for a few hundred dollars. And so usage has taken off: About 6.2 million wireless devices will be shipped world-wide this year, according to market researcher Cahners In-Stat, and double that in two years.
The problem is that many companies appear to be setting up these networks forgetting about the fact that--unless special steps are taken--anyone can detect what is being said on them, even strangers just sitting out in the parking lot.
Which is precisely the point of the demonstration by Shipley and Peterson. In the course of a recent 90-minute drive around a small stretch of Silicon Valley, using mostly standard personal-computer equipment, the two men found more than 40 corporate networks where basic security steps did not appear to have been taken. The men say they have spotted hundreds more on other trips and can find 10 or more on a single block in downtown San Francisco.
Security specialists aren't surprised. One estimates that a majority of the wireless networks in operation today have no security whatsoever. That means anyone in the neighborhood can likely read the network's email and files, says Shipley, and, worse yet, probably be able to gain access to corporate passwords, log on to servers, take over a Web site--or shut the network down entirely.
"Wireless security today is worse than cellular security was years ago," says Alan Paller, of the System Administration, Networking and Security Institute, a computer-security outfit that has just scheduled its first seminar on security issues posed by corporate wireless networks.
It is easy to make a wireless network secure; the "virtual private network" software, or VPN, commonly used over the Internet will keep a wireless network hidden from prying eyes. But the software is often never turned on. John Drewry, a senior director of business development at 3Com says many wireless users are so enamored of the convenience of their devices that "security is often an afterthought. A lot of education needs to happen."
