Speaking at a hacking workshop in Sydney on Friday, WhiteHat's chief executive Jason Hart explained how he and a colleague drove around the CBD for 30 minutes on Thursday with a laptop to scan for wireless networks.
To conduct the 'Wardrive', Hart used a standard IBM laptop loaded with NetStumbler and Kismet -- both of which are freeware WLAN detection tools. Of the 751 wireless networks discovered, 75 percent were unencrypted and 35 percent were broadcasting their default station ID (SSID), which Hart said is a sign that they were 'rogue' access points unknown to administrators of the systems on which they resided.
Hart said he was not surprised by the results of the test: "No, it is not a surprise. But my concern is how many companies are aware that those access points are within their business? Probably in the majority of cases [administrators] do not know about them."
According to Hart, the test demonstrated that although companies spend millions of dollars buying security products to protect their business, far too many still 'leave the back door open'.
He advises administrators to 'sweep' their buildings for wireless networks at least once a month, but preferably once a week.
"It should be part of somebody's job description to sweep the building. It doesn't cost anything except a bit of time -- and you are minimising risk within the business. Download NetStumbler and walk about your building," added Hart.
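A sweep is only useful if its results are compared against the access points the administrators actually deployed. The following is an added example, not code from the article or from either tool: it triages a sweep export against an inventory, and the CSV layout, the MAC addresses, the default-SSID list and the signal cut-off are all constructed assumptions rather than the NetStumbler or Kismet formats.

```python
import csv
import io

# Constructed sample sweep export; the column layout is an assumption for this
# example, not the NetStumbler or Kismet file format.
SWEEP_CSV = """bssid,ssid,encryption,signal_dbm
00:11:22:AA:BB:01,corp-wlan,WPA,-48
00-11-22-aa-bb-02,corp-guest,None,-55
00:11:22:AA:BB:09,linksys,None,-41
00:11:22:AA:BB:0A,cafe-next-door,None,-88
"""

# Hypothetical inventory of access points the administrators deployed.
AUTHORIZED = {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"}
# Illustrative factory SSIDs; extend for the vendors you actually buy.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "tsunami"}
# Assumed cut-off: unknown APs louder than this are probably inside the building.
NEAR_DBM = -70

def norm(bssid):
    """Normalise a MAC address so inventory and sweep entries compare equal."""
    return bssid.strip().upper().replace("-", ":")

def triage(csv_text, authorized=AUTHORIZED):
    """Return (bssid, ssid, flags) for every access point seen in the sweep."""
    known = {norm(b) for b in authorized}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = norm(row["bssid"])
        flags = []
        if bssid not in known:
            flags.append("not-in-inventory")
            if int(row["signal_dbm"]) >= NEAR_DBM:
                flags.append("strong-signal")
        if row["encryption"].strip().lower() in ("", "none", "open"):
            flags.append("unencrypted")
        if row["ssid"].strip().lower() in DEFAULT_SSIDS:
            flags.append("default-ssid")
        findings.append((bssid, row["ssid"], flags))
    return findings

def rogue_candidates(findings):
    """Unknown access points with a strong signal: the ones to go and find."""
    return [f for f in findings
            if "not-in-inventory" in f[2] and "strong-signal" in f[2]]

if __name__ == "__main__":
    for bssid, ssid, flags in triage(SWEEP_CSV):
        print(f"{bssid}  {ssid:<16} {', '.join(flags) or 'ok'}")
```

An inventoried access point that is open by design is flagged only as `unencrypted`, while the unknown, strong-signal one with a factory SSID is the entry that warrants a walk to find the hardware.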












I run an unencrypted business wireless network. Well, it looks unencrypted to someone driving by, anyway, and would be included in statistics such as this.
If you attempt to connect to the network, you'll find that you get almost nowhere. The only service available from the outside world is DNS, and that's done via a local DNS server. Everything else requires you to use SSH tunnels to the server, or set up an IPSec VPN (using a certificate provided to you by the company).
I can give a client who needs 'net access temporary use of the connection for Internet access by authorizing their MAC address. This doesn't permit them to see the internal network, as the wireless and core networks are on different segments connected only via the rather paranoid border gateway.
Schemes like this, with varying degrees of complexity, are common. WEP is almost entirely useless, and WPA1 in pre-shared key mode almost as bad. Both degrade network performance, and arguably gain you little security. Worse, they introduce additional complexity and compatibility problems when joining a network. It's entirely reasonable for an administrator to forgo such link-layer schemes in favour of higher level, more secure VPN systems that can be standardized across services for wireless access, roaming user access, and user access from home.
In summary, statistics like this are superficial hype. Without an investigation of what you can /do/ when you connect to an access point, they mean little.