Federal WLANs Found To Be Insecure

Wireless LANs operated by many federal government agencies have security problems and the WLANs in the headquarters of six specific agencies have "significant security weaknesses," a Government Accounting Office (GAO) study released this week found.

"Federal agencies have not fully implemented key controls such as policies, practices and tools that would enable them to operate wireless networks securely," the GAO's report to the House of Representatives concluded. Specifically, the GAO pointed to severe security WLAN security problems in six unnamed agencies.

"We were able to detect wireless networks at each of the agencies from outside their facilities," the report said. "Wireless-enabled devices were operating with insecure configurations at all six of the agencies. For example, in one agency we found over 90 laptops that were not configured appropriately. Finally, there was unauthorized wireless activity at all of the agencies that had not been detected by their monitoring programs."

The unauthorized devices included access points and ad hoc networks in all six of the agencies.

"In all six agencies, we found wireless devices operating in ad hoc mode," the report said. "In over half of these cases the ad hoc networks could be detected outside of the building and could have provided access to the agency's networks."In addition, the study found that nine federal agencies have no specific policies on wireless networks and 13 agencies that don't have specific requirements for securely setting up WLANs. In addition, 18 agencies don't have wireless security training programs for employees and contractors.

"Further, the majority of federal agencies lack wireless network monitoring to ensure compliance with agency policies, prevent signal leakage, and detect unauthorized wireless devices," the report said.

The report recommended that the Office of Management and Budget instruct agencies how to secure their wireless LANs.