PROTECTING YOUR WIRELESS DEVICES
September 1, 2003
MICHAEL GARRY
At a time when the Internet has been under relentless attack from hackers, retailers are rightly concerned about the security of their Web-based networks. But just as vulnerable -- if not more so -- are their in-store wireless LANs (local area networks), which are used to support their wireless terminals, scales, registers and other devices.
"We've read that wireless networks are wide open and vulnerable to attack," said Jim Dekle, MIS director for ABC Fine Wine and Spirits, Orlando, Fla., a 149-store chain that sells gourmet foods, snacks and cigars along with wine, beer and liquor. "So we've been very cautious in that area."
Thus, when ABC deployed a chainwide network of wireless terminals to reorder and track inventory last September, the chain included wireless security management systems from Wavelink, Kirkland, Wash. These included the Avalanche system for managing the handheld terminals (Palm Pilot scanning devices from Symbol Technologies) and Mobile Manager for overseeing the radio access points in the ceiling that act as the gateway for wireless communication into the store's wired (Ethernet) network.
"Wavelink is the control cop -- for security and enabling the Palm Pilots to be recognized on the network," said Dekle. Unauthorized devices on the network, for example, can be detected.
The most basic security mechanism for wireless networks today is the WEP (Wired Equivalent Privacy) algorithm, part of the common 802.11 standard for wireless radio-frequency communication used in stores. WEP, while still a "good deterrent for casual snoopers," has been shown to have several vulnerabilities, said Colleen Fitzpatrick, product marketing manager, Cisco Systems, San Jose, Calif.
A more secure solution -- and one that the Wavelink system offers -- is what is known as WEP key rotation, which makes intruding upon a wireless network much more difficult, she said.
Fitzpatrick spoke on wireless security in retail stores at the Food Marketing Institute's Marketechnics show in February. Many retailers today find themselves deploying their third generation of wireless LANs, and naturally "want to protect their investment in the wireless devices they have already purchased," she said. The problem is that many of these devices are limited to WEP, which is also the "lowest common denominator" for a retailer that has LAN products from multiple vendors, as many retailers do.
Although Wavelink offers WEP key rotation, ABC Fine Wine is not able to apply it to the Symbol Palm 1846 devices it has rolled out in its stores, said Guy Ledbetter, help desk manager for ABC Fine Wine. Consequently, the chain uses a standard WEP key, he said.
Ledbetter told SN that "I'd love to use the rotating key but we just keep track of [the WEP key] and try to be as secure as possible." That requires changing the key regularly for all devices, something the rotating key would do automatically.
"Can I have a lot more [security]?" mused Ledbetter. "Oh, yeah."
Another reason for greater security, noted Fitzpatrick, is that retailers must now comply with the federal government's HIPAA security requirements in the pharmacy and wherever patient records are kept. If retailers use wireless devices in these areas, such as inventory terminals or even wireless registers, WEP security won't be sufficient to meet the new standards, she said, though WEP key rotation will.
In March, a Swedish company, Columbitech, with offices in New York, announced a security solution for wireless retail applications, including legacy DOS devices. Using a virtual private network, or "encrypted tunnel," the system can secure handheld devices while offering greater transmission speed and "always-on" connectivity, said Asa Holmstrom, president.
Other acronym-heavy security measures are emerging to remedy the pitfalls of WEP. For example, TKIP (Temporal Key Integrity Protocol) is considered the next generation of WEP for securing wireless LANs. Another standard, which combines encryption and authentication (device access control), is known as WPA (Wi-Fi Protected Access), established earlier this year by the Wi-Fi Alliance, the standards group for the wireless LAN industry that created WEP.
The Wi-Fi Alliance on its Web site said that "many cryptographers are confident that [WPA] addresses all the known attacks on WEP." But WPA is designed for newer equipment rather than the legacy equipment often found in stores, noted Fitzpatrick. Indeed, by the end of this month, any system certified by the Wi-Fi Alliance will have to support WPA, she said.
WPA is actually the draft for the more formal wireless security standard coming over the next year -- 802.11i, the enhanced security standard for 802.11 devices (see accompanying story). "The Wi-Fi Alliance lost patience waiting for 802.11i and implemented WPA," said Kirkpatrick, noting that WPA will be upgradable to 802.11i. Finally, 802.11i will be followed by AES (Advanced Encryption Standard), the "gold standard" of encryption, which will require new hardware.
The Wavelink system used by ABC Fine Wine and Spirits offers both security and management functions, noted Dekle. "It controls the whole network of Palm Pilots" across 149 stores, which average around 7,000 square feet, he said. "We're a very centralized company; we try to keep the intelligence in the central office."
Previously, said Dekle, the chain's security and maintenance needs were much less for wireless devices because only one or two inventory counts would take place daily; orders were keyed into PCs. But the decision to roll out devices and access points chainwide necessitated the investment in security and management, he said. ABC now uses handhelds to do reordering on a daily basis.
Dekle said the system can be used to troubleshoot malfunctioning devices or access points remotely from headquarters. Devices can be "re-enabled" remotely or repaired in person.
According to Wavelink, Mobile Manager and Avalanche cost $500 per server; Avalanche also costs $50 per device, while Mobile Manager runs $110 per access point. Dekle said that ROI for ABC's investment (roughly one device and access point per store) was not analyzed because of the necessity for the technology.
Novel applications
As the prices of the routers and circuit cards that support wireless networks continue to drop, retailers are beginning to use Wi-Fi applications in stores in non-traditional ways. For example, since last November, Hannaford Bros., Scarborough, Maine, has been using wireless Symbol Pocket PC devices to gather pricing information at competing stores, reducing a laborious process to one that takes a few hours, according to Donna Osburn, owner of Software Plus, Vicksburg, Miss. Software Plus provides the application that runs on the handheld and on corporate PCs, telling associates which competitive prices to record. (Hannaford declined to comment.)
Osburn said that after recording the prices, price checkers return to the Hannaford store's parking lot and send the information wirelessly to the store's 802.11b network, which transfers it to corporate headquarters. Also running on the handheld are a mini-database and data synchronization application from Sybase subsidiary iAnywhere Solutions, which enables the data to be gathered on the handheld and then synchronized with a SQL database at corporate headquarters.
Osburn said the system employs ESSID authentication, which controls and distributes unique network IDs for wireless devices.
Software Plus began offering a wireless communication capability to its devices in April of last year, with Kmart as the first customer, said Osburn, adding that Wakefern is the latest customer for the wireless application.
In the traditional method, used by most Software Plus customers, price checkers hook up their handhelds to a modem to transmit the pricing data to headquarters.
Here Comes 802.11g
In addition to security standards, retailers are looking at the pros and cons of the overall standards that govern the world of retail wireless devices.
Today, the most common standard used by wireless devices is 802.11b (used by ABC Fine Wine and Spirits, for example -- see main story), which followed the original standard, 802.11, released in 1996 by the Institute of Electrical and Electronics Engineers (IEEE).
The successor to 802.11b is 802.11a, which offers more bandwidth than 802.11b (54 megabits compared to 11 megabits) and can therefore transmit more robust applications like streaming video. However, 802.11a runs at a frequency (5 gigahertz) that many devices don't support, noted Colleen Fitzpatrick, product marketing manager, Cisco Systems, San Jose, Calif.
As a result, said Fitzpatrick, another standard -- 802.11g -- is becoming popular in retail because it offers the larger bandwidth of 802.11a but at the same frequency as 802.11b. "Retailers all want to upgrade to 802.11g," which will also work with 802.11b devices, she said. Cisco will be shipping an upgrade module this fall.
Still another wireless standard, 802.16, popularly known as Bluetooth, is beginning to find use in retail. Bluetooth enables devices that rely on cords or cables to dispense with them and communicate wirelessly. In stores, it could be used to link scanners and registers. Last month, Digi International, Minnetonka, Minn., launched its Wavespeed /S Wireless Serial Adapter, which uses Bluetooth to connect a PC with a scanner, printer or scale.
Federal Express is using Bluetooth in some distribution centers to connect wireless key scanners with terminals belted to operators so that "wires don't get caught in the machinery," said Fitzpatrick.