Not all ISPs equally secure home users: An empirical study comparing Wi-Fi security provided by UK ISPs

Abstract

A majority of home users rely on their Internet service providers (ISPs) to provide them with wireless equipment that is secure, and assume that they are appropriately protected from threats such as piggybacking and eavesdropping. In this paper we present the results of an empirical study comparing the security provided to home users by their ISPs. Passive wireless data collection was used to gather information on 7,847 unique wireless access points within Leeds, UK. Non-parametric inferential statistical analysis was used to compare the security provided by the corresponding ISPs, as identified via the SSID naming used by ISPs in the UK. The ISPs identified included BT, O2, Orange, Plus Net, Sky, TalkTalk, and Virgin Media. Statistically significant differences in the security of the networks were found between ISPs, which we contend can in part be explained by their upgrade policies. These results are contrasted with the security configuration provided by three of the largest ISPs to new customers. For example, BT (the largest ISP in the UK) was found to have a greater number of access points configured with the cryptographically broken Wireless Equivalent Privacy (WEP) encryption method in use, compared to most of the other large ISPs, and this is in contrast to the favourable security configuration of the routers that are provided to new customers. The paper concludes with recommendations for when ISPs provide Wi-Fi enabled routers to home users.