Electro/Telecom Industry Trends
September 2003
Playing it safe: Industry groups scramble to make wireless networks more secure
 |
| Issue Table of Contents |
|
|
If you’re like most people, you’d never dream of leaving your car unlocked or your wallet in plain view on the front seat. It would leave you dangerously exposed to invasion of privacy and theft. But surprisingly, most consumers and many companies don’t activate even the simplest anti-hacking measures on their wireless networks and devices. The result? Many WLANs are wide open to penetration from unauthorized users, and industry organizations are now focused on closing the door to drive-by hackers.
Warpath weapons: a laptop, antenna and Pringles can
One of today’s hacker hobbies is finding wireless access through a process called wardriving. Named in honor of war dialing, the practice of automatically dialing phone numbers in search of those that answer with a modem’s handshake, war driving is remarkably simple: It can be done with a wireless enabled laptop, some easily downloadable “sniffer” software and a beefed-up antenna.
“You don’t even need to be all that close to a Wi-Fi access point to find it,” says engineer Bill Rose, president of WJR Consulting. “You can stick a Pringles can on your antenna and it will function like an old-fashioned hearing aid cone. Plus, there are commercial antennas out there that pick up signals down the block. After I’ve breached your network once, I can come back any time I want and get Internet access through your back door.”
Part of the security problem for IT officers and home networking buffs is inherent in Wi-Fi’s wireless nature. The transmission moves through air, so just because an access point resides in your home or office, that doesn’t mean the signal will stay there.
But Wi-Fi’s ability to move through walls is only part of the security problem. A bigger culprit responsible for network vulnerability is a disabled security feature. When the second annual “Worldwide Wardrive” took place in October 2002, event organizers found that 72 percent of the nearly 25,000 access points the wardivers found did not have basic Wired Equivalence Privacy (WEP) encryption enabled.
“The first problem with Wi-Fi security is that you have to turn it on,” says Rose. “Most equipment is shipped disabled, and often activation is complicated for consumers. I just bought a product that needed to be activated with hexadecimal code. People don’t want to be bothered.” On top of user indifference, there have been problems with the security measures available. WEP has been criticized as ineffective. However, there is protection available and more on the way.
Making security simpler
Long aware of security issues, the 802.11i-working group of the Institute of Electrical and Electronics Engineers, Inc. has been charged with creating new standards to close the gaps now apparent in WEP encryption. “Through the 802.11i standard, we’ll be addressing security via enhancements to the Media Access Control (MAC) layers of the devices,” notes Brian Mathews, publicity chair for IEEE’s 802.11 working group. The new standard will offer advanced technologies that automatically change encryption codes to keep access a moving target.
And because that standard is still under development, the Wi-Fi Alliance introduced an interim solution last spring. Called Wi-Fi Protected Access™ or WPA, the new standard offers a more robust encryption system for IEEE 802.11a, b and g networking technology. “We wrapped a specification around a subset of the IEEE 802.11i standard to address known issues with WEP,” says Frank Hanzlik, managing director for the Wi-Fi Alliance. “Key management was the biggest issue. Previously, it was easy to compromise key integrity. Now we’ve made it more difficult using dynamic keying governed by sophisticated algorithms.”
Recognizing the large base of 802.11a and 802.11b users already up and surfing wirelessly, the Wi-Fi Alliance packaged its new specification for easy upgrades. “Most manufacturers made it simple for users to get WPA with a software upgrade,” Hanzlik notes. “We don’t want people apprehensive about security,” he adds. “There are simple ways to protect yourself.”