Watch out for these flaws in wireless LAN security

Some recent discoveries raise new questions about the security of the current implementations of 802.11 wireless LANs. John McCormick has the details, suggestions for improving wireless networking security, and a look at upcoming protocol changes.

Recent discoveries show that 802.11 access control is easily compromised by trivial attacks. The latest blow to the 802.11 wireless network protocol comes from several university researchers. We’re going to take a closer look at these security flaws, which can make wireless LANs a risky proposition for many organizations.

Wireless security flaws
We all know how vulnerable Internet traffic can be, but at least it’s mostly carried in wires or fiber. Wireless traffic is even more vulnerable, because it’s also being put into the air so anyone with any interest can intercept it.

The Wireless Equivalent Privacy (WEP) protocol, which was developed to function with the IEEE 802.11 wireless LAN protocols, addresses some of the problems. But a number of wireless LAN vendors have failed to install even this relatively weak security protocol on their systems. WEP relies on a highly vulnerable 40-bit encryption and the use of static keys.

Disclosures earlier this year by the University of Berkeley raised serious questions about whether a business should trust sensitive data to a standard wireless network installation. Now, a new revelation from a University of Maryland team deals a further blow to the wireless LAN’s security protocols by detailing completely different problems.

The biggest potential threat the Maryland team found is the way some wireless LAN installations rely on the name of the network as a security code to authenticate users. The main problem with this (other than the fact that 802.11 uses a static key) is that the systems that use network names as an authentication token also broadcast the network’s name in clear text, making it easy for anyone to identify it using a packet sniffer.

Another problem is posed by the use of the unique Media Access Control (MAC) address on wireless LAN cards as another security tool to restrict access to the network. It turns out that the MAC is also broadcast in clear text, which makes it easy for someone to spoof the network.
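The two paragraphs above can be checked against the frame format itself. The following is an added example, not part of the original article: it parses one 802.11 beacon frame and returns the network name and MAC addresses it carries, which stay readable even when the frame advertises that WEP is enabled. The sample frame, the name CORP-WLAN and the MAC address are constructed for illustration.

```python
import struct

# Constructed sample: one 802.11 beacon frame as any passive receiver sees it.
SAMPLE_BEACON = (
    b"\x80\x00"                    # frame control: management / beacon
    b"\x00\x00"                    # duration
    b"\xff\xff\xff\xff\xff\xff"    # destination: broadcast
    b"\x00\x11\x22\x33\x44\x55"    # source MAC (constructed)
    b"\x00\x11\x22\x33\x44\x55"    # BSSID (constructed)
    b"\x10\x00"                    # sequence control
    + bytes(8)                     # timestamp
    + b"\x64\x00"                  # beacon interval
    + b"\x11\x00"                  # capability: ESS + Privacy (WEP enabled)
    + b"\x00\x09CORP-WLAN"         # element 0: SSID (constructed name)
    + b"\x01\x04\x82\x84\x8b\x96"  # element 1: supported rates
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_beacon(frame: bytes) -> dict:
    """Return the identifiers a beacon exposes without any key."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed fields
        raise ValueError("too short for a beacon")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a management/beacon frame")
    (capability,) = struct.unpack_from("<H", frame, 34)
    info = {
        "source_mac": fmt_mac(frame[10:16]),   # never encrypted
        "bssid": fmt_mac(frame[16:22]),
        "privacy": bool(capability & 0x0010),  # WEP covers data frame bodies only
        "ssid": None,
    }
    pos = 36
    while pos + 2 <= len(frame):               # walk the tagged elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elem_len]
        if len(body) < elem_len:
            break                              # truncated element: stop cleanly
        if elem_id == 0:
            info["ssid"] = body.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return info

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

Because the privacy bit is set in this frame and both values are still recovered, neither the network name nor a MAC allow-list can stand in for authentication.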

Threat level—extreme
As mentioned above, several of the wireless LAN vendors use access control codes that are broadcast in plain text. Making use of these codes to impersonate legitimate users may not be quite at the level where script kiddies are going to be doing this next week, but it’s certainly a wide-open invitation for anyone with real hacker skills and a bit of wireless LAN hardware. This is compounded by the fact that many wireless LAN products don’t encrypt their data.

Given all the currently known holes in IEEE 802.11 (802.11b is the current version) and the ease with which some of them can be exploited, it’s questionable whether many wireless installations based on this protocol should be implemented by any business or government agency unless further steps are taken to secure the system using nonstandard encryption tools.

At best, 802.11b is suitable only for home users or small businesses that are sharing nonsensitive information over the network, unless it’s further enhanced with security tools, such as IPSec.

This isn’t really a fault with the basic standard. After all, neither the Institute of Electrical and Electronics Engineers nor the Wireless Ethernet Compatibility Alliance ever intended the basic 802.11 or the associated Wireless Equivalent Privacy (WEP) protocols to provide robust security on their own. The protocols were designed to provide no more than the same level of security as a standard wired LAN installation. Securing the protocols was left to the companies that designed the hardware and software to build physical wireless LAN installations.

The security flaws in 802.11, even when WEP is also installed, should not be blamed on the standards committees but rather on companies such as Lucent, which failed to build additional security into their wireless LAN products. Fortunately, some companies, including Cisco, recognized this need and did add robust security to their wireless LAN systems, as we will see below.

What can be done?
There is no specific fix because there is no single flaw here to be exploited; fixes will also vary depending on the particular wireless LAN vendor. In general, any wireless LAN installation must utilize strong encryption techniques for any piece of information that it also uses as an authentication token. You can either encrypt the network and MAC information or use some other authentication method.

In addition, no unencrypted data should be placed on any wireless LAN. There are various encryption tools available that can be used to make wireless LAN installations secure. The latest information from academia shows that no large business should consider installing a wireless LAN unless there is a strong cryptographic component added to the basic 802.11 protocols. This does not include WEP, which is currently a weak security tool and not suitable for protecting sensitive data. The big advantage of WEP is that it is a standard and nearly guarantees interoperability. The many strong encryption tools available to build a secure wireless network are based on proprietary systems.

WEP2, a new wireless LAN security protocol, will include 128-bit encryption. It appears that the protocol won’t address all the access control problems that are already well known, but it will be compatible with WEP. A major weakness in WEP is the use of static authentication keys. Cisco’s LEAP overcomes this by generating unique keys at each login to an Aironet wireless device.

A future wireless standard already far along in development is the LEAP-compatible Enhanced Security Network, which will use dynamic key assignment, strong encryption, and Kerberos authentication technology.

What do you think about wireless LAN security?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.

