Wireless LAN vulnerabilities are no longer merely theoretical. Recently, academic researchers cracked the encryption protocol of a real-world WLAN. And IT professionals have published a tool called AirSnort to make cracking wireless encryption passwords a simple process. Let’s take a closer look at these two WLAN security problems.

Going beyond theory
Last spring, one of my Locksmith columns looked at some theoretical flaws in 802.11 related to WEP’s (Wireless Equivalent Privacy) weak 40-bit encryption. This discussion included discoveries by a Berkeley team and a University of Maryland report that some wireless networks actually use the network’s name as the security password. This password and an alternative password, the Media Access Control (MAC) address on WAN PC Cards, are both transmitted in the clear, so the level of security they offer is about the same as a safe with the combination scratched into the black paint beside the dial.

One academic study is no longer merely theoretical. A team at Rice University recently recovered the 802.11 Wired Equivalent Privacy 128-bit security key used by an active network. Adam Stubblefield, John Ioannidis, and Aviel D. Rubin wrote a paper describing their results. They based their attack on a theoretical attack described in a recent paper by Fluhrer, Mantin, and Shamir. The Rice group detailed the way that they implemented the attack and concluded that “802.11 WEP is totally insecure.” They also described some recommendations, although the only real solution for now is to avoid using 802.11 for sensitive data.

WEP is popular because it is easy to administer, but that’s precisely the problem with WEP. For one thing, all devices on the network use the same key. For another, many of the WEP PC Cards reset to the same starting point every time they are initialized, so they regularly generate the identical keys. The latter is the flaw that the Rice group took advantage of to conduct a passive attack, which proved the merely theoretical flaws described by Fluhrer, Mantin, and Shamir.

Although these academics at Rice were merely testing a theory advanced by other academics, they have, in my opinion, actually increased the vulnerability of WEP by publishing such a detailed description of exactly what hardware is needed to perform the attack along with a list of changes that would make a brute force attack much more efficient. Of course, they didn’t publish all the details needed to perform the crack, but the release of the AirSnort tool has taken care of that missing information. (We’ll talk about AirSnort in a minute.)

So, not only have the Rice researchers proved that a theoretical attack is possible in the real world, they have made it much more likely that it will be implemented by showing that breaking the 802.11 WEP is almost a trivial exercise.

Their recommendations are not all that useful or easy for the average WEP user to implement, but they do provide a strong incentive to avoid wireless if you haven’t already built a network based on it. The recommendations in the paper include the assumption that the link layer essentially offers zero security, and that anyone within reception range will be able to communicate as an authorized user. They also recommend against using WEP for security if you must use a wireless LAN.

Another recommendation is to place all access points outside a firewall, although I’m not certain just how much help this would be since the attackers will, for all practical purposes, be legitimate users as far as the network is concerned. Finally, they recommend the use of IPSec or SSH instead of WEP. But is that a good idea?

After the Rice study was published, a CNET report revealed that another group of researchers at Berkeley had announced its discovery of a method that makes it 50 times easier to crack SSH passwords. SSH Communications disputes this. The theoretical attack is highly sophisticated, relying on the timing of keystrokes on a QWERTY keyboard and would not work for those using macros to enter passwords or those with hunt-and-peck typing skills. Nevertheless, it is an interesting report and indicates just how difficult it is to design a really secure password protocol.

Automated password attacks
As if all that weren’t bad enough, some programmers have just released an automatic WEP/802.11 encryption-breaking tool called AirSnort. As usual, the authors (Jeremy Bruestle and Blake Hegerle) claim they did this to point out the flaws in WEP. But as with the extremely detailed academic paper published by the Rice University researchers, their work doesn’t simply point out a theoretical flaw—it makes it almost certain that system attackers will take advantage of the vulnerability.

What were once theoretical flaws in WEP and 802.11—vulnerabilities that required skill and knowledge to implement—have been reduced to simple hacks that script kiddies can use. If your wireless network was ever the least bit secure, you must now presume that it’s wide open to virtually anyone with the least interest in learning what traffic your wireless LAN carries.

AirSnort collects wireless data streams and uses the accumulated data, 100M to 1G worth, to “guess the encryption password in under a second.” If you don’t happen to like AirSnort, another program in alpha release, WEPCrack, does about the same thing.

Additional information on wireless insecurity
The Wireless Ethernet Compatibility Alliance (WiFi) has posted links to white papers at http://www.wi-fi.net/whitepapers.asp.

For details on the Borisov, Goldberg, and Wagner Berkeley study, see the summary report, “Security of the WEP Algorithm,” or the complete paper,  “Intercepting Mobile Communications: The Insecurity of 802.11.”

For more on WEP, see the Black Hat 2001 presentation on cracking WEP.

Bottom line
According to an Aug. 20, 2001 article in Government Computer News, the U.S. Army has placed a moratorium on the use of wireless LAN. Maj. David A. Nash, an electrical engineering and computer sciences instructor for the U.S. Military Academy at West Point said, “You would not want to trust anything sensitive to today’s 802.11b” wireless LAN standard.”

How do you feel about wireless LAN security?

We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.