Wireless network security leak

CNET staff
This New York Times article describes a "Flaw in Popular Wireless Standard. The flaws could make it possible for an intruder who is physically close to a wireless computer network to masquerade as a legitimate user in a supposedly private network."

We also received this related information (written by William Arbaugh):

    Name: RG-1000 default network name and WEP key exposure
    Product: Orinoco RG-1000
    Severity: An attacker can determine the network name (SSID), and current WEP encryption key-- allowing unrestricted access to the LAN.

    Vendor Status: Vendor informed of the problem on April 1, 2001 via electronic mail. Vendor responded on April 2, 2001 that users should change their default password via electronic mail.

    Details: The Orinoco RG-1000 residential gateway ships by default with WEP enabled. Unfortunately, the default WEP key is set to the default network name, SSID. The SSID appears in several 802.11 management frames in the clear-- even when WEP is enabled. Therefore, an attacker with a sniffer capable of capturing management frames can determine the current WEP key, which is the last five digits of the network name (provided the default has not been changed). Armed with the network name and the current WEP key, the attacker can easily gain access to the user's wireless LAN. Additionally, the default network name for the unit studied was the last six nibbles of the MAC address converted into ASCII [1]. As a result, even if the key were not the network name, an attacker could determine it by sniffing the MAC address of the unit.

    To Lucent/Orinoco's credit, the fact that the default encryption key should be changed is strongly encouraged in the manual. However, the fact that the default key is disclosed in the clear as part of the network name is unfortunate. The default encryption key should be changed to a randomly generated value set at the factory.
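
An audit check for the condition the advisory describes, added here as an example that is not part of the advisory or the original article: it flags gateways in an exported configuration inventory whose SSID or WEP key still follows the factory pattern. The function names, the inventory format, the lower-case hex reading of "six nibbles converted into ASCII", and all sample values are assumptions.

```python
import re

def default_ssid(mac):
    """Factory network name per the advisory: the last six nibbles of the
    MAC as ASCII hex characters (lower case is an assumption)."""
    nibbles = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(nibbles) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return nibbles[-6:].lower()

def audit_gateway(mac, ssid, wep_key):
    """Return findings for one gateway's exported configuration."""
    findings = []
    factory = default_ssid(mac)
    key = wep_key.lower()
    if ssid.lower() == factory:
        findings.append("ssid-is-factory-default")
    # The SSID is sent in the clear in management frames, so a key equal to
    # its last five characters is effectively public.
    if len(ssid) >= 5 and key == ssid[-5:].lower():
        findings.append("wep-key-derivable-from-ssid")
    # Renaming the network does not help if the key still follows the MAC.
    if key == factory[-5:]:
        findings.append("wep-key-derivable-from-mac")
    return findings

# Constructed inventory (locally administered MACs, made-up names and keys).
INVENTORY = [
    ("02:00:00:1a:2b:3c", "1a2b3c", "a2b3c"),    # untouched factory defaults
    ("02:00:00:4d:5e:6f", "home-net", "d5e6f"),  # SSID renamed, key left alone
    ("02:00:00:0a:0b:0c", "garage", "arage"),    # new SSID, key copied from it
    ("02:00:00:77:88:99", "home-net", "Xq7!p"),  # both changed
]

def audit_inventory(inventory=INVENTORY):
    return {mac: audit_gateway(mac, ssid, key) for mac, ssid, key in inventory}

if __name__ == "__main__":
    for mac, findings in audit_inventory().items():
        print(mac, ", ".join(findings) or "ok")
```

Any gateway with a finding needs a new key that is unrelated to both its SSID and its MAC address, as the advisory recommends.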