Safety: Open networks pose dilemma

By Robert Lemos
Staff Writer, CNET News.com
February 5, 2003, 4:00 AM PT

If you want to know how insecure today's wireless networks are, just ask the people who make it their mission to locate the access points designated by companies and consumers around the world.

Armed with laptops, special software and some makeshift hardware, these wireless explorers drive through cities, suburbs and business parks in search of the signals that connect computers to wired networks and the Internet. The practice is called "wardriving," a term derived from the "wardialing" tactic of the movie "War Games," where a hacker dials every number in an area to find a modem.

"Wardrivers don't pose much of a threat," said Chip Coy, executive consultant for IBM Global Services' Security and Privacy Consulting Practice. "They are collecting information about access points and publishing maps. However, they do show that someone could just pop an antenna on top of their vehicle and get data."

But this open season on wireless networks may be nearing a close. Almost four years after the 802.11b standard--now referred to as Wi-Fi--was established, wireless equipment makers are nearly ready to sell second-generation products that have better security out of the box.

An industry-standards group known as the Wi-Fi Alliance a set of interim security specifications for wireless networks last fall. Called Wi-Fi Protected Access, the measures improve encryption and ways to recognize devices that are authorized to join the network. Devices including the new protections are expected to be available by April if not sooner.

So far, the of convenient protections hasn't stunted the success of Wi-Fi networks. Although have slowed corporate adoption of wireless technologies, consumers have continued to use them. As these networks become more popular in both companies and the home, however, the need for more security will be inevitable.

According to numbers posted by the Worldwide Wireless Wardrive in November, more than 72 percent of the nearly 25,000 access points found by wardrivers around the planet didn't even have the flawed wireless security standard known as Wired Equivalent Privacy, or WEP, turned on.

"If people didn't take the five minutes to turn WEP on in their access points, I doubt they have other security that can protect the network," Coy said. "They really need to be doing something more proactive to make sure their wireless networks are more locked down."

Finding a solution to the insecurity of wireless networks could be a pivotal factor in determining whether the wireless industry has a profitable year, said Dennis Eaton, chairman of the Wi-Fi Alliance. Sales of wireless hardware to companies have flattened in recent quarters, while consumer purchases have grown.

"The consumer segment is not that concerned about security today," Eaton said. "On the enterprise side it has affected sales, but in most cases it has caused them to defer the decision until a security solution is found."

The only way to secure communications today is to either use WEP, a technique that allows the data transmitted to and from the central network hub, or access point, to be encrypted. But the encryption can be with relative ease, often in as little as five hours.

A part of the Wi-Fi Alliance's interim standard called Temporal Key Integrity Protocol will address WEP weaknesses by adding stronger security and protecting the encryption keys.

In addition, the standard will add a new way to limit who has access to a network. Using components of a new standard from the Institute of Electrical and Electronics Engineers, companies can create a system that distributes digital keys only to those people allowed to connect to a specific network.

A simpler version of this technology called Pre-Shared Key will be available for home use.
Under that system, a password can be created as a master key for each PC on the network. From then on, Wi-Fi Protected Access will bar anyone who isn't using a device with the matching password.

With the new technologies, David Pollino, managing security architect for digital security firm @Stake, expects to be able to offer customers less complicated and less costly ways to bolster wireless protection.

"From a security perspective, (the future) is all positive," Pollino said. "Currently, if you roll out wireless securely in your campus, you can do it, but you might have to jump through more hoops than you might want."

Yet even simple security might not be enough to persuade everyone to use wireless networks, said Steve Kirschbaum, president of independent consultancy Secure Information Systems International.

He points to the lack of security on the wireless connection points, known as , offered by T-Mobile. The company, which provides Internet access at Starbucks outlets in partnership with the ubiquitous coffee chain, doesn't secure surfer communications.

"The way things are now, it's a dicey proposition," Kirschbaum said. "You have to assume that each keystroke is something someone is going to see."

It is no surprise, therefore, that wireless technology companies are trying to get secure products to market as quickly as possible.

"When people talk about wireless networking, the first thing that pops into their mind is security, and we recognize that is a barrier," said Eaton of the Wi-Fi Alliance. "Everyone in the industry sees security as the No. 1 issue for growth."

Depending on the access point's security level, hackers can break into a wireless network quite easily.

Security: None
Attack: Sniffing

1. User connects to his wireless access point and the Internet.
2. The attacker intercepts, or sniffs, the unencrypted data, grabbing passwords, credit card numbers and personal data.
3. Attacker has full access to the network, but not to encrypted data, such as information on secure Web sites.*

Security: Access control list
Attack: Spoofing

1. User connects to her wireless access point, which checks to make sure the user's network hardware identifier (known as a media access control, or MAC, address) matches its list of allowed addresses.
2. The attacker can intercept the MAC identifier and send it along with his own data. The access point believes the data is coming from a valid network device.
3. Attacker has full access to the network, but not to encrypted data, such as information on secure Web sites.*

Security: Wired Equivalent Privacy
Attack: Brute force

1. User connects to his wireless access point and the Internet on a wireless channel encrypted with the Wired Equivalent Privacy (WEP) protocol.
2. The attacker listens to the data and attempts to break the code. Some active techniques, where the attacker sends probe packets to the wireless access point, can find the encryption key in as little as five hours for many popular access points.
3. Attacker has full access to the network using the stolen WEP key, but can't access data that has additional encryption, such as information on secure Web sites.*

*A man-in-the-middle attack could bypass protections (such as the secure sockets layer, SSL) used by secure Web sites. In such an attack, a hacker who has already broken into a wireless network intercepts data sent by the user then forwards it onto the access point, and vice versa.

Wireless security will see major improvements in the next two years with the arrival of new specifications for protecting LAN connections.

Wi-Fi Protected Access
Essentially a replacement for the flawed Wired Equivalent Privacy, Wi-Fi Protected Access offers the ability to secure connections with better encryption and stronger keys.
The precursor to the full-blown 802.11i, the advantage of WPA is that access point owners can add security to their hardware with a simple software upgrade (provided that the manufacturer supplies the software). New products with the technology should be available in early 2003.

802.11i
The successor to Wi-Fi Protected Access, 802.11i adds stronger encryption in the form of support for the U.S.-government-approved Advanced Encryption Standard. The standard will add security to wired, as well as wireless, networks but requires new hardware to support it. The standard could be finalized by fall 2003.

802.1x
While Wi-Fi Protected Access and the more complete 802.11i secure the connections between computers, 802.1x is a standard for using digital certificates to authenticate which computers are allowed to connect to the networks. Currently, the only way to do this is by limiting who can connect by using the MAC (media access control) address--a unique ID assigned to every network card. However, MAC addresses can be intercepted then faked by a knowledgeable attacker, making the adoption of the encryption-based 802.1x important.
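
An added example, not part of the original article: a MAC filter cannot stop a copied address, but a monitoring sensor can notice two radios sharing one. Each 802.11 transmitter numbers its frames from its own 12-bit sequence counter, so two interleaved counters under a single MAC stand out. The frame tuples, addresses and thresholds below are constructed assumptions.

```python
from collections import defaultdict

SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit counter


def find_shared_macs(frames, max_gap=64, min_anomalies=3):
    """Return {mac: jump_count} for MACs that look like two interleaved radios.

    frames: iterable of (timestamp, source_mac, sequence_number), capture order.
    max_gap: largest forward jump accepted as frames the sensor simply missed.
    min_anomalies: jumps required before flagging; one jump alone can be a
        station that reset its counter.
    """
    last_seq = {}
    jumps = defaultdict(int)
    for _ts, mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            # Forward distance modulo 4096: a 4095 -> 0 wrap counts as +1,
            # a retransmission as 0, and a backward jump as a very large gap.
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            if gap > max_gap:
                jumps[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in jumps.items() if n >= min_anomalies}


def sample_frames():
    """Constructed capture: three MACs, only the second is used by two radios."""
    per_mac = {
        # One radio: counter wrap, a few missed frames, one retransmission.
        "02:00:00:00:00:0a": [4090, 4091, 4093, 4094, 4095, 0, 1, 1, 2, 5],
        # Two radios on one MAC: counters near 100 and near 2900 interleave.
        "02:00:00:00:00:0b": [100, 2900, 101, 2901, 102, 2902, 103, 2903, 104],
        # One radio that reset its counter once: a single jump, not flagged.
        "02:00:00:00:00:0c": [3000, 3001, 3002, 0, 1, 2],
    }
    frames = []
    for mac, seqs in per_mac.items():
        frames += [(i * 0.01, mac, s) for i, s in enumerate(seqs)]
    return sorted(frames)  # per-MAC order is preserved by the timestamps


if __name__ == "__main__":
    print(find_shared_macs(sample_frames()))
```

The thresholds need tuning against a sensor's real frame loss. Sequence analysis is a monitoring aid and does not replace the cryptographic authentication that 802.1x provides.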