
Black Hat: Users warned about wireless LAN holes

July 12, 2001 12:00 PM ET

Computerworld - LAS VEGAS -- A cryptologist who helped discover several gaping holes in the international wireless LAN standard and the encryption algorithm meant to protect such networks yesterday detailed the vulnerabilities that could be leaving corporate systems open to hackers.

Ian Goldberg, who now works for Montreal-based security and privacy software vendor Zero-Knowledge Systems Inc., was one of three researchers at the University of California, Berkeley, who uncovered the flaws in the IEEE 802.11 wireless LAN standard earlier this year. The group published a report on the findings in February, and Goldberg made one of his first public appearances about the issue at the annual Black Hat Briefings conference here.

Hardware and software vendors use 802.11 to develop wireless Ethernet cards, and the Wired Equivalent Privacy (WEP) algorithm is designed to provide the same level of security for wireless devices as a physical network cable does. But Goldberg said he and fellow researchers "have demonstrated attacks on WEP that defeat each of the security goals" it was designed to address.

That includes data confidentiality, network access control and data integrity, said Goldberg, who showed slides containing the mathematical proof that such exploits are possible to an applauding crowd of hackers and IT security professionals. "We can read WEP-protected traffic, we can inject traffic onto WEP-protected networks, we can modify WEP-protected data," he said.

To counter this threat, Goldberg and other security experts at the Black Hat conference recommended that companies use additional authentication systems, such as virtual private networks or the IPSec security protocol, before allowing data to cross from a wireless network to an intranet or other corporate system.

"WEP is assumed to be cracked now," said Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc. in Atlanta. "If you watch enough good traffic on a WEP network, you can crack everything in about 12 hours." To protect themselves, he said, companies should use personal firewalls or intrusion detection systems on their wireless LANs.

Goldberg said malicious hackers often can simply park their cars in a company's parking lot and essentially become a node on its wireless network, a technique known as authentication spoofing. "Unlike physical cables, it's really difficult to control how far radio waves go," he said, adding that hackers also can pick up wireless LAN signals while driving around.

Mandy Andress, president of security consulting firm ArcSec Technologies Inc. in Dublin, Calif., agreed that WEP is particularly vulnerable to hackers in cars. Andress said there have been cases in which


