Flaws in Wireless Security Detailed

Cracked algorithm, holes in 802.11 spec mean companies need more authentication

Las Vegas

A cryptologist who discovered several gaping holes in the international standard governing the design of wireless network devices and the encryption algorithm meant to protect those networks last week detailed vulnerabilities that could be leaving corporate systems open to hackers.

Ian Goldberg, a cryptologist at Montreal-based security and privacy software developer Zero-Knowledge Systems Inc., along with researchers at the University of California, Berkeley, uncovered flaws in the IEEE 802.11 standard. Goldberg published a paper (www.isaac.cs.berkeley.edu/isaac/wep-faq.html) on the findings earlier this year and made one of his first public appearances about it at the annual Black Hat hacker conference here.

Hardware and software vendors use 802.11 to develop wireless Ethernet cards. The Wired Equivalent Privacy (WEP) algorithm is designed to provide the same level of security for wireless devices that a physical network cable can.

"We have demonstrated attacks on WEP that defeat each of the security goals" it was designed to address, including data confidentiality, network-access control and data integrity, said Goldberg, who showed slides demonstrating the mathematical proof that such exploits are possible to an applauding crowd of hackers and security professionals.

"We can read WEP-protected traffic, we can inject traffic onto WEP-protected networks, we can modify WEP-protected data," he said.

Goldberg and other security experts recommended that to counter the threat, all companies should use additional authentication systems, such as virtual private networks or IPSec, before allowing data to cross from a wireless network to an intranet or other corporate system. He said some products will be coming out soon to address these vulnerabilities, but they will be proprietary.

Drive-by Hacking

Hackers can often park their cars in a company's parking lot and simply "become a node" on the firm's wireless network, known as authentication spoofing, said Goldberg. "Unlike physical cables, it's really difficult to control how far radio waves go," he said.

Hackers can travel the entire length of Market Street in San Francisco "and basically not lose 802.11 coverage" while picking up wireless LAN signals in their cars, he said.

Mandy Andress, president of Dublin, Calif.-based ArcSec Technologies Inc., said WEP is particularly vulnerable to hackers in cars. She said there have been cases where hackers have used parabolic dishes to pick up wireless network signals from as far as eight miles away.

One of the most significant problems found in the WEP algorithm includes weaknesses in the way WEP encrypts packets of data using a stream cipher.

Through a series of computations, hackers can eventually uncover the plain text of certain encrypted messages and use those packets to intercept and decrypt other messages encrypted with the same key, an attack known as an Initialization Vector packet collision.

In addition, many commercial wireless Ethernet cards are vulnerable to attacks because all mobile network clients share the same encryption key, said Goldberg.

"Attackers just need to know a single plain-text packet and its corresponding encrypted packet," which can be obtained by pinging a company's network or sending spam traffic, Goldberg explained. "It's a correct encryption of the message, so the receiver has no reason to reject it."

That could allow hackers to do things like inject packets of data into financial transactions that contain changed dollar amounts, Goldberg said.
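To make the two failures described above concrete, here is an added Python illustration (not code from the article or from the Berkeley paper). It models a WEP-style stream cipher with a stand-in keystream generator (SHA-256 in counter mode, an assumption chosen only so the example runs offline; WEP's real cipher differs), and shows why reusing one key and IV leaks the XOR of two plaintexts, why one known plaintext/ciphertext pair reveals the keystream for that IV, and why a fresh IV per frame removes the leak.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in keystream generator (assumption: SHA-256 in counter mode).
    It reproduces the property the article relies on: the keystream depends
    only on (key, IV), so the same pair always yields the same bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream. The IV is sent in
    the clear, so the receiver regenerates the same keystream. XOR is its own
    inverse, so the same function also decrypts."""
    return xor(data, keystream(key, iv, len(data)))


def demo() -> dict:
    key = b"constructed-shared-key"   # constructed sample; one key for all clients
    iv = bytes.fromhex("0a0b0c")      # constructed 24-bit IV, reused below
    p1 = b"amount=0100.00"
    p2 = b"amount=9999.99"
    c1 = encrypt(key, iv, p1)
    c2 = encrypt(key, iv, p2)         # same key and IV: an IV collision

    # Confidentiality: the keystream cancels, so C1 XOR C2 == P1 XOR P2.
    leak = xor(c1, c2)

    # Known-plaintext: one (P, C) pair under this IV reveals the keystream,
    # which then decrypts every other frame sent under the same IV.
    ks = xor(p1, c1)
    recovered_p2 = xor(c2, ks)

    # Integrity: a frame built from that keystream decrypts cleanly, so the
    # receiver has no reason to reject it. This is why the article recommends
    # IPSec or a VPN on top of WEP rather than trusting the link layer.
    p3 = b"amount=0001.00"
    forged_accepted = encrypt(key, iv, xor(p3, ks)) == p3

    # Mitigation check: with a distinct IV the keystreams differ and the
    # XOR of the ciphertexts no longer equals the XOR of the plaintexts.
    c2_fresh = encrypt(key, bytes.fromhex("0a0b0d"), p2)
    leak_with_fresh_iv = xor(c1, c2_fresh) == xor(p1, p2)

    return {"leak_equals_p1_xor_p2": leak == xor(p1, p2),
            "recovered_p2": recovered_p2,
            "forged_accepted": forged_accepted,
            "leak_with_fresh_iv": leak_with_fresh_iv}
```

The toy keystream is deterministic, so the dictionary returned by `demo()` is the same on every run and can be inspected directly.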

"WEP is assumed to be cracked now," said Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc. in Atlanta. "If you watch enough good traffic on a WEP network, you can crack everything in about 12 hours."

Newton, Mass.-based consultancy Cahners In-Stat Group has forecast that the wireless LAN market will reach $2.2 billion by 2004.

Wireless Standards

Standard   Year            Description
802.11     1997            Operates in a 2.4-GHz range, same as cordless phones
802.11b    1999            Also in 2.4-GHz range; it's the standard used by most corporate wireless LANs today
802.11a    1999            Operates in a 5-GHz range; offers less distance capability between base station and client
802.11e    In development  Will provide enhanced security features such as larger encryption keys and 128-bit encryption

Copyright © 2001 IDG Communications, Inc.
