Black Hat: Users warned about wireless LAN holes

LAS VEGAS -- A cryptologist who helped discover several gaping holes in the international wireless LAN standard and the encryption algorithm meant to protect such networks yesterday detailed the vulnerabilities that could be leaving corporate systems open to hackers.

Ian Goldberg, who now works for Montreal-based security and privacy software vendor Zero-Knowledge Systems Inc., was one of three researchers at the University of California, Berkeley, who uncovered the flaws in the IEEE 802.11 wireless LAN standard earlier this year. The group published a report on the findings in February (see story), and Goldberg made one of his first public appearances about the issue at the annual Black Hat Briefings conference here.

Hardware and software vendors use 802.11 to develop wireless Ethernet cards, and the Wired Equivalent Privacy (WEP) algorithm is designed to provide the same level of security for wireless devices as a physical network cable does. But Goldberg said he and fellow researchers "have demonstrated attacks on WEP that defeat each of the security goals" it was designed to address.

That includes data confidentiality, network access control and data integrity, said Goldberg, who showed slides containing the mathematical proof that such exploits are possible to an applauding crowd of hackers and IT security professionals. "We can read WEP-protected traffic, we can inject traffic onto WEP-protected networks, we can modify WEP-protected data," he said.

To counter this threat, Goldberg and other security experts at the Black Hat conference recommended that companies use additional authentication systems, such as virtual private networks or the IPSec security protocol, before allowing data to cross from a wireless network to an intranet or other corporate system.

"WEP is assumed to be cracked now," said Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc. in Atlanta. "If you watch enough good traffic on a WEP network, you can crack everything in about 12 hours." To protect themselves, he said, companies should use personal firewalls or intrusion detection systems on their wireless LANs.

Goldberg said malicious hackers often can simply park their cars in a company's parking lot and essentially become a node on its wireless network, a technique known as authentication spoofing. "Unlike physical cables, it's really difficult to control how far radio waves go," he said, adding that hackers also can pick up wireless LAN signals while driving around.

Mandy Andress, president of security consulting firm ArcSec Technologies Inc. in Dublin, Calif., agreed that WEP is particularly vulnerable to hackers in cars. Andress said there have been cases in which car-based attackers used parabolic dishes to pick up wireless network signals from distances as far as eight miles away.

One of the most significant problems found in the WEP algorithm includes weaknesses in the way it encrypts packets of data using a stream cipher. Through a series of computations, according to the Berkeley researchers, hackers can eventually uncover the plain text of certain messages and use those packets to intercept and decode other messages that were encrypted with the same key -- a maneuver referred to as an Initialization Vector packet collision.

In addition, Goldberg said, many commercial wireless Ethernet cards are vulnerable to attacks stemming from the use of the same encryption key by all mobile LAN clients. "Attackers just need to know a single plain text packet and its corresponding encrypted packet," he said. Having that information could allow them to do things such as inject packets of data that contain fraudulent dollar amounts into financial transactions, Goldberg added.

Vendors have been taking steps to improve wireless LAN security, and some network managers interviewed earlier this year said they're aware of the problems with the technology and are beefing up their defenses in response. But they also said the report issued by Goldberg and his colleagues highlights the dangers inherent in wireless LANs.

Related stories:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon