The software “cloaks” the encryption key used to scramble WLAN data packets by means of the Wired Equivalent Privacy protocol. WEP was defined in the IEEE 802.11 WLAN standard, and is part of every 802.11-based device. But in 2001, a serious flaw in its implementation was identified, making WEP encryption easy to break. The new AirDefense cloaking technique could save retailers and others from large-scale upgrades of embedded or special-purpose wireless gear such as portable cash registers, barcode scanners, point of sale terminals and even VoIP handsets.
These legacy wireless devices often run only WEP encryption because of their age or lack of memory and processing power. For various reasons, they often can’t be upgraded to more advanced and more secure schemes such as Wi-Fi Protected Access or the follow-on WPA2 with the full set of IEEE 802.11i security features, which were designed to correct WEP’s well-known weaknesses.
One AirDefense customer is an East Coast electronics retailer which has WLANs deployed in its stores, but currently only for limited guest access by customers visiting the store, says a security systems specialist for the retailer, speaking on condition of anonymity. The retail chain doesn’t use WEP, but the AirDefense Enterprise sensors and software show WEP is widely used in nearby retail venues, he says.
“We use AirDefense [Enterprise for WLAN security] and we see in the air around our stores a huge amount of WEP-based wireless traffic in mall kiosks, and the ‘mom-and-pop’ retailers,” he says. “This is all [traffic from] stuff that’s been put in place for awhile in an existing infrastructure. And it’s costly to replace.”
Where WEP is relied on, administration is a chronic headache and a chronic cost, as at Mazda Raceway Laguna Seca, in Monterey, Calif. “Currently internal systems such as handheld ticket scanners rely on WEP as their only form of protection,” says Frank Basso, assistant director of communications at the raceway. “We are constantly changing the WEP keys to prevent intrusion due to the weakness of WEP. If we were able to detect [and block] intrusion attempts, we would save on administrative overhead on reprogramming of devices.”
Yet retailers are under the gun to improve security for such things as credit card and customer data. To protect credit card data, the Payment Card Industry (PCI) data security standard now mandates, among other things, that retailers opt for WPA or WPA2, or at least not rely exclusively on WEP. In many cases, retailers may have to scrap existing gear for new equipment that supports the more advanced security.
“You’re supposed to protect cardholder data wherever it’s transmitted or stored,” says Avivah Litan, a vice president for the analyst firm Gartner, where she specializes in PCI compliance. “It’s almost always the wireless LANs that are the weakest link. [AirDefense] is hitting a sweetspot.”
AirDefense, a vendor of radio frequency sensors and RF security software, says its patented cloaking technology will sidestep the need for such upgrades.
The idea for WEP cloaking was hatched by AirDefense developers in 2002 and the company filed a U.S. patent application which was granted in 2006. Actual product development started late in 2006.
The cloaking technique is a kind of jujitsu, in effect using the basic form of a WEP attack against the attack itself.
Attacks on WEP-protected networks have two and sometimes three components. One is a radio sniffer program that uses, say, a laptop’s WLAN adapter to collect wireless data packets. Sometimes a companion program is used that lets the laptop inject additional packets into the radio space triggering more packets being generated from legitimate clients and access points.
These packets are then passed through increasingly sophisticated statistical analyzers, known as WEP crackers, such as AirSnort and WEPCrack, which are numerous and freely available online, along with even more numerous, detailed, online tutorials on how to use them. The WEP cracker recovers the encryption key, which can be used to unscramble the data packets. With today’s tools, the process can take 10 minutes or less.
AirDefense’s WEP Cloaking Module creates dummy data traffic that uses different WEP keys from the one being used by the actual WLAN clients and access points.
“We’re inserting frames into the air that the attacker thinks are real, and this messes up the statistical analysis of the attacker,” says David Thomas, vice president of product strategy for AirDefense. “The attacker can’t tell the difference between the product frames from the WLAN and the spoofing frames generated by AirDefense.”
Thomas declined to be more specific about what’s involved in the cloaking technology.
The idea of generating this kind of “chaff” to confuse attackers is not new, he acknowledges. But that doesn’t mean it’s easy, he says. “There’s a lot of work involved in not disturbing the [enterprise] WLAN, and in addressing the various WLAN environments that are out there,” Thomas says.
The WEP Cloaking Module is a software program that loads onto the AirDefense server, and then becomes simply one tool in the server’s management console. The new module will be available in early April. Pricing is not yet finalized but Thomas said it will be approximately $200 to cover a relatively small store or other building. The price will vary depending on the site’s square footage and the number of AirDefense sensors needed to cover it.
Learn more about this topicIs WEP ever appropriate?
08/28/06Emerging wireless attacks
05/15/06Credit card industry struggles to enforce security standard
01/25/07Credit card companies revise security standard
SecurityFocus’s two-part series on WEP weaknesses and tools