Researchers uncover wireless security flaws

Wireless devices, including laptop computers and PDAs, that are widely used to access corporate computer networks rely on a protocol that has "major security flaws" and are vulnerable to hackers using easily obtained equipment, a research group at the University of California, Berkeley, has concluded in findings published on the Internet.

The Wired Equivalent Privacy (WEP) protocol used in the IEEE 802.11 international standard for wireless LAN communications has flaws that "seriously undermine the security claims of the system," leaving it vulnerable to attacks that decrypt traffic, researchers found. The group was able to intercept wireless transmissions, modify transmissions and access restricted networks.

Because wireless networks use shared radio waves to transmit data they are particularly vulnerable to security breaches, which is why the 802.11 standard and WEP were created. The Internet Security, Applications, Authentication and Cryptography (ISAAC) group in the university's Computer Science Division said that its hope in publishing its findings is that the protocol will be redesigned and that important security principles and design practices will become more widely known.

The flaws exposed by the group make it possible - if not always easy - to intercept and decrypt wireless traffic from laptop computers or PDAs using the 802.11 standard. Hundreds of products employ the standard, which is meant to make wireless transmissions as safe as using a wired network by encrypting wireless traffic and using WEP to authenticate nodes. The flaws further make vulnerable proprietary wireless technologies like AirPort, developed by Apple and Lucent, and leave open for attack those systems that rely on network base stations.

"Our analysis suggests that all of these attacks [outlined in the summary of findings] are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network," the group said in information published at its Web site.

The group, consisting of two graduate students, an associate professor and an assistant professor in the university's Computer Science Division, needed only a wireless Ethernet interface that was subverted "to monitor and transmit encrypted data" by simply modifying driver settings. More difficult "active" attacks can be undertaken through reverse-engineering using products from companies that allow upgrading. The research group specifically cited Orinoco PC cards from Lucent.

"The time investment required is nontrivial; however, it is a one-time effort - the rogue firmware can then be posted on a Web site or distributed amongst underground circles," according to a draft of "Intercepting Mobile Communications: The Insecurity of 802.11," a paper the ISAAC group published on its Web site.

Not even 128-bit encryption versions of WEP are secure, according to the paper, which spells out in detail how WEP works and how it can be subverted.

The ISAAC group suggests that "the best alternative is to place the wireless network outside of the organization firewall" in a set of countermeasures that network administrators can take to protect wireless networks. Access controls can be established with the network configured so that "no routes to the outside Internet exist from the wireless network. This prevents people within radio range of the wireless infrastructure from usurping potentially costly Internet connection bandwidth, requiring VPN use for any outside access."

The group further recommends improving the encryption key management of wireless networks. "If possible, every host should have its own encryption key, and keys should be changed with high frequency." However, the paper adds that good key management alone will not protect wireless networks from all potential attacks.

The IDG News Service is a Network World affiliate.