Vendor aims to 'cloak' WEP

New software from AirDefense is designed to protect a widely used but flawed wireless LAN encryption protocol.

The software “cloaks” the encryption key used to scramble WLAN data packets by means of the Wired Equivalent Privacy protocol. WEP was defined in the IEEE 802.11 WLAN standard, and is part of every 802.11-based device. But in 2001, a serious flaw in its implementation was identified, making WEP encryption easy to break. The new AirDefense cloaking technique could save retailers and others from large-scale upgrades of embedded or special-purpose wireless gear such as portable cash registers, barcode scanners, point of sale terminals and even VoIP handsets.

Click to see: Protecting WEP encryption for legacy devices

These legacy wireless devices often run only WEP encryption because of their age or lack of memory and processing power. For various reasons, they often can’t be upgraded to more advanced and more secure schemes such as Wi-Fi Protected Access or the follow-on WPA2 with the full set of IEEE 802.11i security features, which were designed to correct WEP’s well-known weaknesses.

One AirDefense customer is an East Coast electronics retailer which has WLANs deployed in its stores, but currently only for limited guest access by customers visiting the store, says a security systems specialist for the retailer, speaking on condition of anonymity. The retail chain doesn’t use WEP, but the AirDefense Enterprise sensors and software show WEP is widely used in nearby retail venues, he says.

“We use AirDefense [Enterprise for WLAN security] and we see in the air around our stores a huge amount of WEP-based wireless traffic in mall kiosks, and the ‘mom-and-pop’ retailers,” he says. “This is all [traffic from] stuff that’s been put in place for awhile in an existing infrastructure. And it’s costly to replace.”

Where WEP is relied on, administration is a chronic headache and a chronic cost, as at Mazda Raceway Laguna Seca, in Monterey, Calif. “Currently internal systems such as handheld ticket scanners rely on WEP as their only form of protection,” says Frank Basso, assistant director of communications at the raceway. “We are constantly changing the WEP keys to prevent intrusion due to the weakness of WEP. If we were able to detect [and block] intrusion attempts, we would save on administrative overhead on reprogramming of devices.”

Yet retailers are under the gun to improve security for such things as credit card and customer data. To protect credit card data, the Payment Card Industry (PCI) data security standard now mandates, among other things, that retailers opt for WPA or WPA2, or at least not rely exclusively on WEP. In many cases, retailers may have to scrap existing gear for new equipment that supports the more advanced security.

“You’re supposed to protect cardholder data wherever it’s transmitted or stored,” says Avivah Litan, a vice president for the analyst firm Gartner, where she specializes in PCI compliance. “It’s almost always the wireless LANs that are the weakest link. [AirDefense] is hitting a sweetspot.”