A recent report from telecommunications analyst company Analysys suggests that the market for public WLANs will total more than 3bn euros in 2006, but security technologies are struggling to keep up!

It's not often that the techniques of depression-era hobos and the antics of modern-day cyber warriors have much in common, but a new phenomenon this year has brought the two together in the eyes of the popular press. Homeless travellers in 1930s California used to chalk symbols on houses to let others know the chances of getting a free meal there. These days, laptop owners looking for a wireless Internet connection have taken to 'warchalking' - marking chalk symbols on floors or walls in areas where wireless networks exist, describing their level of security. In many cases, the symbol denotes a completely open network, which would provide free access to the Internet via a connected corporate network.

This phenomenon shows how quickly the idea of wireless local area networks (WLANs) has taken off in the UK. This method of networking, in which a PC card or built-in antenna acts as a network interface card between the client PC and the network via a wireless access point, is attractive to businesses that don't want to cable their premises. Conventional office environments with highly mobile employees might benefit from the convenience of a wireless network, but it could be particularly valuable in other environments, such as temporary construction sites or listed buildings.

Even more exciting for companies is the rise of public WLANs. BT is slowly rolling out WLAN access points for public use as part of its OpenZone initiative, which launched on 1 August. The telecoms giant plans to deliver 400 such hotspots around the UK by June next year, and has already started serving the Heathrow Hilton hotel and its own BT Centre in London. It would have 20 hotspots operational by launch, the company said. A recent report from telecommunications analyst company Analysys suggests that the market for public WLANs will total more than £1.8bn in 2006. Following the disillusionment over 3G services, WLANs are likely to be seen as increasingly important.

Security vulnerabilities
Unfortunately, the warchalking phenomenon also highlights the security vulnerabilities of WLANs built on the IEEE 802.11b wireless networking standard, which is still the predominant standard in the UK. The standard, developed in 1999 following the ratification of the initial 802.11 physical networking standard in 1997, became known as WiFi following the formation of the Wireless Ethernet Compatibility Alliance in August 1999. A number of vulnerabilities in the technologies supporting the 802.11b protocol have since come to light, and these have to be overcome.

802.11b WLANs that haven't been enhanced in some way face two major security issues: user authentication and encryption of information. Because the medium is inherently insecure (signals must be broadcast within a certain radius if they are to be picked up by legitimate users), networks are more vulnerable to infiltrators. This is not helped by the fact that wireless networking equipment vendors do not encrypt the service set identifier (SSID) - an identification string that is sent when a conversation begins between a wireless network and a wireless device. This means that hackers can detect wireless networks easily using an 802.11b-enabled laptop.
"The major issue was that the uptake of the technology outpaced the security," explains Steven Salmon, head of security at network integrator Logical. As the technology became more widely adopted, it inspired enthusiasts and academics to look closely at the underlying security standards and develop ways to defeat them.

It's now up to suppliers to implement extra security in a bid to lock down wireless network security for customers, he argues. "So now we're being asked to come in and talk to them about securing the WLAN and scaling the security, which is one of the biggest issues."
Clearly there is a need for network retailers that are security-aware, and customers are gradually realising that need following a couple of high-profile media events that highlighted the vulnerable nature of wireless LAN technology. Salmon discusses a security demonstration at the InfoSec computer security conference this year in which I-Sec, a security consultancy, hacked into an 802.11b network using a Pringles can and a freely available network detection program called NetStumbler.

Inadequate encryption
Geoff Davies, managing director of I-Sec, explains why the encryption mechanism used in 802.11b networks to date has been inadequate. The encryption protocol, called the wired equivalent privacy (WEP), is meant to encrypt data travelling between the wireless access point and the client WiFi card, but the algorithm that it used was badly implemented, he reveals. "The problem is that WEP reuses part of the key after a certain period of time," says Davies. "From that, a cryptographer would be able to calculate the key, and that's what programs such as WEPCrack do."

WEPCrack can be used on a laptop in the broadcast area to sniff network packets and analyse them. Eventually, it will be able to deduce the WEP key agreed by the access point and the wireless client, meaning that it can decrypt the code. This can take a matter of hours on a network with high traffic, Davies says.

Why can't companies simply change their WEP keys on a regular basis to avoid people decrypting them? The problem goes back to the insecure nature of a wireless LAN link. 802.11b WLANs work on the pre-shared key concept, in which the access point shares a key with the client that can be used to log onto the system. The problem is that the 802.11b specification doesn't include any guidance on how to manage keys using the insecure radio link between the client and the access point. In practice, where the administrator bothers to turn on pre-shared key access, a single key is provided to all mobile terminals.

The lack of key management guidelines in the specification means that if the administrator wants to change the encryption keys, he has to do so manually. In reality, changing the encryption keys in every access point and client in a large company simply isn't feasible, so many network administrators simply don't do it. Using the same key for a long period of time opens you up to attacks from key decrypters.

Because the keys are static (that is, not renewed automatically by the system on a regular basis), once they are cracked the network is generally vulnerable, meaning that a hacker - even one located in an adjoining building - could have client access to the network.
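
An added illustration, not part of the original article, of why the key reuse Davies describes is so damaging when combined with static keys. It assumes the standard WEP construction, in which each frame's RC4 seed is a 24-bit initialisation vector (sent in the clear) followed by the shared key; the key, IV, frame contents and 1,500-byte frame size are constructed sample values.

```python
import math

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style: per-frame RC4 seed is IV || shared key (integrity value omitted)."""
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def frames_for_likely_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: randomly chosen IVs needed for a >50% chance of a repeat."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(2)))

def iv_wrap_hours(rate_mbit: float = 11.0, frame_bytes: int = 1500, iv_bits: int = 24) -> float:
    """Hours for a sequential IV counter to wrap on a saturated link."""
    return 2**iv_bits * frame_bytes * 8 / (rate_mbit * 1e6) / 3600

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")      # static 40-bit shared key
IV = bytes.fromhex("00002a")           # 24-bit IV, visible in every frame
P1 = b"invoice total 42"               # frame whose content an eavesdropper knows
P2 = b"payroll file key"               # frame the eavesdropper does not know

def recover_second_plaintext() -> bytes:
    c1, c2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
    # Same IV + same static key => identical keystream, so c1 ^ c2 == P1 ^ P2
    # and knowing P1 exposes P2 without ever learning KEY.
    return xor(xor(c1, c2), P1)

if __name__ == "__main__":
    print(recover_second_plaintext())
    print(frames_for_likely_iv_repeat(), round(iv_wrap_hours(), 1))
```

With a static key, every repeated IV reproduces a keystream that has already been used; a fresh key gives the same IV a different keystream, which is why automatic key renewal matters.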

Additional Layer
The bottom line is that even WEP-enabling your network won't necessarily stop a determined hacker. One way around the problem has been to layer additional security on top of the flawed security in the 802.11b protocol.

But although authenticating users with established remote authentication dial-in user service (RADIUS) security authentication mechanisms may help to ensure that only the right users get access to the system, it won't stop hackers sniffing network packets. Virtual private networks using third-party encryption techniques are the strongest solution to the problem. Davies recommends using VPNs based on the commonly accepted IPSec encryption protocol, for example.

But things will get more difficult as more powerful wireless network technology comes into play, says Salmon. "[VPN technology] fitted with 802.11b because you were only talking about 11Mbit/sec," he explains. "The hardware could cope with that. With 50Mbit/sec, you have gigabytes of data going up there." In truth, while the 802.11a standard that promises to supersede the 802.11b standard in many areas can have up to five times the throughput of the older standard, technical reviewers from magazines such as eWeek have found that, just as with 802.11b, 802.11a networks generally achieve about half the maximum throughput in real-world environments. Anything over that is a bonus.

HiperLAN/2, a European equivalent of 802.11a and standardised by the European Telecommunications Standards Institute, also promises higher throughput than 802.11b.

While VPN encryption can alleviate the problems with WEP, the authentication issue remains - the lack of dynamic key management means that it's relatively easy for hackers to infiltrate WLANs. Another potential problem is the fact that 802.11b networks only require the access point to validate the user, and not the other way around. Unless additional authentication has been built into a system, all that a hacker has to do is plug another access point into the network to impersonate a valid access point and gather network keys from unwitting clients.

Mutual authentication
Luckily, the industry has been working on better wireless authentication technologies to solve this problem. Microsoft, Hewlett-Packard and 3Com developed 802.1x, a standard that was ratified in June 2001 by the IEEE. 802.1x does what 802.11b didn't by introducing mutual authentication technology so that the access point has to prove its identity to the client. Also, whereas the wireless access point itself acted as a weak authentication system within 802.11b, 802.1x turns the wireless access point into a conduit, passing authentication information to a back-end security system (generally a RADIUS server). The other big advantage of using 802.1x is that, unlike VPN technologies, it doesn't impose a per-packet encryption/decryption overhead. This means that there is no performance impact when scaling up bandwidth, making it just as suitable for 802.11a as it is for 802.11b.

The most important part of 802.1x is the extensible authorisation protocol (EAP), a technology that enables network administrators to specify a number of different authentication mechanisms in a wireless networking session. Generally, the authentication mechanisms would be handled by a back-end server, with the wireless access point merely serving as a conduit between the server and the client device. The upside of this for the customer is that once an access point supports 802.1x and EAP, it won't have to be upgraded to support each new authentication mechanism that comes out. 802.1x will also make it easier for users to roam wirelessly between different access points (useful if you have a large building, a multi-building campus or multiple offices), because now all authentication can be done from a single point.

The enhanced authentication is great, but unfortunately 802.1x doesn't provide any new encryption technology itself. On the other hand, enabling the use of multiple authentication technologies via EAP enables administrators to choose an authentication mechanism that includes key management. This provides the ability to issue encryption keys dynamically, meaning that if you do want to use WEP, you can change keys on a regular basis and avoid others decrypting your keys.

For the small to medium size company (SME), VPN technology offers an intermediate option for securing your wireless access.
Extract of article from Microscope/Wireless Lan, 6 August 2002