Reinventing Wi-Fi Security

As malicious hackers nip at the heels of Wi-Fi security solutions, WLAN administrators must keep up with evolving standards.

by Blake Harris / June 3, 2004
A couple of years ago, security experts wondered why poorly protected Wi-Fi networks weren't serious targets for malevolent hackers. But as Wi-Fi gains more users, hacking into wireless networks is becoming serious sport.

Wi-Fi Planet Expo -- a tradeshow for WLAN vendors held in San Jose, Calif., last December -- turned into a battlefield for wireless hackers to exhibit their advancing tools, according to AirDefense Inc., a WLAN security company.

The expo also demonstrated how many Wi-Fi vendors and users remain fairly naive regarding Wi-Fi security.

In a single day of monitoring the show's Wi-Fi networks, AirDefense observed 21 attempted "man-in-the-middle" attacks, which sought to break the secure connection of a virtual private network by injecting an intruder between a wireless station and the access point.

Of these 21 attacks, 16 were successful.

The company also identified another 33 advanced attacks at the show that sought to breach a WLAN's authentication processes by attacking the authentication server or breaking an authorized user's password by "brute force." Additionally it discovered 75 denial-of-service attacks targeted at specific access stations. It also revealed 125 attempted identity thefts carried out by spoofing a station's media access control (MAC) address. The company reported numerous other forms of attacks as well.

While the trade show was a plum hacker target, the number of attacks in one day illustrates just how busy Wi-Fi hackers can be these days. Anyone running a Wi-Fi network using the older Wi-Fi security standard -- wired equivalent privacy (WEP) -- is just asking for trouble if security is an issue. The readily available hacker tools largely seek to exploit WEP's security weaknesses.

Where confidential data is accessible through a Wi-Fi network, security must be a big concern. In November 2003, three young men were indicted in North Carolina for allegedly conspiring to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured Wi-Fi network at a store in suburban Detroit.

Reportedly they stumbled on the network while driving around with laptop computers searching for wireless Internet connections, and only later hatched a plot to steal credit card numbers.

Addressing WEP Vulnerabilities
The problem with WEP is that it simply was not designed to withstand attack by sophisticated hacking tools. In the WEP 802.11 standard, all access points and client radios on a particular WLAN use the same encryption key. Each sending station encrypts the body of each frame with this key before transmission, and the receiving station decrypts it using an identical key.

These keys are cumbersome to change, especially on a larger network, because each access point and radio network interface card must be manually configured with the new common key. If the keys are not updated regularly, a hacker with a sniffing tool like AirSnort or WEPCrack can monitor a network for less than one day and then decrypt messages. In practice, many WEP networks use the same key for a considerable period of time, making them even more vulnerable to hackers.

WEP's security problems prompted the Wi-Fi Alliance, a nonprofit international association formed in 1999 to certify interoperability of WLAN products, to develop wireless application protocol (WAP), which addressed some, but not all, of the security flaws in WEP.

Meanwhile, the Wi-Fi Alliance and others began working on an even more secure protocol -- something now called Wi-Fi protected access (WPA).

"As soon as the research reports started coming out pointing out the technical flaws in WEP, the Wi-Fi Alliance very aggressively worked to develop WPA," said David Cohen, chairman of the Wi-Fi Alliance's Security Task Group. "WPA addresses all of WEP's issues. Of course, security is always evolutionary. We will have better security over time. But WPA is a great solution -- useful and deployable now for any home, office, government institution or corporate network that wants a secure Wi-Fi network."

The Wi-Fi Alliance announced WPA in April 2003 and began WPA certification on products shortly thereafter. By September, the organization specified that all Wi-Fi products being certified also had to include WPA and be WPA-certified. To date, there are 240 Wi-Fi and WPA-certified products, all of which appear on the Wi-Fi Alliance Web site.

Security Considerations
There are essentially two aspects of Wi-Fi security to consider, one of which is keeping unauthorized users off the network.

"You don't want to have a stranger hack into your network or sit outside your office, pick up a Wi-Fi signal and get on the network either as a loafer to steal your Internet bandwidth or do something more pernicious," Cohen said.

The second is ensuring privacy or confidentiality. This is basically accomplished through encryption.

"WPA brings both of those to bear," said Cohen. "You have a very strong authentication process with WPA. You didn't have that with WEP. In WEP, if you had the WEP key, you were authenticated. So WPA takes authentication to a much stronger level. Under the hood of WPA are some other protocols like IEEE 802.1x and EAP [extensible authentication protocol], and these really allow for a very secure deployment. That takes care of your authentication."

More specifically, IEEE 802.1x ties the EAP to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates and public key authentication.

Encryption is also completely revamped in WPA using temporal key integrity protocol (TKIP). This provides extremely secure encryption compared to WEP, Cohen said, and WPA contains a key hierarchy of multiple key sets that are used and refreshed constantly.

"Every data packet sent over the air is encrypted with a unique key that is discarded and never used again," Cohen said.
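The key hierarchy described above can be seen in a small model of the 802.11i pairwise key derivation. This is an added example, not code from the article or from the Wi-Fi Alliance: it assumes the pairwise master key (PMK) already exists (from 802.1X/EAP or a pre-shared key), and all addresses, nonces and handshake bytes are constructed sample values. Unlike WEP's single static key, every association derives a fresh pairwise transient key (PTK) from the PMK plus two random nonces, and the key confirmation key (KCK) lets each side check that the other actually holds the PMK.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, ptk_len: int = 64) -> bytes:
    """Pairwise Transient Key for one session (64 bytes for TKIP, 48 for CCMP).
    Addresses and nonces are ordered so that AP and station compute the same input."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes) -> dict:
    """Key hierarchy inside the PTK: confirmation key, encryption key, temporal key, TKIP MIC keys."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48], "mic_keys": ptk[48:64]}


def eapol_mic(kck: bytes, frame: bytes, tkip: bool = True) -> bytes:
    """Key-confirmation MIC over a handshake message (frame carries a zeroed MIC field).
    WPA/TKIP uses HMAC-MD5; WPA2/CCMP uses HMAC-SHA1 truncated to 128 bits."""
    h = hashlib.md5 if tkip else hashlib.sha1
    return hmac.new(kck, frame, h).digest()[:16]


def verify_eapol_mic(kck: bytes, frame: bytes, mic: bytes, tkip: bool = True) -> bool:
    """Receiver-side check, in constant time, that the peer holds the same PMK-derived KCK."""
    return hmac.compare_digest(eapol_mic(kck, frame, tkip), mic)


# Constructed sample values (hypothetical, not from any real network).
PMK = bytes.fromhex("aa" * 32)
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")


def session_keys(pmk: bytes = PMK) -> dict:
    """One association: fresh nonces from both sides give a fresh PTK even with the same PMK."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    return split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce))
```

Running session_keys() twice with the same PMK yields different temporal keys, which is the property the static WEP key lacks.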

For now, WPA is the minimally essential standard for deploying a relatively secure Wi-Fi network -- and the emphasis here is on the phrase "for now."

WPA2 on the Horizon
Cohen said all security evolves over time, and the Wi-Fi Alliance is now working on a certification called WPA2.

"We want to be very clear," added Cohen. "We are not introducing WPA2 because WPA is broken."

In fact, many in the industry viewed the WEP security enhancements as a stopgap measure to buy time to get the security right.

The permanent solution was to be the IEEE 802.11i standard that would include a privacy algorithm based on the advanced encryption standard (AES). The AES-based encryption in 802.11i should offer the strongest level of privacy possible within the limits of functionality. Another goal in deploying 802.11i was that networks should not require extra components for encryption.

WPA2 should make government agencies interested in Wi-Fi networks a lot more comfortable. Under the federal information processing standard (FIPS) 140-2, government agencies are required to use only approved cryptographic components to protect sensitive data, and the recommendation is that AES encryption be used, which WPA2 will contain.

"WPA2 is based on what will soon be the fully ratified IEEE 802.11i standard, which calls for AES as a required encryption mechanism," said Cohen. "That is going to make all folks that absolutely require AES very happy. However, the basic framework is very similar to WPA. Everything about WPA -- authentication, underlying keys, per packet key -- is the same. Once you understand WPA, understanding WPA2 is very easy."

Cohen said if a government agency or department needs a secure Wi-Fi network today, WPA should suffice. When fully developed, Cohen said, upgrading to WPA2-certified products should be easy, since WPA2 is expected to be backward compatible.
Blake Harris, Contributing Editor