802.11 and swiss cheese

By Stephan Somogyi, 
April 16, 2001
URL: http://www.zdnetasia.com/biztech/security/story/0,2000010816,20196487,00.htm


There is no doubt that 802.11b - the technical name for products also
known as AirPort, Orinoco, Aironet, et al. - is a life-changing
technology. 

All of a sudden companies don't have to string as many cables through
their offices to provide connectivity. Small offices, home offices, and
even just plain homes, are all beneficiaries as well, since you can set
up an access point somewhere in the house, ideally hidden from plain
sight, and still engage in e-mail and wander around the Web. 

The problem is that, unlike a piece of cable that you have to get
physical access to in order to connect, it's comparatively easy to get
near enough to a wireless access point to get good signal strength. Say,
in a café across the street. 

OK, but just because you're in the radio footprint of an access point
doesn't mean you can do anything useful with that wireless network,
right? Well, maybe. 

Placebo
Even the most user-friendly access points come with basic security
facilities. These security features give the appearance of protecting a
wireless network in two ways: making the traffic that flies through the
ether undecipherable by outsiders and making the access point, well,
inaccessible to anyone unauthorized. 

The encryption part is accomplished by defining a password that the
access point and all its clients share. One known weakness is that the
encryption scheme--called WEP--uses a key length of 40 bits, so it's
well behind the state of the art. However, I wouldn't be nearly so
perturbed if one really needed to brute force attack the full key
length. One doesn't. 

But wait, there's more. It also turns out that the parts of 802.11's
security not related to encryption are also flawed and can be
compromised. In short, even if you put all three available security
mechanisms in place--WEP encryption, MAC-based access control, and
closed networks--a smart and determined evildoer can still compromise
your network.


At least as far back as last October, the IEEE 802.11 committee knew
about the security flaws in 802.11 and was starting work to fix them.
Earlier this year, researchers with the Isaac project at UC Berkeley
publicized quite a few problems with WEP. Upon reviewing this work and
the design of 802.11's security, respected Bell Labs security researcher
Steven Bellovin was quoted in the Wall Street Journal on February 5th as
saying that there were some "real howlers" in the design. 

WECA, the Wireless Ethernet Compatibility Alliance, promptly issued a
formal response after the Berkeley researchers announced their findings.
Unfortunately, this response evoked little more than the lightbulb joke
whose punchline is "none--they redefine darkness as the standard." The
response spent more time focusing on semantic quibbles and how hard it
is to perform the attacks than admitting there were fundamental flaws in
the protocol in the first place. 

Adding to the UC Berkeley findings, a group of researchers at the
University of Maryland published a paper of their own outlining even
more vulnerabilities in 802.11. 

Both the quality and quantity of examination of 802.11's security leave
little doubt about its significant shortcomings.


It's worth pointing out these many vulnerabilities that make 802.11's
security reminiscent of swiss cheese are manageable now that they're
understood. There can no longer be any false sense of security. 

It requires a determined attacker to put significant effort into
compromising an 802.11 network secured with today's technologies. It's
not trivial. That said, all it takes is one person to automate such an
attack, make the necessary code publicly available, and suddenly the
tools to mount a successful attack will be available to every script
kiddie on the planet. 

This is the reason why it isn't sufficient for the various 802.11
hardware vendors--not to mention WECA--to handwave and say that it's too
much effort to attack such networks in the first place and therefore we
should not worry and should be happy. Furthermore, I heard from multiple
companies that their belief was that anyone with intellectual property
to protect is using a VPN running over 802.11 anyway. 

That's just dandy. We're effectively being told that unless we are a
large enterprise with a dedicated IT staff and the necessary
infrastructure to set up VPN servers and associated folderol we're not
worthy of properly designed and implemented security. A flawed system is
considered sufficient. 

802.1x and AES
While things look grim at the moment, work is already well underway to
plug the many holes. One help will be the introduction of 802.1x,
support for which will be built into Windows XP when it ships later this
year. 802.1x adds improved authentication and access control to Ethernet
networks, including 802.11. 802.1x will significantly reduce the
vulnerability of WEP to attackers trying to compromise network data. 

But even with 802.1x, WEP remains broken. To that end, 802.11e is being
worked on, which, among other things, is slated to add 128-bit AES
encryption to fix 802.11's encryption woes. 

The current guesstimated timetable for 802.1x support is later this
year, and the first 802.11e products will likely ship sometime in 2002. When
asked, hardware vendors get really cagey about whether these
improvements will be firmware upgrades or whether existing 802.11b
hardware will have to be replaced completely. Understandably so since if
the fixes require hardware replacement, it might well put quite a damper
on 802.11 hardware spending today. 

Part of the problem in determining whether existing hardware is
upgradable is that current prototype implementations of 802.1x rely on
an authentication server in addition to the 802.11 access point. It's
far from clear how--or even whether--it will be possible to add 802.1x
to stand-alone access points. If not, Home/SoHo users are unlikely to
benefit from 802.1x for their 802.11 networks. 

Non-corporate users are customers, too
This entire wireless security fracas is as much a war of marketing copy
as anything else. The IEEE standards committee did 802.11 users a great
disservice by allowing such a flawed security architecture to be
approved as a standard. After these flaws became publicized, instead of
fessing up, the committee and WECA tried to market their way out of the
corner they'd painted themselves into. Neither of these actions reflects
well upon the IEEE. 

However, the biggest lesson to be learnt should be among users. Just
because a new and staggeringly useful gadget offers you capabilities
that appear to be security features doesn't mean that they actually
provide substantive security. The 802.11 hardware vendors are primarily
concerned about large corporate customers; they seem far less interested
in how individual customers with a base station and one or two 802.11
cards are served. 

If you've already bought 802.11 hardware--especially if you are a
non-enterprise user--I encourage you to contact both your hardware
manufacturer and your OS vendor and find out what they plan to do about
providing adequate security for your wireless network. Until these
companies realize that their customers aren't apathetic and do care
about the security of small and home networks, they are unlikely to
expend much--if any--effort in meeting those needs. 

Stephan Somogyi feels more than a little vindicated after hearing that
IEEE1394 will be supported in Windows XP and USB 2.0 won't. He also
wishes that Apple and Agere would agree on who's responsible for adding
Orinoco card support to OS X and get on with implementing it.
