Safety: Open networks pose dilemma
By Robert Lemos
Staff Writer, CNET News.com
February 5, 2003, 4:00 AM PT
If you want to know how insecure today's wireless networks are, just ask the people who make it their mission to locate the access points designated by companies and consumers around the world.
Armed with laptops, special software and some makeshift hardware, these wireless explorers drive through cities, suburbs and business parks in search of the signals that connect computers to wired networks and the Internet. The practice is called "wardriving," a term derived from the "wardialing" tactic of the movie "War Games," where a hacker dials every number in an area to find a modem.
"Wardrivers don't pose much of a threat," said Chip Coy, executive consultant for IBM Global Services' Security and Privacy Consulting Practice. "They are collecting information about access points and publishing maps. However, they do show that someone could just pop an antenna on top of their vehicle and get data."
But this open season on wireless networks may be nearing a close. Almost four years after the 802.11b standard--now referred to as Wi-Fi--was established, wireless equipment makers are nearly ready to sell second-generation products that have better security out of the box.
An industry-standards group known as the Wi-Fi Alliance proposed a set of interim security specifications for wireless networks last fall. Called Wi-Fi Protected Access, the measures improve encryption and ways to recognize devices that are authorized to join the network. Devices including the new protections are expected to be available by April if not sooner.
So far, the lack of convenient protections hasn't stunted the success of Wi-Fi networks. Although security concerns have slowed corporate adoption of wireless technologies, consumers have continued to use them. As these networks become more popular in both companies and the home, however, the need for more security will be inevitable.
According to numbers posted by the Worldwide Wireless Wardrive in November, more than 72 percent of the nearly 25,000 access points found by wardrivers around the planet didn't even have the flawed wireless security standard known as Wired Equivalent Privacy, or WEP, turned on.
"If people didn't take the five minutes to turn WEP on in their access points, I doubt they have other security that can protect the network," Coy said. "They really need to be doing something more proactive to make sure their wireless networks are more locked down."
Finding a solution to the insecurity of wireless networks could be a pivotal factor in determining whether the wireless industry has a profitable year, said Dennis Eaton, chairman of the Wi-Fi Alliance. Sales of wireless hardware to companies have flattened in recent quarters, while consumer purchases have grown.
"The consumer segment is not that concerned about security today," Eaton said. "On the enterprise side it has affected sales, but in most cases it has caused them to defer the decision until a security solution is found."
The only way to secure communications today is to either use WEP, a technique that allows the data transmitted to and from the central network hub, or access point, to be encrypted. But the encryption can be broken with relative ease, often in as little as five hours.
A part of the Wi-Fi Alliance's interim standard called Temporal Key Integrity Protocol will address WEP weaknesses by adding stronger security and protecting the encryption keys. In addition, the standard will add a new way to limit who has access to a network.
Using components of a new standard from the Institute of Electrical and Electronics Engineers, companies can create a system that distributes digital keys only to those people allowed to connect to a specific network.
A simpler version of this technology called Pre-Shared Key will be available for home use. Under that system, a password can be created as a master key for each PC on the network. From then on, Wi-Fi Protected Access will bar anyone who isn't using a device with the matching password. With the new technologies, David Pollino, managing security architect for digital security firm @Stake, expects to be able to offer customers less complicated and less costly ways to bolster wireless protection.
"From a security perspective, (the future) is all positive," Pollino said. "Currently, if you roll out wireless securely in your campus, you can do it, but you might have to jump through more hoops than you might want."
Yet even simple security might not be enough to persuade everyone to use wireless networks, said Steve Kirschbaum, president of independent consultancy Secure Information Systems International.
He points to the lack of security on the wireless connection points, known as hot spots, offered by T-Mobile. The company, which provides Internet access at Starbucks outlets in partnership with the ubiquitous coffee chain, doesn't secure surfer communications.
"The way things are now, it's a dicey proposition," Kirschbaum said. "You have to assume that each keystroke is something someone is going to see."
It is no surprise, therefore, that wireless technology companies are trying to get secure products to market as quickly as possible.
"When people talk about wireless networking, the first thing that pops into their mind is security, and we recognize that is a barrier," said Eaton of the Wi-Fi Alliance. "Everyone in the industry sees security as the No. 1 issue for growth."