March 31, 2003 11:02 AM PST

Microsoft fortifies Wi-Fi security

Microsoft on Monday released a Windows XP update designed to enhance security for computers that connect to wireless networks, but the software is only a part of the Wi-Fi picture.

The software update would change how the operating system connects to 802.11, or Wi-Fi, networks or base stations. Under the older method, one encrypted key is used by everyone connecting to the wireless network. The update would provide a means of associating a separate key for each computer connecting to the network, a change that in theory should increase security.

Businesses are increasingly concerned about wireless security, particularly since a breach through a single base station could expose an otherwise fortified network to infiltration by hacking or snooping.

The update adds support for Wi-Fi Protected Access (WPA), which is intended to replace the current standard, Wired Equivalent Privacy (WEP). WPA has been approved by the Wi-Fi Alliance, which is the group responsible for establishing standards governing wireless networking.

WEP already provides one layer of encryption, and WPA adds another. "There would be a different (encryption) key generated during the operation of the wireless link, which would give you stronger protection," said Jawad Khaki, corporate vice president of Microsoft Windows networking and communications technologies.

While seen as an improvement on the older standard, WPA could also complicate matters for some businesses since Wi-Fi firmware would also need to be updated to support the security technology.

"The weakness of WEP as part of the 802.11 standards has been clearly demonstrated," said Jupiter Research analyst Michael Gartenberg. "Since security remains one of the biggest inhibitors of Wi-Fi deployments, Microsoft felt the need to step in and offer an integrated OS alternative."

Still, Gartenberg remained cautious about the WPA update. "Given Microsoft's track record on security, this initiative is going to require very careful scrutiny before most users will feel comfortable with deployment," he said.

Since January 2002, Microsoft has been working to make security a priority across its product line, but the company acknowledges that much more work needs to be done. In the last month, vulnerabilities have been noted in the Windows 2000 operating system and the Internet Explorer browser.

Microsoft was a latecomer to Wi-Fi, adding support for that technology to the operating system with the release of Windows XP in October 2001. Apple Computer, for example, had added support almost two years earlier to Mac OS.

In September of last year, Microsoft released its first set of Wi-Fi gear supporting the established 802.11b standard, which ferries data at a throughput rate of up to 11 megabits per second (mbps). But a glitch caused Microsoft's Wi-Fi gear to drop connections, something the company later fixed with a software update.

On Friday, the Redmond, Wash.-based company revealed that it would offer faster gear using the 802.11g standard, with throughput of up to 54mbps, later this year. That timing, though, may have taken the wind out of Microsoft's recent retail wireless sales rally. Unexpectedly strong sales of 802.11g gear from competing manufacturers largely accounted for the dropoff in Microsoft's wireless market share, said NPDTechworld analyst Stephen Baker.

Temporary measures
The quick support for the emerging WPA standard could help Microsoft recover some momentum on the Wi-Fi front, say analysts. WPA is meant to be a temporary fix, while a broader, more effective security standard called 802.11i makes its way through the standards bodies. That measure isn't expected to be available in final form until later this year and likely would not appear in new products until sometime in 2004. Availability of 802.11i is expected to greatly enhance Wi-Fi security.

Gartner analyst John Pescatore said that this "temporary solution" would have to hold businesses over for "probably two more years."

In the meantime, Gartenberg said, "it seems that the OS is enough if (existing) devices are standards-compliant."


Special Report
Nothing but air
Beleaguered tech industry hears
the call of a wireless boom.


But that WPA compliance could be a problem for many Wi-Fi users, since base stations, PC Cards, USB devices and wireless networking components integrated into notebooks would all need to be updated to support the security technology. In fact, Microsoft, which along with Cisco Systems pushed for the adoption of WPA, doesn't yet support WPA in its Wi-Fi gear.

"Microsoft is still evaluating WPA (for its Wi-Fi hardware)," a company spokesman said on Monday.

A spokeswoman for Linksys, the market leader for Wi-Fi gear, said that WPA updates for its products would be available "very soon."

Manufacturers would provide these updates in the form of new software that businesses or consumers would apply to the Wi-Fi hardware.

As it doesn't support WPA along the whole string of connectivity--base stations, Wi-Fi components and the operating system--the security enhancement offers very little over WEP, Pescatore said.

"I'm just worried that people will be fooled into upgrading the PCs and not the access points, or upgrade the access points and not the PCs," he said.

The Gartner analyst estimated that it would take six months before interoperability could be ensured. "We're telling our clients, don't buy anything that's not WPA-certified for the rest of the year," Pescatore said.

Manufacturers expect that newer hardware will support WPA out of the box.

This problem highlights the ongoing problem of establishing standards governing Wi-Fi use and security. Standards bodies have been slow to approve specifications like 802.11g, leading some manufacturers to ship products ahead of ratification.

"So larger companies like Cisco and Microsoft are stepping in to drive standards like WPA," Pescatore said.

"To ensure true interoperability, you must implement standards," Microsoft's Khaki said. "We are a strong believer in standards that would give our customers the freedom of choice."

Microsoft's WPA update is an accompaniment to booming interest among businesses in wireless networking. Businesses with less than $10 million in annual revenue are leading the charge, with 83 percent either using or planning to use Wi-Fi networks in the next 12 months, according to Jupiter. Companies with $100 million or more in revenue are slightly behind at 71 percent.

In a report issued two weeks ago, market researcher Gartner predicted a significant increase in Wi-Fi offered as a standard feature on mobile computers. Last year, about 10 percent of notebooks shipped with integrated Wi-Fi components, and the volume is expected to reach 31 percent in 2004 and 68 percent in 2007, according to Gartner.

Worldwide spending on wireless networking gear grew 38 percent last year to $2.3 billion, according to Gartner. Manufacturers shipped 15 million Wi-Fi adapters and 4.4 million base stations. Prices fell on average by 37 percent, and Gartner predicted an additional 25 percent decrease in 2003.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.