Wireless networks have been
enjoying great success in offices, schools, and homes (see
Technology & You, 11/6/00, "So Long,
Computer Cable?"). But the process of going wireless hit a speed
bump in recent days when a report by three security researchers
found a serious flaw in the technology used to keep over-the-air
data transmissions safe from curious ears.
Wireless
communication has an inherent security problem. While nearly all
data sent over wired networks is unencrypted and available to
eavesdroppers, they face the serious challenge of physically tapping
the wire. But to eavesdrop on wireless networks, all you need is the
right kind of radio. The range of the widely used 802.11b, or WiFi,
standard is broad enough that it's often easy to pluck signals from
the air from outside a home or office building.
SIMPLE ATTACKS. To deal with this problem,
the Wireless Ethernet Compatibility Alliance (WECA) came up with
something called Wired Equivalent Privacy (WEP), which uses
encryption to protect the data. But a paper, "Intercepting Mobile
Communications: The Insecurity of 802.11" by Nikita Borisov and
David Wagner of the University of California at Berkeley and Ian
Goldberg of Zero-Knowledge Systems, finds serious flaws in the use
of encryption technology and details some relatively simple attacks
that could be used to defeat the protections.
What does this
mean to users of wireless networks? "Given the goals for Wired
Equivalent Privacy," says a WECA statement, "WEP has been and
continues to be a very effective deterrent for the vast majority of
attackers." While WECA is correct in saying that the attacks
described by Borisov and his colleagues "are not easy to mount,"
neither is the risk trivial.
The appropriate response should
be concern but not panic. In particular, any really sensitive data
sent across wireless networks should be protected with an additional
layer of encryption. There are a wide variety of products available,
from the free but unwieldy Pretty Good Privacy from Network
Associates to commercial systems that automatically scramble all
transmissions. WECA, meanwhile, should accelerate an effort, already
under way, to enhance the security of the wireless Ethernet. This
episode is also a warning, if another one was needed, that the
security claims of all communications-technology vendors are
essentially meaningless until their products have been put to a
rigorous test.
MIGHTY
CONVENIENT. This flap over encryption, while serious,
isn't likely to do much to halt the march of wireless networking.
While the problems are real, the convenience is overwhelming, and
falling prices continue to increase the technology's attractions.
Lucent Technologies recently cut the list price of its Orinoco WiFi
card for laptops by 25%, to $149, for the version with 64-bit
encryption, and to $169 for the 128-bit version. (Interestingly, the
researchers found that using their methods of attack, the nominally
stronger encryptions didn't provide much additional protection.)
Also helping to push prices down are new competitors focused
on the home and small-office market with new products. For example,
Linksys PC cards are available for $132, and wireless access points,
or hubs that connect a machine to the network, for $265. USRobotics,
an old name reborn in a spin-off from 3Com, is offering a kit
consisting of an access point and three PC cards at a suggested
price of $759 and probably significantly less at retail. By midyear,
prices of PC cards are likely to fall below $100, and many new
laptops will come with WiFi wireless built in (all Apple products
are already sold wireless-ready, needing only a $100 AirPort card).
Users of wireless LANs, like people who talk on wireless
phones, should always be aware that someone might be listening. But
the risks haven't slowed the adoption of wireless phones, and they
aren't likely to have a big effect on LANs either.
Copyright 2001 , by The McGraw-Hill Companies Inc. All
rights reserved.
