Learning from Best Buy

By Adam Stone

May 21, 2002

There are security lessons to be learned from the electronics retailer's recent decision to take its entire line of wireless cash registers off line after the threat surfaced that they could be hacked by mobile users.

In late April 2002, anonymous security researchers reported on a mailing list that some large retailers might have gaping holes in the security systems governing their 802.11-based mobile cash registers.

By May 1, giant electronics retailer Best Buy had taken all its mobile cash registers off line.

What went wrong at Best Buy? The retailer isn't saying much right now. "We are investigating," said spokesperson Donna Beadle, adding that the mobile registers handled only "a very small percentage of our transactions."

It's been known for some time that 802.11 systems contained certain vulnerabilities. Right now two schools of thought dominate. Some say it's mostly a matter of human error: People simply don't bother to turn on the built-in Wireless Equivalent Privacy (WEP) encryption safeguards, and then they are surprised to find themselves broadcasting data in the clear.

On the other hand, there are some, such as William A. Arbaugh, computer science professor at the University of Maryland at College Park, who say the available tools are insufficient, that even when used properly, present versions of 802.11 are inherently insecure.

"The current 802.11 security mechanisms are completely broken," says Arbaugh. "Thus, the retailers shouldn't have been using the cash registers (even if WEP were available) without additional protection, presuming they could have added such protection. If they couldn't add additional protection, then they should have turned them off."

Critics say part of the problem lies in the nature of the WEP key.

Suppose a network administrator does take the common-sense precaution of turning on WEP. Because 802.11 does not define any key management processes, a hacker armed with an over-the-counter key discovery software tool can figure out the key, explained Jim Geier, an independent consultant at Wireless-Nets, Ltd. in Dayton, Ohio. [Geier is a frequent writer for 80211 Planet.]

Key in hand, "you can then pull down a free demo version of some sniffing software and run around with your laptop" sniffing data, he said. "This technology is very available and you don't have to be a highly technical person to use it. A year ago that was not the case, but today the thieves have ready access to those tools."

Others take issue with this assessment, suggesting that the nay-sayers are perhaps overstating their case.

While it is possible to get hold of a WEP key, it is by no means a simple affair, according to Alfred Arsenault, chief security architect at Diversinet Corp.

"If you have the equipment and the expertise, you can do it, but for the guy who is walking through the neighborhood checking doorknobs to see if any are unlocked, it is a good enough lock," he said. "The average guy in his car in the parking lot with a laptop probably won't be able to get in."

Of course, that "probably" still leaves a lot of room for error, and Arsenault thus sides with all those who say 802.11 security overall has got to be improved. If high-profile cases like the Best Buy situation continue to crop up, he warned, it could put a damper on the continued adoption of 802.11 systems by enterprise users.

The 802.11 development community has promised that the next iteration of the networking protocol will address many of the security issues that loom today, but that won't happen for some time yet.

So: What are the options today?

In the first place, network administrators must assess their needs. "There are lots of good security solutions available, but it is not a 'one size fits all' kind of thing," said Symbol Technologies Vice President Wireless Network Products Ray Martino. A hospital, for instance, will want a fairly comprehensive data-security package, whereas a factory that handles no sensitive data might find WEP alone to be sufficient.

In the latter case, it's vital to eliminate human error. That means taking the time to turn on the security features already built into the 802.11 protocol.

For users who need more than WEP, the easiest fix right now involves dynamic key allocation, wherein the system continually creates new keys. Geier noted that this functionality will be part of the standard 802.11 package due out by the end of 2002, and in the meantime is available as an 802.1X access point, such as that manufactured by Cisco.

For those who do opt for key regeneration, the safest approach seems to be to issue a new key for every session. Others likewise advocate user verification at the session level. Either way, "the important thing here is not the wireless connection itself. It is the session," said Burk Murray, vice president of marketing at Digi International. "The pipe has to be secure, but then the session must also be secure."

Murray and others warn that there is a bigger problem looming here: Server security.

Having discovered potential breaches in the 802.11 protocol, Murray warned, it will be only a matter of time before hackers make use of those gaps to do even more damage.

"The same guy who is picking up one or two credit-card numbers across a wireless link could also be sniffing passwords, and if he gets into your server: End game," Murray said. "Because people are not securing their sessions, the servers that are collecting ALL of these credit-card numbers also are vulnerable. So you have to make sure your sessions are secure, and then beyond that, you have to make sure your servers are securely managed, too."


