The 'Michael' Vulnerability
December 12, 2002
The recently announced Wi-Fi Protected Access may be an improvement over the current state of 802.11-network security, but even before it's available, WPA's weaknesses are coming to light.
Could it be that the forthcoming Wi-Fi Protected Access (WPA) is too protected?
The new 802.11 security enhancement has not even hit the streets yet, and already
some knowledgeable observers are saying that WPA is going to be especially vulnerable
to denial of service (DoS)
WPA uses a series of mathematical algorithms to authenticate users. If a user tries twice to get in, sending two packets of unauthorized data during a one-second period, the system assumes it is under attack and shuts itself down. The shut-down is mean to thwart attack, but could itself become the means of an attack by a hacker who sends vast quantities of unauthorized data, thus triggering an ongoing series of shut-downs.
The idea behind this kind of attack is not new: It is possible to jam any wireless network by throwing at it an intense signal, one so strong it blocks out everything else on that band. But a powerful transmitter is needed for that kind of attack, making the attacker vulnerable to discovery. An attack on WPA, on the other hand, requires far fewer packets and could thus be carried out with relative stealth.
Niels Ferguson designed "Michael," the security function that triggers the shut-downs. He says there is no reason to single out this particular vulnerability. "Like every wireless network technology, 802.11 with WPA is vulnerable to a DoS attack. This is a significant threat to the reliability of the network in a hostile environment, but it is not WPA-specific," he says.
He argues that WPA reduces the overall risk, but stresses that the 802.11 protocol is fundamentally weak. Using a wireless network for mission-critical data "is plain stupid. Using it for life-critical data is criminally negligent," he said.
While one might suppose that Ferguson has pride of ownership when it comes to the Michael vulnerability, there are plenty of people in the wireless community who support his view."All radio 802.11 is inherently subject to denial of service attacks," says Donald E. Eastlake III, author of the book Secure XML: The New Syntax for Signatures and Encryption and co-chair of the joint IETF/W3C XML Digital Signature Working Group. He notes that these attacks even not even be intentional. As an unlicensed band, "802.11 can be interfered with, resulting in reduced or denied service, by legitimate cordless telephones, garage door openers, Bluetooth, radar," and so on. That being the case, he says WPA "is not significantly more vulnerable to DoS attacks than is WEP or unsecured 802.11." WEP, of course, is Wired Equivalent Privacy, the much derided security encryption currently found in wireless networks.
Others say that logic does not cut it. The Michael vulnerability "is significant," according to Arnold Reinhold, a consultant and author of The Internet for Dummies Quick Reference, 8th Edition and E-mail for Dummies, 2nd Edition. This type of attack "is unique to WPA, easy to mount, and is very stealthy -- only two packets need to be transmitted every minute. Even with sophisticated direction finding gear, it would be hard to track down the perpetrator."
Given this situation, Reinhold suggests that the DoS vulnerability presents a clear danger, especially given the growing corporate dependence on wireless networks. "Wi-Fi use is exploding, and vendors are expecting WPA to enable even more critical applications," he noted.
While 802.11 use may be growing, corporate executives are nervous about the risks involved. In a recent survey by network-security firm ReefEdge, 73 percent of IT managers surveyed listed security as their biggest concern with wireless LANs.
So, whats to be done about the WPA vulnerability?
On this the technical community is unanimous: Nothing much.
For example, an administrator could simply stick with WEP and not bother with WPA. That solves the Michael problem, but you would loose WPAs other security benefits, and "you would, of course, still be subject to all the other 802.11 DoS threats," said Eastlake.
At this point, most interested parties are viewing WPA as a stopgap measure.
As a subset of the forthcoming 802.11i security standard being developed by