Serious WLAN Security Threats: Part I
January 07, 2002
In part one of this two-part series on current WLAN security issues, security expert Jim Gemmel defines the issues and explains who should NOT be using 802.11 at this point in its evolution.
Jim Gemmel was shopping in a Circuit City near D.C. recently, when he bumped into, as he puts it, "two gents from an unknown government agency."
They attracted his attention a) because they were obviously feds, a species Gemmel knows well, and b) because they had a big shopping cart into which they were tossing wireless LAN NICs and access points. It piqued Gemmel's curiosity.
As a senior signals analyst at CACI International Inc., a $600-million-a-year Arlington, VA systems integrator, he spends much of his time researching wireless networking technologies for federal government clients, including DoD agencies.
Which means Gemmel knows exactly how secure WLANs are - i.e. not very. He decided to engage the gents in conversation.
"I actually started preaching to them about security," he says a little sheepishly. "But they said they didn't care, they just wanted to get connectivity to wired services and they couldn't wait any longer for their systems' people."
In light of increased fears about cyber terrorism post September 11, such a cavalier (if understandable) attitude in any government department, however far from the front lines, is a little scary. Which is, of course, part of Gemmel's point.
But he also offers this bit of anecdotal evidence as his only knowledge of any trend in government towards adopting WLAN technology. In fact, there isn't a trend, he hopes - unless of course it's all under the radar screens of government systems administrators.
Few of his clients are using 802.11b WLANs - at least officially. And the main reason is that CACI has advised against it for security reasons.
In the first of this two-part series on WLAN security, we look at the major threats to 802.11 technology that make it, in Gemmel's opinion, more inappropriate than ever for government use.
In Part II, he offers a laundry list of tips and tricks to make today's WLANs as secure as they can be.
But even if you used all his techniques, he says, 802.11 WLANs still wouldn't be secure enough for many government applications. "I would say that for passing very sensitive information, it's probably not possible to make [an 802.11 network] secure. Or you couldn't make it 100-percent secure - but then I don't suppose a network that's 100-percent secure actually exists."
Some of his clients, including DoD agencies and others - CACI also "services the intelligence community," Gemmel notes - would love it if there were a truly secure wireless network today.
There has already been some public discussion of an "electronic battlefield solution," a portable outdoor WLAN that would offer superior bandwidth for battlefield data communications to current military RF systems.
Harris Corp. (www.harris.com) and Intersil (www.intersil.com) have secure WLAN technology in development that will offer bullet-proof security, good enough even for this kind of application, Gemmel believes.
"I would call [the Harris/Intersil product] a secure network, where you're actually protecting information as it's passing across the link. It's as secure as one could get - as secure as any wired network," he says.
In the meantime, the 802.11 gear that dominates the marketplace is a security nightmare, Gemmel says - pure Swiss cheese.
The major threats?
- Most current products use spread spectrum technology. Vendors initially claimed it was difficult or impossible to de-spread or demodulate the signals. Wrong, Gemmel says. It's easy.
All you have to do is steal an SSID (Service Set Identifier), the ID attached to packets sent over WLANs that functions as a password for joining a network. All radios and access points within a network use the same SSID. Packets with other SSIDs are ignored.
- Vendors also said you couldn't get an SSID unless you were given it. Wrong again. "We now know SSIDs are sent in the clear," Gemmel says. "You can get very simple software, some of it free on the Internet, that easily intercepts somebody's SSID."
- WLAN signals are prone to being intercepted well outside the facility in which the network resides.
"A lot of consumers are using wireless LANs now," he points out. "They see on the box that it's 11 Mbps up to 300 feet. They're not educated enough to realize, though, that the signal doesn't necessarily stop at 300 feet. In fact it can go up to 2,000 feet and beyond."
This makes it easy for eavesdroppers to drive up to an office building - or home - park and infiltrate a network inside without anyone realizing.
- As everyone who knows anything knows by now - or should do - the 802.11b Wired Equivalent Protocol (WEP) encryption can be compromised by hackers using statistical mathematical analysis tools. Two recent studies, one from AT&T and another at Rice University (www.rice.edu), have made this painfully clear, Gemmel says.
- At the level of what hackers can do once they smash through inadequate WLAN defenses, Gemmel puts "file transposition" at the top of his list. Infiltrators steal an SSID, gain access to a network, hack passwords on the enterprise LAN and then merrily delete or alter files stored on servers - or steal trade secrets contained in files.
- Or hackers infiltrate the network and leave behind "Easter eggs," hidden and undocumented programs or messages embedded in the code of commercial software residing on the network. Some Easter eggs are harmless, even funny, but they can also be destructive viruses.
- Gemmel's last WLAN security threat is really only a perceived threat, he says, because hackers would need a lot of hardware and arcane software to do it. But theoretically, they could intercept WLAN packets, decrypt them if they're encrypted using WEP, change them, re-encrypt them and send them on to the intended recipient - who would never know.
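The point about SSIDs being sent in the clear can be checked against the 802.11 beacon frame layout itself. The Python below is an added example, not part of the original article; the frame bytes, the SSID "CORP-WLAN" and the BSSID are constructed for illustration. It shows that the SSID field stays readable even when the beacon advertises that WEP is required, which is why an SSID cannot serve as a password.

```python
import struct

MGMT_HEADER_LEN = 24   # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12  # timestamp (8), beacon interval (2), capability info (2)
CAP_PRIVACY = 0x0010   # capability bit set when the network requires WEP
ELEM_SSID = 0          # information element ID that carries the SSID


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID and the Privacy flag from a raw 802.11 beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype != 8:  # management frame, beacon subtype
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")
    capability = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 10)[0]
    ssid = None
    pos = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):  # walk the ID/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            raise ValueError("truncated information element")
        if elem_id == ELEM_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + elem_len
    return {"bssid": bssid, "ssid": ssid,
            "wep_required": bool(capability & CAP_PRIVACY)}


# Constructed sample beacon (not captured traffic): WEP required, SSID still plain.
SAMPLE_BEACON = (
    bytes.fromhex("80000000")               # frame control (beacon), duration
    + bytes.fromhex("ffffffffffff")         # addr1: broadcast destination
    + bytes.fromhex("020000000001") * 2     # addr2 (source) and addr3 (BSSID)
    + bytes.fromhex("0000")                 # sequence control
    + bytes(8)                              # timestamp
    + struct.pack("<HH", 100, 0x0011)       # beacon interval, capability: ESS + Privacy
    + bytes([0, 9]) + b"CORP-WLAN"          # element 0: SSID, unencrypted
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element 1: supported rates
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```
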
Not a cheery thought around the Holiday season, perhaps, but worth keeping in mind. Next time: Gemmel's Boxing Day gift - WLAN security solutions that work, to a point.