New Module Cloaks Crackable WEP Encryption

By Eric Griffith

April 02, 2007

AirDefense's new software protects enterprise investment in legacy products with old, broken encryption.

AirDefense has done it, just like everyone else, including Wi-Fi Planet. "Being security specialists, we've told customers, you can't use WEP, you can't use WEP, it's insecure!" says Dave Thomas, vice president of product strategy at the company. "And that is the case."

WEP, of course, is wired equivalent privacy , the security encryption scheme that came with the original 802.11 specification. Over the last few years, it has been proven quite easy to crack wide open by anyone with the tools and the patience.

However, the reality is that many companies have spent thousands of dollars, if not much more, investing in products that simply can't be upgraded easily or at all to support the advanced security of Wi-Fi Protected Access (WPA) . "They can only operate in an insecure fashion, and do not comply with PCI," says Thomas.

PCI in this case is the Payment Card Industry, which has specific data security standards for retailers with wireless networks. If the retailers can't meet those standards -- such as using encryption that's better than WEP -- they are not allowed to take credit cards for payments. The only option is a "forklift upgrade" of every wireless product, something Thomas says would cost a bundle; one of AirDefense's customers was looking at no less than $8 million to get WPA support throughout their big distribution center.

The solution from AirDefense is a module for its enterprise product called WEP Cloaking. It's a solution that Thomas says offers fantastic return on investment (ROI), because the enterprise isn't replacing all its hardware, but it still gets advanced encryption that meets PCI standards.

The technology behind the WEP cloak is patented by AirDefense already, which Thomas says is one reason it took this long to come out -- they wanted to wait until they felt it was theirs free and clear. It works by fouling up the statistical analysis that WEP key-cracking products use to figure out the network encryption keys by sending out fake frames.

"We're tricking the tools and breaking their analysis," says Thomas. "It would be irresponsible for anyone to say we've solved the problem of WEP being cracked, but for the tools out there, they won't be able to do it when WEP Cloaking is running. This is a new race -- as new tools come out, we'll stay ahead of them."

Of course, this isn't limited to just retailers, the vertical industry that AirDefense is targeting with this initially. Any company running AirDefense Enterprise with older equipment could take advantage of it. And Thomas says there is no reason the tech wouldn't work at the home network level as well, but for now, AirDefense has no plans to go there.

The cost of WEP Cloaking will vary with the size of a retailer's network, but Thomas guesses it would be between $200 to $400 per site.

"There's a lot of demand for this in stores and in distribution centers for retailers, where they use many wireless devices and it's very expensive to upgrade," says Thomas.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.