802.11 and swiss cheese
By Stephan Somogyi, April 16, 2001
URL: http://www.zdnetasia.com/biztech/security/story/0,2000010816,20196487,00.htm

There is no doubt that 802.11b - the technical name for products also known as AirPort, Orinoco, Aironet, et al. - is a life-changing technology. All of a sudden companies don't have to string as many cables through their offices to provide connectivity. Small offices, home offices, and even just plain homes, are all beneficiaries as well, since you can set up an access point somewhere in the house, ideally hidden from plain sight, and still engage in e-mail and wander around the Web.

The problem is that, unlike a piece of cable that you have to get physical access to in order to connect, it's comparatively easy to get near enough to a wireless access point to get good signal strength. Say, in a café across the street.

OK, but just because you're in the radio footprint of an access point doesn't mean you can do anything useful with that wireless network, right? Well, maybe.

Placebo

Even the most user-friendly access points come with basic security facilities. These security features give the appearance of protecting a wireless network in two ways: making the traffic that flies through the ether undecipherable by outsiders and making the access point, well, inaccessible to anyone unauthorized.

The encryption part is accomplished by defining a password that the access point and all its clients share. One known weakness is that the encryption scheme--called WEP--uses a key length of 40 bits, so it's well behind the state of the art. However, I wouldn't be nearly so perturbed if one really needed to brute force attack the full key length. One doesn't.

But wait, there's more. It also turns out that the parts of 802.11's security not related to encryption are also flawed and can be compromised.
In short, even if you put all three available security mechanisms--WEP encryption, MAC-based access control, and closed networks--in place, a smart and determined evildoer can still compromise your network.

At least as far back as last October, the IEEE 802.11 committee knew about the security flaws in 802.11 and was starting work to fix them. Earlier this year, researchers with the Isaac project at UC Berkeley publicized quite a few problems with WEP. Upon reviewing this work and the design of 802.11's security, respected Bell Labs security researcher Steven Bellovin was quoted in the Wall Street Journal on February 5th as saying that there were some "real howlers" in the design.

WECA, the Wireless Ethernet Compatibility Alliance, promptly issued a formal response after the Berkeley researchers announced their findings. Unfortunately, this response evoked little more than the lightbulb joke whose punchline is "none--they redefine darkness as the standard." The response spent more time focusing on semantic quibbles and how hard it is to perform the attacks than admitting there were fundamental flaws in the protocol in the first place.

Adding to the UC Berkeley findings, a group of researchers at the University of Maryland published a paper of their own outlining even more vulnerabilities in 802.11. Both the quality and quantity of examination of 802.11's security leave little doubt about its significant shortcomings.

It's worth pointing out that these many vulnerabilities, which make 802.11's security reminiscent of swiss cheese, are manageable now that they're understood. There can no longer be any false sense of security. It requires a determined attacker to put si