Users login

Create an account »


Users login

Home » Hacking News » As wireless networks grow, so do security fears

As wireless networks grow, so do security fears

by ivy on August 20th, 2001 Avi Rubin did not mean to hack into the hospital's computer network; it practically begged him to.

Mr. Rubin, a computer security expert at AT&T Laboratories in Florham Park, N.J., had accompanied his wife, Ann, to the nearby Morristown Memorial Hospital while she had minor surgery last month. He brought along his laptop so that he could do some work while she napped during recovery. But as he sat in her room, he noticed a green light blinking on the card that he ordinarily used to connect his laptop to the wireless computer network installed in his home.

The hospital, like many businesses, colleges and even neighborhoods, had installed its own wireless network — in its case to give employees access to the computer system anywhere in the building. It had adopted the popular emerging standard for such networks, known as 802.11b or Wi-Fi; the hospital's network, apparently set to the most welcoming mode of operation, automatically granted access to Mr. Rubin's machine.

Mr. Rubin, 33, the author of "White-Hat Security Arsenal: Tackling the Threats" (Addison-Wesley) a guide to repelling computer security threats, was surprised, but also worried. He was glad to have the easy Internet access that the network was offering. On the other hand, he also knew that with "sniffer" software that he uses to analyze computer networks, he could monitor every message and file passing through the hospital's wireless system, presumably including sensitive patient data entered by nurses via the wireless-equipped laptops they carried from room to room.

"Fortunately, I'm married to a lawyer, who advised me against looking," he said. Instead, he added, "I enjoyed free high- speed Internet services the whole time I was in the hospital, but I didn't peek" at the passing network traffic. After his wife's stay, however, he wrote a letter to the hospital explaining that it had a "serious security vulnerability."

Robert C. Hendricks, vice president for information systems at Atlantic Health System, the parent company of Morristown Memorial, said the security lapse was a "temporary situation," and had occurred as part of a $7 million, yearlong overhaul of the computer networks, with strong security measures as a priority.

But for many businesses, the lack of security is not temporary. The use of Wi-Fi is burgeoning: computer users of all types are rushing to install wireless networks because they offer ease of use and convenience.

Yet most do not even turn on the encryption system that is included in all network software to protect the broadcast data traffic from being picked up by electronic eavesdroppers. As businesses shore up their wireless security, consumers — who can set up wireless networks at home for a few hundred dollars — are likely to realize that they need to follow suit.

In some places, like neighborhoods and college campuses, part of the idea is to share or to even give away Internet access in a kind of high-tech gesture of good will. If those networks are not protected, a result could be a security disaster, said Christopher W. Klaus, co-founder and chief technical officer of Internet Security Systems. Most networks, he said, are still wide open.

"We have driven around Atlanta, New York and other places just with a laptop and an antenna, and we were able to pick up quite a few 802.11 access points," he said. "I'd say 95 percent of them did not have any security whatsoever."

Of course, to companies like Mr. Klaus's, the same situation is a potential jackpot: a whole new set of technologies with flaws that will require analysis, consulting and sales of new software and hardware.

The fact that wireless networks can be monitored and joined by outsiders is no surprise. It is, after all, a broadcast medium like radio, television and cellular phones. But recent disclosures by computer researchers of the weakness of the built-in encryption system, known as Wired Equivalent Privacy, has raised new worries about wireless security. Researchers at the University of California at Berkeley showed that it was theoretically possible to break the encryption system to read individual messages, though the process would take many hours. Another team of researchers, including the renowned cryptographer Adi Shamir, has since outlined a more powerful theoretical attack that would allow a wireless intruder to learn the master key to the encryption system and trick the network into thinking that he was a legitimate user.

Mr. Rubin and Adam Stubblefield, a Rice University undergraduate who was working as a summer intern at AT&T Labs, put the Shamir hypothesis into action. In less than two hours, Mr. Stubblefield was able to lay bare a network protected by Wired Equivalent Privacy technology.

The most unsettling thing about the exploit, which was carried out with the knowledge and consent of an AT&T Labs network administrator, was that it was done passively. Mr. Stubblefield's computer did not try to enter the network or to make itself known in any way while collecting the necessary data to divine the key to the network: it just listened, and pieced together the string of characters necessary to gain full access. If the software that he wrote to assemble that software "key" were published, Mr. Stubblefield said, "this is something any script kiddie could do with a laptop." He added that he and Mr. Rubin were not releasing the program in publishing their research.

Mr. Rubin said the experiment had changed his views on wireless encryption. Until the test, he recommended turning on the wireless networks' built-in encryption system. But now that he and Mr. Stubblefield have shown how weak that encryption standard is, "I feel the encryption gives a false sense of security." Mr. Rubin joked that the next time he has to go to the hospital, "I'm going to ask for the nurse to use pen and paper."

New versions of 802.11 are on the way that will include stronger security measures. But standard versions of those security technologies will not be ready until next year at the earliest. For that reason, many security consultants recommend that companies buy their wireless equipment from vendors like Cisco Systems that have enhanced security through proprietary software, even though that could mean locking the company's future purchases into the wares of a single vendor.

Other consultants recommend that companies building wireless networks incorporate security into their wireless networks on their own — for the most part, by extending into the wireless realm security tools that they are already using in their wired networks. "What we're telling clients," said John Pescatore, an analyst at Gartner Inc., a research firm, is to "treat the airwaves just like you treat the Internet," as a medium to connect to, but as one that is not to be trusted.

Rudy Bakalov, a security manager at PricewaterhouseCoopers in New York, said that meant extending the Internet protections that many businesses and individuals already use, including firewalls, the "virtual private networks" that help ensure that people gaining access to a company's systems are authorized to do so, and intrusion detection systems that alert users when people try to take liberties with the networks. "They already have that infrastructure in place" for Internet access, Mr. Bakalov said, "so it's not going to be that much more expensive, anyway."

Some security experts say consumers will have to follow the lead of businesses in bolstering wireless security. Robert Clyde, chief technical officer at Symantec, a computer security company based in Cupertino, Calif., recommended that people who have set up systems in their homes protect them from intruders with consumer versions of the same software and hardware tools used in the business systems — all of which Symantec happens to sell.

Mr. Clyde added that the worries about network security should be broadened to include the laptop as well: "How do we protect ourselves as we're roving around?" He said he could envision a time when a wireless intruder bent on malice could plant a virus on a laptop that comes within range, or worse. Reputations, he suggested, could be ruined by planting an embarrassing file on a business rival's hard drive.

"Any real protection I have has got to be loaded right here," Mr. Clyde added, lifting his laptop. "Every device has to take care of its own security."

The most important point, security companies say, is that companies and individuals must become aware of the security risks inherent in broadcasting data. Guardent, a security consulting firm, is one of many companies that has developed diagnostic software to help assess companies' wireless security holes.

As Jamie Fullerton, a research scientist at the company, walked along 43rd Street in Midtown Manhattan, cars flowed by in an endless stream, and so did data, drifting by like the sounds of a nearby band of buskers playing Andean flutes. Ears pick up bits of the music, and the antenna in the laptop picks up the data packets. The stream is far richer, he says, in the canyons of Wall Street and in Silicon Valley. Some of the networks he finds are open; others are weakly protected by built-in encryption.

Guardent's chief technical officer, Jerry Brady, said he would like to warn all of the companies whose data was flashing across Mr. Fullerton's screen. But Guardent only shares the results of its scans with the paying clients whose networks they are auditing for security measures. Any other approach, he said, would be awkward — and could even sound like a shakedown.

"There's no real way to approach companies and say: Hey, I saw your traffic go by. Would you like to talk?' " he said with a laugh. "That doesn't work very well."

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »