The driver of the unmarked van outside your office may not be on a long lunch break. He might be hacking your wireless local area network (WLAN) using a new technique called war driving.
New hacking activities seem to pop up daily, keeping pace with the growth of wireless LANs. The reason is obvious: a lot of wireless LANs are completely unprotected. As the number of WLAN cards grows, so will the opportunities for hackers to break into wireless networks.
You need to put your WLAN under lock and key, but current standards won't do the trick. Your only hope: set up fail-safe procedures and keep an eye on encryption.
George Lawton is a freelance writer and consultant based in Brisbane, California. Prior to writing for ZDNet Tech Update, George apprenticed with the Institute of Ecotechnics and helped build Biosphere II.

The latest high-profile hacking method is called war driving, whereby hackers find unprotected WLANs by driving around with a laptop and 802.11 Ethernet card. Although freeloaders may surf the Internet for free on your bandwidth, more ominous is the potential for hackers to steal corporate data, plant viruses, change Web pages, or anonymously stage a denial of service attack from your network. In many ways, your wireless LAN is the weakest security link in your IT infrastructure.
Security problems are expected to grow with the proliferation of wireless LANs. Cahners In-Stat has projected that the number of wireless LAN cards will grow from 2.6 million in 2000 to 11.8 million by 2003. These numbers are significantly higher if you include other short-range wireless technologies such as Bluetooth and IrDA.
Life is getting easier for hackers. "The level of expertise required to spy on wireless LANs is fairly high," says James Atkinson, president of Granite Island Group, an electronic security firm. But more people are acquiring that knowledge. "It used to require extraordinarily expensive hardware," he adds, "but by the end of this year, you will be able to do it with a $79 card and a piece of free software."
Although most wireless LAN products come with support for basic security through the Wired Equivalent Privacy (WEP) standard, many corporations fail to turn it on, or they don't change any of the passwords or settings from the default. This makes it easy for an unskilled hacker to simply log in and use the network. Security may also be compromised when employees install rogue access points that the IT department doesn't know about.
John Pescatore, a Gartner analyst, says, "A lot of our clients say, 'We don't use wireless LANs.' But then, employees set up rogue wireless LANs."
Gartner recently found that though 20 percent of corporate IT departments believe they have wireless LANs, 50 percent of the procurement offices said they had bought them. This apparent failure to consult the IT department suggests that at least 30 percent of these corporations have WLANs with dubious security.
Laptops with active 802.11, IrDA, and Bluetooth transmitters are often used in public places and can be compromised by any hacker in the vicinity. The default setting for IrDA and Bluetooth ports is to automatically network with nearby devices without requiring passwords or authentication. Hackers can exploit this and network with your laptop to gather information or to plant viruses.
Atkinson says many travelers' laptops could be easily compromised by a hacker on an airline flight. He notes, "Users are just as clueless as they were a few years ago. The problem is even more pronounced now because more and more laptops come equipped with an IrDA port." The problem could get worse when Bluetooth transceivers become standard features.

A new wireless security standard, 802.11i, is expected to address the limitations of WEP. Estimates on the completion of 802.11i vary from later this year to early 2002. Some of the equipment now being sold by companies such as Cisco, 3Com, and Enterasys includes features that are anticipated to be part of the final standard.
But you can't rely on standards alone to protect your networks and mobile computers from attack. You need to establish a wireless LAN deployment policy that accomplishes the following goals:
Find unsecured access points. Wireless sniffer equipment can analyze network traffic to locate rogue access points and identify attacks. There are a number of these standalone products such as AiroPeek from WildPackets, MobileManager from Wavelink, and Sniffer Wireless from Network Associates.
In addition, some wireless LAN vendors, such as Cisco, include wireless traffic analysis capabilities to help automatically detect rogue access points or wireless attacks.
Use personal firewall software. The first line of defense for mobile computers is to install personal firewall software on each laptop, such as Network ICE's BlackICE Defender 2.5, Symantec's Norton Personal Firewall, and Zone Labs' ZoneAlarm Pro. This is important for protection on wireless links as well as for fixed Internet connections such as ADSL or cable modems.
Physically secure laptops. Atkinson says the best way to protect roaming laptops is to completely disable physical access. Even though firewall applications can provide some protection, hackers can still get physical access to the network.
You can disable physical access to a laptop by unplugging the wireless Network Interface Card (NIC) and by covering the IrDA port with a piece of aluminum foil secured with duct tape. Bluetooth transceivers pose an additional problem because you can't physically shield them, so you should disable all networking capabilities from within the operating system when they aren't needed.
Run VPN software. Pescatore says that some of the major vendors, such as Lucent, Cisco, and 3Com, can provide adequate security today, but this means that you must use a single vendor for all your equipment. Otherwise, he recommends that all mobile computers run virtual private network (VPN) software and that you "treat the wireless LAN just as you would treat the Internet."
Though most VPN technologies operate at the Internet protocol layer, AppGate has developed an applications layer VPN that runs in Java. Dennis Szerszen, chief strategy officer at AppGate, says that this allows a company to strategically secure valuable applications and databases without having to modify every PC and PDA. In addition, VPNs do require that you install software on gateways that need to be deployed around the IT infrastructure.
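For the "find unsecured access points" goal above, the following added example (not from the article or any product it names) shows the comparison a site survey feeds: observed access points checked against an approved inventory, also flagging WEP left off and unchanged factory settings. The inventory, survey rows and the short list of factory SSIDs are constructed sample data.

```python
# Constructed inventory of approved access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:40:96:aa:00:01": "corp-wlan",
    "00:40:96:aa:00:02": "corp-wlan",
}
# Assumed sample of factory-default SSIDs; extend for the gear you own.
FACTORY_SSIDS = {"default", "linksys", "tsunami"}

# Constructed survey rows: (bssid, ssid, wep_enabled).
SURVEY = [
    ("00:40:96:AA:00:01", "corp-wlan", True),   # approved, encrypted
    ("00:40:96:aa:00:02", "corp-wlan", False),  # approved, WEP never enabled
    ("00:02:2d:11:22:33", "corp-wlan", True),   # unknown radio, corporate name
    ("00:06:25:44:55:66", "linksys", False),    # out-of-the-box access point
]

def audit(survey, authorized=AUTHORIZED):
    """Return (bssid, finding) pairs for every observation needing follow-up."""
    corporate_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, wep_enabled in survey:
        bssid = bssid.lower()                    # normalise MAC formatting
        if bssid not in authorized:
            # Unknown hardware: worse if it advertises the corporate SSID.
            kind = ("rogue-using-corporate-ssid" if ssid in corporate_ssids
                    else "unknown-ap")
            findings.append((bssid, kind))
        elif authorized[bssid] != ssid:
            findings.append((bssid, "ssid-changed"))
        if not wep_enabled:
            findings.append((bssid, "encryption-off"))
        if ssid.lower() in FACTORY_SSIDS:
            findings.append((bssid, "factory-default-ssid"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY):
        print(f"{bssid}  {finding}")
```

An "unknown-ap" finding may simply be a neighbour's network, so it is a prompt for triage rather than proof of a rogue device.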
Making sure your security precautions pay off requires keeping an eye on the standards. The current WEP standard is easily compromised, yet a new standard may not be adopted until next year.

The IEEE created WEP to provide wireless privacy equivalent to that of traditional wired networks. WEP is designed to deter eavesdroppers and prevent unauthorized connections to wireless LANs. But the standard has a number of limitations. Gemma Paulo, a Cahners In-Stat analyst, notes, "Basically, the WEP standard is pretty lenient. They just wanted to get it out there, and they did not want it to be so complicated that it increased the cost."
Recent research reports from UC Berkeley and the University of Maryland indicate that even if you try to secure your wireless LAN through WEP, dedicated hackers could still compromise the network, most likely due to weak encryption and the reuse of encryption keys.
WEP uses the RC4 encryption algorithm, which uses the same key to scramble and descramble the packets. UC Berkeley researchers claim a diligent hacker could decipher RC4 encrypted text by gathering about five hours' worth of data. In addition, many WEP implementations use the same key.
Also, you should avoid changing your key in a predictable manner. Hackers crack codes by gathering a lot of data encrypted with the same key. If your key management system cycles through the same set of keys in a predictable manner, determined hackers can gather data from your LAN traffic and correlate it with the keys to help decipher the encryption. Their attack techniques work just as well with both 40-bit and 128-bit RC4 encryptions.
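Why data encrypted under a repeated key is the weak point, and why a longer key does not help, shown as an added example that is not from the article or the cited research. It assumes WEP's framing, in which RC4 is seeded with a 3-byte initialization vector (IV) followed by the shared secret (5 bytes for 40-bit products, 13 bytes for those sold as 128-bit); the IV, payloads and frames are constructed, and WEP's CRC-32 integrity value is left out.

```python
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    # Per-packet RC4 key is IV || secret; the integrity value is omitted here.
    return xor(payload, rc4_keystream(iv + secret, len(payload)))

def reuse_leaks_plaintext_xor(secret: bytes) -> bool:
    """Two frames under one IV and secret: the keystream cancels out, so
    ciphertext XOR ciphertext equals plaintext XOR plaintext."""
    iv = bytes.fromhex("a1b2c3")                        # constructed IV
    p1, p2 = b"payroll run: FRI", b"meeting at: 3 PM"   # constructed payloads
    c1, c2 = wep_encrypt(iv, secret, p1), wep_encrypt(iv, secret, p2)
    return xor(c1, c2) == xor(p1, p2)

def reused_ivs(frames):
    """Audit helper: IVs (hex) that appear on more than one captured frame."""
    counts = Counter(iv for iv, _ciphertext in frames)
    return sorted(iv.hex() for iv, n in counts.items() if n > 1)

if __name__ == "__main__":
    for secret in (b"\x01" * 5, b"\x01" * 13):          # 40-bit and 104-bit
        print(len(secret) * 8, "bit secret, reuse leaks plaintext XOR:",
              reuse_leaks_plaintext_xor(secret))
```

The result is the same for both secret lengths because the secret never enters the comparison; only a per-packet key that does not repeat prevents it, which is what per-session keys are meant to provide.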
The new standard will incorporate two key components for authentication and encryption. For authentication, the task group is likely to adopt 802.1x, a new authentication management system protocol being incorporated into Windows XP and a variety of networking equipment. As a result, you could use unique encryption keys for each session, and the standard provides an infrastructure for key management. 802.1x also supports the use of centralized authentication, identification, and accounting schemes such as Kerberos and RADIUS (Remote Authentication Dial-In User Service). Major vendors such as Microsoft, Cisco, 3Com, and Enterasys are adopting 802.1x.
For encryption, Task Group I is considering using either WEP2 or Advanced Encryption Standard (AES). WEP2--an encryption protocol that may be adopted for 802.11i--would be easier to implement on top of the existing WEP infrastructure, but many experts are concerned that it is not secure enough.
"Even with its enhancements, the inherent weaknesses of RC4 [the underlying encryption algorithm] will still remain," explains Dennis Eaton, vice chair of the Wireless Ethernet Compatibility Alliance. "I think that it is inevitable that we will migrate to AES, regardless of whether WEP2 becomes a standard."

Pescatore expects the various security technologies such as personal firewalls, VPN clients, and desktop antivirus software to converge, which should improve security over both WLANs and the Internet. But regardless of the technology, WLAN security will always be limited because users will sidestep security features.
You can slow down and frustrate hackers by adding multiple security layers to your system, such as biometrics and hardware tokens. A hardware token is a device, usually a small card, which displays a password that changes over time. If one of these falls into the wrong hands, the IT department must be alerted so that it can disable access. Biometric units, on the other hand, are harder to foil because they require someone's eye or finger to be scanned. Of course this makes life less convenient for employees, but at least these security measures can't be sidestepped, unlike storing passwords.
You can also set up a secure network to require a token or a biometric scan every time it is accessed--a safeguard that can't be disabled by the user.
And for your ultimate wireless LAN strategy, you might even have the network require a new login every hour--just so a hacker can't log in from a laptop while its owner is eating lunch.