Wireless Insecurity

Whether or not you’ve deployed wireless networks, they’re a threat. Fight back with these eight steps.

Take one look at the tangle of cables connecting the computer to its monitor, peripherals and printers, and it’s not hard to imagine how someone thought "wireless." Sample the wireless 802.11b network (a.k.a. Wi-Fi and AirPort) in a café after crawling around on your hands and knees underneath your desk trying to find a live Ethernet port.

You’re hooked.

All this has Corporate IT asking: "Should we invest in wireless networks? Are they secure enough?"

Whether or not IT supports wireless, users are already using it, leaving IT and security managers to try and cope.

"You have to realize that the business world is going to adopt technology and if you’re the security guy saying you can’t do that, you’re going to be run over by a herd of buffalo," cautions Jim Wade, chief security officer and business continuity officer for the Federal Reserve System, and also the president and CEO of ISC2, a security education organization.

Gartner Inc. warns that few wireless LANs operate with even the most basic kind of security activated. That’s why it recommends that security managers formulate wireless LAN security policies posthaste.

By the end of 2002, Gartner predicts 30 percent of all companies will face a security risk from wireless LANs. The No. 1 problem: hackers.

Anyone with a Wi-Fi card in an urban area knows how many "open networks" there are. Web sites describe "war driving," the practice of literally driving around looking for free connectivity from Wi-Fi networks, made easy since the networks freely announce their presence. (The phrase alludes to "war dialing," in which combinations of numbers were tested to find network back doors via modem.)

Brian Hassick, a security expert specializing in wireless infrastructure at Cambridge, Mass.-based Consilium-III, was formerly with @Stake Inc., a security firm also based in Cambridge, and is the founder of its Wireless Center of Excellence. Hassick recounts how IT managers at The MITRE Corp. in Burlington, Mass. were experimenting with 802.11b connectivity. (MITRE is a non-profit organization that studies nuclear weapons and defense technologies.)

"They were doing that whole ‘war driving’ thing and were going down Route 3 and seeing all of these access points popping up. They decided to go into work and sniff around, and they saw the exact same access points, some on the sensitive network."

Behold: MITRE quickly got a wireless security policy.

Besides easy access, there are the problems with the underlying security schemes. One is MAC-address filtering, which restricts users to an approved list of addresses, but addresses can easily be spoofed.

A stronger scheme is the Wired Equivalent Privacy (WEP) specification, but researchers have criticized its poor use of keys and the way it recycles encryption keys. Because WEP didn’t recycle keys fast enough (a firmware fix has changed that), it was possible—after listening to network traffic for a while—to deconstruct the encryption and gain access.

In addition, 802.11b is vulnerable to man-in-the-middle attacks, in which an outside computer pretends it’s an access point, fooling a user’s computer into divulging access codes. A session hijacking is similar, in that it tells a user’s computer it’s been kicked off the network, then pretends it’s the user’s computer.

It’s not just a PC problem. Cracking other types of wireless devices just requires that you intercept—and wait. Waterloo, Ontario-based Research in Motion admits its Blackberry Internet edition transmits all data in plain text. By contrast, Blackberry’s Enterprise edition has very good security. That is, unless the device is stolen. Blackberry passwords can be as short as four digits, making them susceptible to brute-force attacks.

Eight Steps for Wi-Fi Security

  1. Decide what kind of Wi-Fi network you want
  2. Articulate policies
  3. Create a wireless-activity baseline by sniffing around
  4. Inventory all RIM-type wireless devices monthly
  5. Turn down the RF volume
  6. Track down signals
  7. Implement new wireless security standards as fast as they become available
  8. Watch the "war drivers"

Articulate a Security Policy
Not surprisingly, organizations such as Lawrence Livermore National Laboratory, which researches nuclear weapons and defense technologies, have said they ban the use of wireless networks.

While some organizations seek to ban the technology, others search for the right mix. Take the Defense Information Systems Agency (DISA), where Blackberries are used. DISA is a peacetime and wartime combat support agency responsible for planning, developing, operating, and supporting command, control, communications, and information systems, serving the Department of Defense.

"Wireless is a big concern to us because security has not been addressed very well. We have folks carrying around devices that transmit, in the clear, sometimes through other countries, and we’re very sensitive to how much of that is sensitive. So we’re looking there at some investments in the wireless space. We know folks are going to use it—because it’s convenient and easy to use," says Dawn Meyerreicks, DISA’s chief technology officer.

DISA is looking at how it can better secure those easy-to-use devices that users crave while restricting how they use them in the interim.

At the Federal Reserve, when it comes to utilizing a popular device, "We’re saying we can use it, because here’s the business need, but here’s how to use it, meaning there are certain uses that are allowed, but there are others that are excluded," says Wade. Sometimes securing wireless devices is as simple as telling users what they can’t use them for. For instance, "sensitive e-mails" are out.

Workarounds for Now
IT can’t just sit and wait. META Group predicts that it might be 2004 or 2005 before off-the-shelf wireless network products will seamlessly integrate into the network, using specialized gateways to solve security, roaming and other problems. Until then, it’s up to security and IT managers to devise workarounds.

In the interim, plan to upgrade all wireless LAN rollouts commensurate with security improvements. The imminent rollout of the 802.1x standard will require authentication before granting access, though it has flaws. The upcoming 802.11i specification—not yet finalized—will allow use of the AES encryption algorithm, making Wi-Fi much stronger.

But 802.11i is a year or two away, and it will require new hardware to handle encryption so network data doesn’t slow.

Eight Steps to More Secure Networks
The bottom line is that Wi-Fi, whether deployed maliciously or not, can compromise a company with even the most highly paid security experts and the best security hardware or software. "Can you secure yourself against a $150 wireless device bought from RadioShack?" asks Hassick.

Yes, you can.

Start with the following eight steps for securing an enterprise against wireless insecurity:

1. Decide what kind of Wi-Fi network you want.
When setting up a wireless network using 802.11b, Hassick says there are two approaches.

"You can try to lock down every aspect of 802.11b, or you can set it up knowing anyone can jump onto the wireless side," he says. In other words, it’s free for all who can find it. "You don’t trust anybody, and in order to get into something trusted, you have to furnish credentials."

For instance, IT managers can use SSL on the Web server as a gateway between its wireless users—considering them "untrusted"—and the corporate goods. In effect, IT puts the onus on wireless network users to prove that they should be there.

2. Articulate policies.
Articulating to employees proper wireless usage policies, especially if your organization trades in sensitive information (and who doesn’t?), will help secure the organization.

3. Create a wireless-activity baseline by sniffing around.
Companies need to proactively search for wireless installations, create a baseline, then repeat frequently.

"I would like to see people do it at least three times a year, and you don’t have to get all that elaborate," says Hassick.

The goal: to find and properly configure new non-IT-installed 802.11b setups.

The hardware investment in sniffing equipment is minimal—take an old 486 laptop, give it a Wi-Fi card, install NetStumbler or Kismet (for Linux), and "you’ve got a really cheap Internet sniffer," remarks Hassick. "Just walk around and see what’s leaking."
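
The baseline-and-repeat check in step 3, as an added example that is not part of the original article: a short Python script compares a new walk-around survey with the stored baseline and lists access points that are new, missing, changed, or running without WEP. The CSV column layout, the BSSIDs and the SSIDs are constructed for this example and are not the export format of NetStumbler or Kismet.

```python
import csv
import io

# Constructed sample data. The column layout is an assumption for this example,
# not the export format of any particular survey tool.
BASELINE_CSV = """bssid,ssid,channel,wep
00:11:22:33:44:01,corp-wlan,1,on
00:11:22:33:44:02,corp-wlan,6,on
00:11:22:33:44:03,corp-guest,11,on
"""

SURVEY_CSV = """bssid,ssid,channel,wep
00:11:22:33:44:01,corp-wlan,1,on
00:11:22:33:44:02,corp-wlan,6,off
66:77:88:99:AA:01,linksys,6,off
"""

def load_survey(text):
    """Parse one walk-around survey into {bssid: row}, normalising BSSID case."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["bssid"].strip().lower(): r for r in rows}

def compare_to_baseline(baseline, survey):
    """Return findings for follow-up, grouped by kind."""
    findings = {"new": [], "missing": [], "changed": [], "wep_off": []}
    for bssid, row in survey.items():
        if bssid not in baseline:
            findings["new"].append(bssid)  # not installed by IT, or not yet recorded
        else:
            diffs = [k for k in ("ssid", "channel", "wep") if row[k] != baseline[bssid][k]]
            if diffs:
                findings["changed"].append((bssid, diffs))
        if row["wep"].lower() != "on":
            findings["wep_off"].append(bssid)  # needs reconfiguring even if approved
    findings["missing"] = sorted(set(baseline) - set(survey))
    findings["new"].sort()
    findings["wep_off"].sort()
    findings["changed"].sort()
    return findings

def run_example():
    return compare_to_baseline(load_survey(BASELINE_CSV), load_survey(SURVEY_CSV))

if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {items}")
```

A BSSID that matches the baseline is not proof the access point is legitimate, since addresses can be spoofed; treat the comparison as the starting point for the signal tracking in step 6.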

4. Inventory all RIM-type wireless devices monthly.
Breaking Blackberry Enterprise Edition encryption is difficult, but stealing the device is a much simpler way to gain access to corporate information. The same goes for all other devices—laptop, desktop, Palm OS, PocketPC OS, etc.—capable of accessing the corporate network, whether wireless or not.

Wireless Security Resources

SANS: An Overview of Bluetooth Security: http://rr.sans.org/wireless/bluetooth.php

Wireless Insecurities: Control mobile computing vulnerabilities before they get control of you: www.infosecuritymag.com/2002/jan/cover.shtml

802.11 Security: www.wirelessdevnet.com/articles/80211security/index2.html

NIST Construction Automation Program Report No. 3: Electromagnetic Signal Attenuation in Construction Materials: http://fire.nist.gov/bfrlpubs/build97/art123.html

Wi-Fi: www.wi-fi.com/

War driving: www.wardriving.com

The Unofficial 802.11 Security Page: www.drizzle.com/~aboba/IEEE/

Wi-Fi Access Points: http://80211hotspots.com

5. Turn down the RF volume.
Limit the amount of RF spilling out of your building by literally dialing down the power output of wireless devices.

Many enterprise Wi-Fi cards and base stations allow this. In addition, lower outsiders’ ability to listen in or gain network access by placing Wi-Fi antennas wisely, and using directional antennas where possible to reduce RF spillage.

You can also shield buildings through appropriate architectural and renovation techniques, according to an article titled "Electromagnetic Signal Attenuation in Construction Materials" (see "Wireless Security Resources").

Thoughtful placement of network closets deep inside the building, grounding interior walls with metal studs, and using metallic-doped paints on the building exterior are other ways of attenuating RF leaks.

A side benefit, notes Hassick, is that greater shielding results in less outside RF interference with the internal network, and reduces the denial-of-service threat, by which a wireless network can be overloaded with bogus RF traffic. However, shielding can compromise cell-phone signal strength.

6. Track down signals.
When there is evidence of a rogue access point, the only information you’ll have is a large, rough geographic area within the building. To actually root out the device, Hassick recommends using antennas that receive narrower and narrower beams until you track down the offending hardware.

7. Implement new wireless security standards as fast as they become available.
Though it may be expensive, upgrade to new Wi-Fi standards (e.g. 802.1x, 802.11i) as soon as they become available. Also keep patching; wireless LAN firmware fixes continue to obviate many current attacks.

8. Watch the "war drivers."
Keep abreast of "war driving" Web sites that list open, accessible Wi-Fi networks.