EVERYTHING YOU NEED TO KNOW ABOUT WiFi IN 400 WORDS OR LESS

Well, here's a tad of trivia that will move any high-tech wallflower to the center of attention at any elite gathering. Question: When was the first Wireless Network deployed? 1995 (WRONG). 1987 (NOPE). 1982? (huh-uh). The answer is 1970. It was called ALOHANET ( http://en.wikipedia.org/wiki/ALOHA_network ), and it anticipated many of the core network protocols in use today, including Ethernet and Wireless Fidelity (aka WiFi �).

If that piece of intoxicating trivia won't produce a collective drool of golden sterlet caviar, nothing will. If you can recite the trivia I provide in these columns without making yourself look like you once had a bit part in a Cheech and Chong movie, you'll make every A-list from Wall Street to Hollywood. Trust me on this. Jeannie Caruso and I are even talking about a converting this concept into a mini-series for the Discovery Channel: “Survival IT: last nerd standing.” But I digress.

Basically, the flavor of digital wireless technologies that we're likely to be most concerned about in our enterprise are Personal Area Networks (PANs) and Wireless Local Area Networks (WLANS). Both are widely used in business. Both are saddled with insecurities.

THE ROSETTA STONE AND WEP ENCRYPTION

Champollion showed that comparing fragments of an understood plaintext (Ancient Greek) with an encoded text (demotic or hieroglyphic) could be used to reveal the correspondences . Hmmm, I wonder if there isn't an analogy somewhere out there in cyberspace.

How's this? The WiFi standard for encryption is called Wired Equivalent Privacy (WEP). Since it's built into the WiFi standard, it comes free with WiFi appliances. (Even though it's free, it's overpriced.)

There are two common varieties of WEP based on key length: 40-bit (standard) and 104-bit (extended). However they're called 64-bit and 128-bit encryption because the vendors want us to think that WEP is more secure than it is. The additional 24 bits in both case comes from a 3-byte sequence that is prepended to the key. This sequence is called an initialization vector, or IV for short. I tell my clients that IV stands for “invasive vermin.”

The core algorithm of WEP is RC4, but the implementation of WEP is fundamentally flawed: it's both poorly designed and feebly implemented, but other than that it's a nice piece of work☺. WEP is to wireless security what the Tacoma Narrows Bridge is to landmark engineering failures. Both are case studies in how not to do things.

The essence of the weakness is the feeble way that the WEP designers approached the age-old key distribution problem. Encryption requires the use of keys to obscure the message. But somehow the keys, or means to re-generate the keys, must be shared by sender and receiver. The WEP designers decided to handle key management by sending the initialization vector and the key ID in plaintext in the management frame of the message sequence (Figure 1).

Figure 1: The Management Frame of an Encrypted WiFi Message. Note that the WEP initialization vector, the WEP key ID and the 40-bit encryption format are all broadcast in plaintext for any hacker sniffing the wireless traffic to intercept.

Not content to leave good enough alone, the WEP designers implemented a version of RC4 that is hobbled. Whenever the middle byte of the initialization vector is all ones (0xff), the byte of ciphertext pointed to by the first byte of the initialization vector is exactly the same as in the message text - it's just a matter of comparing the two (pieces of text (ala Champollion and the Rosetta Stone). This is called a weak IV. In 'geek speak' we say that a weak IV has a format of B+3::ff::X (where B is the byte of the key to be found, ff is the constant 255, and X is irrelevant).

IS WiFi READY FOR PRIME TIME?

Take a look at Figure 2. This is a screen shot of casual sniffing of WiFi traffic from one of my offices on Las Vegas Blvd. The column “BSSID” is the internal ID of the wireless appliance. The columns of greatest relevance are “WEP” and “Interesting.” When the entry for WEP is not “Y,” it means that the wireless network isn't using WEP encryption, so everything is in plaintext - email, Web pages, database commands, --- everything! Interesting packets are those with “weak” IVs discussed above. The PW columns would be passwords that are disclosed during the normal interflow of packets. Bear in mind that this is only 45 seconds of traffic that wafted into my office. What is more important, every encrypted message from these wireless sites is vulnerable to attack - and most aren't even encrypted!

Figure 2: Sniffing WiFi on Las Vegas Blvd with AirSnort. The column marked “interesting” betrays the weak keys. A rule-of-thumb is that wireless hacking tools require only a few megabytes of “interesting” packets in order to break the key.

WiFi SECURITY AND DIGITAL RISK MANAGEMENT?

Wireless is here to stay. At the moment, however, it's radically over-deployed. This is in equal parts a result of convenience and a desire to be perceived as “current.” Unfortunately, recent legislation like Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley presents a real-and-present-danger to executives who underestimate the potential threat of insecure wireless. Given the inherent vulnerabilities in WiFi, a good starting strategy is to assume that all wireless traffic is printed and left in public areas for all to see. If your organization doesn't mind if that traffic is read, there's no problem. On the other hand...

This actually leads me to a topic that comes up a lot in my consulting work. Wireless security has less to do with technology than it does with risk management. CIOs and IT CSOs typically understand this point. It's lost on most CFOs and CEOs that I've worked with.

The fault actually lies on the IT side of the ledger. IT executives and managers have all-too-often tried to justify WiFi security (for that matter, all computer and network security) to CFOs and CEOs by means of a technology mandate. That's the wrong way to look at it. WiFi security is best justified as a risk management mandate. Conceptually, digital security of digital assets is no different than physical security of physical assets.

Now that we've closed most of our modem banks, WiFi has become the greatest security breach in our organization. Eventually, WiFi will become as secure as LAN-based communications. But until that time, it's incumbent on the CIO to focus on the risk, not the glitz, if we're to safely control the growth of WiFi so that the organization and it's customers remain both well-served and secure.

So anyone may be listening to your WiFi traffic. Remember, it's not paranoia if it's true!

by Hal Berghel