June 3, 2004 By Blake Harris
Wi-Fi Planet Expo -- a tradeshow for WLAN vendors held in San Jose, Calif., last December -- turned into a battlefield for wireless hackers to exhibit their advancing tools, according to AirDefense Inc., a WLAN security company.
The expo also demonstrated how many Wi-Fi vendors and users remain fairly naive regarding Wi-Fi security.
In a single day of monitoring the show's Wi-Fi networks, AirDefense observed 21 attempted "man-in-the-middle" attacks, which sought to break the secure connection of a virtual private network by injecting an intruder between a wireless station and the access point.
Of these 21 attacks, 16 were successful.
The company also identified another 33 advanced attacks at the show that sought to breach a WLAN's authentication processes by attacking the authentication server or breaking an authorized user's password by "brute force." Additionally, it discovered 75 denial-of-service attacks targeted at specific access stations. It also revealed 125 attempted identity thefts carried out by spoofing a station's media access control (MAC) address. The company reported numerous other forms of attacks as well.
While the trade show was a plum hacker target, the number of attacks in one day illustrates just how busy Wi-Fi hackers can be these days. Anyone running a Wi-Fi network using the older Wi-Fi security standard -- wired equivalent privacy (WEP) -- is just asking for trouble if security is an issue. The readily available hacker tools largely seek to exploit WEP's security weaknesses.
Where confidential data is accessible through a Wi-Fi network, security must be a big concern. In November 2003, three young men were indicted in North Carolina for allegedly conspiring to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured Wi-Fi network at a store in suburban Detroit.
Reportedly they stumbled on the network while driving around with laptop computers searching for wireless Internet connections, and only later hatched a plot to steal credit card numbers.
Addressing WEP Vulnerabilities
The problem with WEP is that it simply was not designed to withstand attack by sophisticated hacking tools. In the WEP 802.11 standard, all access points and client radios on a particular WLAN use the same encryption key. Each sending station encrypts the body of each frame with this key before transmission, and the receiving station decrypts it using an identical key.
These keys are cumbersome to change, especially on a larger network, as each access point and radio network interface card must be manually configured with new common keys. If these keys are not updated regularly, a hacker with a sniffing tool like AirSnort or WEPCrack can monitor a network for less than one day and then decrypt messages. In practice, many WEP networks use the same key for a considerable period of time, making them even more vulnerable to hackers.
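A toy model of the per-frame shared-key scheme just described, added here as an example and not code from the article or from AirDefense: RC4 keyed with the 24-bit IV plus the static shared key, a CRC-32 integrity check, a receiver that decrypts with the same key, and a defender-side audit that flags IV reuse in captured frames. The key, BSSID labels and frame contents are constructed, and the IV-collision count is a simulation, not a measurement.

```python
# Toy WEP model (added example, not the article's or AirDefense's code): RC4 keyed
# with IV || static shared key, CRC-32 ICV. Keys, BSSIDs and frames are constructed.
import random
import zlib
from collections import Counter

IV_SPACE = 2 ** 24  # WEP's per-frame initialization vector is only 24 bits

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), the stream cipher WEP is built on."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: int, body: bytes) -> tuple:
    """One frame: 3-byte IV sent in the clear, RC4(IV || key) over body || CRC-32 ICV."""
    iv_bytes = iv.to_bytes(3, "big")
    icv = zlib.crc32(body).to_bytes(4, "little")
    return iv_bytes, rc4(iv_bytes + shared_key, body + icv)

def wep_decrypt(shared_key: bytes, iv_bytes: bytes, ciphertext: bytes):
    """Receiver side: same static key, IV read from the frame; None if the ICV fails."""
    plain = rc4(iv_bytes + shared_key, ciphertext)
    body, icv = plain[:-4], plain[-4:]
    return body if zlib.crc32(body).to_bytes(4, "little") == icv else None

def audit_iv_reuse(frames):
    """Defender-side check over captured (bssid, iv_bytes) pairs: an IV seen twice
    under one static key means two frames were encrypted with the same keystream."""
    counts = Counter(frames)
    return {k: n for k, n in counts.items() if n > 1}

def frames_until_iv_repeat(seed: int = 1) -> int:
    """Simulation: frames with randomly chosen IVs a monitor sees before the first repeat."""
    rng, seen, n = random.Random(seed), set(), 0
    while True:
        iv = rng.randrange(IV_SPACE)
        n += 1
        if iv in seen:
            return n
        seen.add(iv)
```

With random IVs the first repeat typically arrives after a few thousand frames, far short of the 16 million distinct IVs available, which is why a static key on a busy network is exposed within hours.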
WEP's security problems prompted the Wi-Fi Alliance, a nonprofit international association formed in 1999 to certify interoperability of WLAN products, to develop wireless application protocol (WAP), which addressed some, but not all, of the security flaws in WEP.
Meanwhile, the Wi-Fi Alliance and others began working on an even more secure protocol -- something now called Wi-Fi protected access (WPA).
"As soon as the research reports started coming out pointing out the technical flaws in WEP, the Wi-Fi Alliance very aggressively worked to develop WPA," said David Cohen, chairman of the Wi-Fi Alliance's Security Task Group. "WPA addresses all of WEP's issues. Of course, security is always evolutionary. We will have better security over time. But WPA is a great solution -- useful and deployable now for