Your Wireless LAN Can Be Hacked

LAS VEGAS -- A cryptologist who helped discover several gaping holes in the international wireless LAN standard and the encryption algorithm meant to protect such networks this week detailed the vulnerabilities that could be leaving corporate systems open to hackers.

Ian Goldberg, who now works for Montreal-based security and privacy software vendor Zero-Knowledge Systems, was one of three researchers at the University of California, Berkeley, who uncovered the flaws in the IEEE 802.11 wireless LAN standard earlier this year. The group published a report on the findings in February, and Goldberg made one of his first public appearances about the issue at the annual Black Hat Briefings conference here.

Hardware and software vendors use 802.11 to develop wireless Ethernet cards, and the Wired Equivalent Privacy (WEP) algorithm is designed to provide the same level of security for wireless devices as a physical network cable does. But Goldberg says he and his fellow researchers "have demonstrated attacks on WEP that defeat each of the security goals" it was designed to address.

That includes data confidentiality, network access control and data integrity, says Goldberg, who showed slides containing the mathematical proof that such exploits are possible to an applauding crowd of hackers and IT security pros. "We can read WEP-protected traffic, we can inject traffic onto WEP-protected networks, [and] we can modify WEP-protected data," he says.

Protect Your Data

To counter this threat, Goldberg and other security experts at the Black Hat conference recommend that companies use additional authentication systems, such as virtual private networks or the IPSec security protocol, before allowing data to cross from a wireless network to an intranet or other corporate system.

"WEP is assumed to be cracked now," says Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems in Atlanta. "If you watch enough good traffic on a WEP network, you can crack everything in about 12 hours." To protect themselves, he said, companies should use personal firewalls or intrusion detection systems on their wireless LANs.

Goldberg says malicious hackers often can simply park their cars in a company's parking lot and essentially become a node on its wireless network--a technique known as authentication spoofing. "Unlike physical cables, it's really difficult to control how far radio waves go," he said, adding that hackers also can pick up wireless LAN signals while driving around.

Mandy Andress, president of security consulting firm ArcSec Technologies agrees that WEP is particularly vulnerable to hackers in cars. Andress said there have been cases in which car-based attackers used parabolic dishes to pick up wireless network signals from distances as far as eight miles away.

Beware the Cipher

One of the most significant problems found in the WEP algorithm includes weaknesses in the way it encrypts packets of data using a stream cipher. Through a series of computations, according to the Berkeley researchers, hackers can eventually uncover the plain text of certain messages and use those packets to intercept and decode other messages that were encrypted with the same key--a maneuver referred to as an Initialization Vector packet collision.

In addition, Goldberg says, many commercial wireless Ethernet cards are vulnerable to hacks stemming from the use of the same encryption key by all mobile LAN clients. "Attackers just need to know a single plain text packet and its corresponding encrypted packet," he says. Having that information could allow them to do things such as inject packets of data that contain fraudulent dollar amounts into financial transactions, Goldberg adds.

Vendors have been taking steps to improve wireless LAN security, and some network managers interviewed earlier this year said they're aware of the problems with the technology and are beefing up their defenses in response. But they also said the report issued by Goldberg and his colleagues highlights the dangers inherent in wireless LANs.