On a slow news day, you can always go “war driving.” Thats what Mike Outmesguine did in an 800-mile drive down the California coastline in an Associated Press story this week. About 40 percent of the networks he detected from the laptop on the passenger seat of his Toyota 4Runner were not secured.
The news here, folks, is that this is not news. That 40 percent has hardly budged since PC Magazine did its first war-driving investigation into wireless LAN (WLAN) security more than two years ago.
Does that mean were as insecure now as we were then? Are we wireless warriors computing blindly in the wild? Are our transmissions really just out there for everyone to see?
Dont ring the alarm just yet. My apologies to Benjamin Disraeli, who said there are three kinds of lies: lies, damned lies and statistics. And what we have here are statistics.
Time and the law dont allow joyriding war drivers to truly access all of those networks to see whether they really are insecure. What you get from a war-driving report is rarely more than a surface glance.
It tells how many networks are not running the native, over-the-air security mechanisms built into 802.11 devices. But this does not necessarily mean that theyre not running security at all.
Detecting “open” WLANs by using a laptop, sniffing software such as NetStumbler and an antenna mounted atop a vehicle can identify networks that have not implemented Wired Equivalent Privacy (WEP) or the much stronger and much more secure Wireless Protected Access (WPA) that you get in newer devices.
But can WEP even be called security? If anyone out there has not heard about WEPs many vulnerabilities, please raise your hand.
Most enterprise networks gave up on WEP long ago, and the tools they do use to secure wireless network segments cant be detected by casual war drivers. Unless a war driver actually associates with a WLAN and gets an IP address, he cant really draw valid conclusions about the networks security. Any one of a number of other things might be going on.
At the simplest level, a network manager can restrict Media Access Control (MAC) addresses to allow only known wireless devices onto the network.
The technique is not practical in large enterprises with lots of devices to track, but it is realistic for the small or home office, and lots of integrators who sell and manage small WLANs do it.
Enterprises can—and usually do—deploy 802.1X user authentication to require users to enter user names and passwords before theyre given network access.
And if they have legacy WEP devices that cannot be upgraded to WPA, they can secure data transmissions on the wireless segments of their networks with Virtual Private Networks (VPNs).
Truths and Fictions
Then, too, there are times when wireless networks are left open by design. The number of public Wi-Fi hot spots is growing at a rapid pace. For better or for worse, hot-spot operators function on the assumption that users who need the security will open VPN tunnels to their corporate networks once they log on. Its not the best policy, but who can blame them?
Public hot spots are cropping up everywhere, from fast-food hamburger stands to truck stops, and its just not practical for folks at the lunch counter to be handing out passwords to customers and reconfiguring their WLANs to accept them.
Thats not to say that war-driving reports should be ignored. Even if their statistics exaggerate the case, theres a troubling truth behind them: The best security mechanisms cannot protect anyone who doesnt enable them.
The Wi-Fi Alliances adoption of WPA as a standard for certification last year closed the holes that WEP left open in WLAN security.
And by years end, the Institute of Electrical and Electronics Engineers is expected to ratify the 802.11i standard, which brings much stronger security to 802.11 devices.
Last week at CeBIT, I caught up with Colin McNabb, CEO of wireless chipmaker Atheros Communications Inc., who bravely predicted that “11i is going to solidify security standards once and for all.”
The Advanced Encryption Standard (AES) called for in 802.11i has been approved as the Federal Information Processing Standard (FIPS)and has been adopted by the U.S. Department of Commerce and the National Institute of Standards and Technology (NIST). Atheros and other chipmakers have already begun building in AES support.
But the vendors who build those chips into their devices typically ship them with security turned off in the default configuration to make them easy to install. Deploying that security is not always tough for users to do but, as Outmesguines friends experience shows, its also not always easy.
Also, studies have shown that the preshared key used in WPA will be vulnerable to dictionary attacks if users choose an easily remembered password that can be easily deciphered. (Hint: Instead of a password, use a passphrase that includes numbers and symbols.)
It wont be until the industry finds an easy way to ensure that security is implemented in the default configurations of WLAN devices that the war-driving reports will go away.
Until then, they serve as a reminder to all of us that we should take the job of wireless security seriously. Good fables usually do contain great truths.