Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Wireless LANs Dealt New Blow

    By
    Carmen Nobel
    -
    August 13, 2001
    Share
    Facebook
    Twitter
    Linkedin

      A new attack that can compromise the encryption cipher used on wireless networks has many users and security experts questioning the future of a technology that has long been touted as the future of enterprise computing.

      The latest blow to the already shaky security reputation of WLANs (wireless LANs) is the worst one yet. The attack, devised by three well-known cryptographers and re-created successfully by a team of AT&T Labs researchers, enables an eavesdropper to capture a small amount of network traffic and recover a users secret key in less than an hour.

      “This is the last straw for WEP [Wired Equivalent Privacy],” said Adam Stubblefield, a summer intern at AT&T Corp.s famed lab in Florham Park, N.J., who wrote the code used to compromise WEP. “WEP is basically useless.”

      While WLAN vendors scrambled to do damage control and assess the implications for their products last week as word of the attack leaked out, users sounded a uniformly grim note on WEP and WLAN security.

      “To be honest, security was a low consideration [when we built our WLAN] considering what it was to be used for,” said Gary Moore, assistant dean for IS at Hofstra University School of Law, in Hempstead, N.Y., which has a WLAN that its law students use to access e-mail and law databases. “[But] if I were building a new building, security would be the No. 1 concern, especially after this [attack].”

      WLAN gear vendors have always maintained that WEP is insufficient, and they recommend that users augment the protocol with extra layers of security, such as a VPN (virtual private network) or a secure shell. In fact, vendor confidence in WEP is so low, the encryption is turned off by default on all access points when they are shipped.

      But, in practice, many users simply use the gear in its out-of-the-box configuration and dont bother to pair it with a VPN or other more secure technologies.

      Some users, however, have found it necessary to use alternative encryption schemes.

      “WEP was not on by default,” said Steve Durst, co-founder of Skaion Corp., a North Chelmsford, Mass., security vendor that recently installed a WLAN. “The truly important things, like X Window and the Unix Shell, I encrypt anyway, so WEP is superfluous.”

      Meanwhile, WLAN advocates defended the technology and said that while the new attack is a problem, its not insurmountable.

      “Well probably see some short-term impact, but this is the natural evolution of the security process,” said Dennis Eaton, vice chairman of the Wireless Ethernet Compatibility Alliance, of San Jose, Calif., which promotes the 802.11b standard and compatibility among various WLAN products. “The sky is not falling.”

      Although there are several efforts under way to improve upon WEP or replace it with a more secure protocol—including one that would substitute the new Advanced Encryption Standard for RC4—they are a long way from implementation. And one of the proposed standards, known as WEP2, is just as vulnerable to this new attack as is the existing protocol, according to security experts.

      The flaws that the new attack exploits are in the key scheduling algorithm of the RC4 cipher on which WEP is based. Using little more than a notebook PC with a wireless network card, an attacker would need only to eavesdrop on a small amount of WLAN traffic and then perform some number crunching to decipher a users secret key.

      And, unlike some other attacks, the length of the key makes little difference in the attacks success, as the complexity of the operation grows linearly instead of exponentially in relation to key size.

      The paper disclosing the vulnerability in RC4, “Weaknesses in the Key Scheduling Algorithm of RC4,” was written by Adi Shamir and Itsik Mantin of the Weitzmann Institute, in Israel, and Scott Fluhrer of Cisco Systems Inc., in San Jose, three of the best-regarded cryptographers in the world.

      The authors will present their work at a cryptography conference in Toronto this week.

      Although there have been two other widely publicized papers detailing attacks on WLANs, this one details an attack that is much more efficient and potentially devastating to users of wireless networks, experts said.

      “This is really bad,” said William Arbaugh, an associate professor of computer science at the University of Maryland, in College Park, and co-author of another paper on security problems with WEP. “With currently deployed equipment, the security on these networks is such that you might as well say there isnt any security.”

      Carmen Nobel
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×