WLAN Data on the Loose

Ongoing problems attributed more to lack of security awareness than to failure of wireless equipment.

While an anonymous message on a security mailing list has reignited the hysteria over the security of wireless LANs, IT managers and industry analysts acknowledge that the ongoing wireless security problem has less to do with the equipment's security features than with the users' failure to use them.

The 802.11b WLAN protocol, or Wi-Fi, includes an encryption algorithm known as WEP (Wired Equivalent Privacy). But many users fail to enable it.

"I would argue there is a lack of security awareness in networking," said Jason Smolek, an analyst at International Data Corp., in Framingham, Mass. "Typically, network administrators have not been trained in WLAN."

IT managers who know something about WLANs said security education is turning into a big part of their jobs.

"Most WLAN users don't really understand the open nature of the wireless medium," said Nathan Lemmon, senior technical adviser for wireless systems development at FedEx Corporate Services, a division of FedEx Corp. in Memphis, Tenn., which has deployed wireless networks across several campuses nationwide. "Educating the FedEx corporate user about the peculiarities of wireless is a big part of my job. Security just happens to be the most important aspect of wireless, but that's from the corporation's perspective, not necessarily the users'."

Even enabled, WEP has key exchange problems that can lead to security gaps, and the IEEE is working on a security protocol that may best WEP. But WEP-enabled networks are still more secure than networks without WEP.

Not knowing how to enable WEP, or just not bothering, can lead to trouble.

Recently, someone posted an anonymous message to the Vuln-Dev security list maintained at SecurityFocus.com that recounted a recent trip to a Best Buy retail store to purchase an 802.11b WLAN card for a laptop computer.

The author installed the card and its drivers while sitting in the Best Buy parking lot and immediately noticed that the light on the card indicating network traffic was illuminated. Using a wireless packet-sniffing application called Kismet, the author captured numerous unencrypted packets, which turned out to be coming from Best Buy.

The frenzy has escalated to such a degree that Best Buy Co. Inc., of Eden Prairie, Minn., last week decided to take all its wireless cash registers offline. The cash registers were manufactured by Symbol Inc., which includes basic WEP security in all its WLAN products. But the customer had neglected to turn it on. Best Buy did not return a phone call seeking comment.

"If you don't mind having your internal corporate data published on the front page of The New York Times or Boston Globe, then you don't need WLAN security and encryption," said Kevin Baradet, network systems director at the S.C. Johnson Graduate School of Management at Cornell University, in Ithaca, N.Y., and an eWeek Corporate Partner.

The Vuln-Dev message about the Best Buy hack drew dozens of replies, many from people who reported that they, too, had been able to capture WLAN traffic from the parking lots of some large retailers. Others, however, pointed out that this was an old issue and was well-known among crackers.

Indeed, hacking into insecure wireless networks is nothing new. In fact, some networking companies now sell products that detect insecure networks before a hacker uses a program such as Kismet.

Enterprise security provider Solutionary Inc. recently created a map of Omaha, Neb., that revealed insecure WLANs all over the city.

AirMagnet Inc. late last month introduced a handheld WLAN analyzer that detects a number of problems, including security gaps. Company officials said they used the product to find insecure access points virtually everywhere they went while they were on their product road tour.

The moderator of the mailing list said he has no reason to doubt the veracity of the message.

"Since then, multiple people have confirmed at minimum that lots of the big retailers are indeed using 802.11b," said the list's moderator, who goes by the handle Blue Boar. "Best Buy has done the smart thing by shutting off their wireless until they figure out if they have a problem or not. Someone will probably report in about other retailers."

Security experts say that even if Best Buy or other retailers are broadcasting credit card numbers in clear text, it's the retailer that is exposed, not consumers.

"The impact on the consumer is almost nothing," said Daniel Baley, general manager of wireless networking at Ntru Cryptosystems Inc., a maker of wireless encryption products based in Burlington, Mass. "The customer's liability is $50 on [fraudulent] purchases. But Best Buy clearly has an exposure here."