From laboratories to lugers, the security of wireless LANs is being
scrutinized. Is this only a bump in the road of the meteoric rise of
Wi-Fi, or is something inherently flawed with the popular technology?
If you ask Brian Grimm, a spokesman for the Wireless Ethernet
Compatibility Alliance, the 140-member trade group supporting Wi-Fi,
recent reports of 802.11b being banned or restricted is the natural
evolution of the wireless technology.
Researchers who earlier this month revealed faults in new 802.11x
Wi-Fi security call WLANs insecure.
In January, the U.S. Department of Energy’s Lawrence Livermore
National Laboratory, responsible for much of the nation’s weapons
research, temporarily extended a decades-old ban of wireless devices
in classified areas to ban the “deployment and use of all wireless
computer local area networks (LANs)” in unclassified areas.
While just two WLAN sites were effected by the ban, Lawrence
Livermore said the restriction would continue pending completing a
review of security risks posed by wireless LANs. The ban, put in
place Jan. 31, remains in effect, says Lawrence Livermore spokesman
David Schwoegler.
WLANs took another hit when several security firms reported in
January that wireless systems used at airports from San Jose to Boston for
bag matching and curbside check-in were operating without any
security. Although airlines downplayed the security risk, the U.S.
Department of Transportation has launched an examination of wireless
LANs used by airlines.
The International Olympic Committee (IOC) Feb. 15 was forced to
knock down reports stating that it would ban the use of wireless networks during
future games. An IOC spokeswoman told reporters that Wi-Fi LANs could
be used before the 2008 games, if security issues were resolved.
While Wi-Fi wasn’t used by officials during the 2002 Winter
Olympics in Salt Lake City, Utah, biathlon teams used 802.11b
transmitters strapped to their ankles to keep player and coaches in
sync. News organizations, such as Reuters, employed Wi-Fi connections
to send photos and stories from mountain-top venues.
To cap off all the security worries, University of Maryland
professor William Arbaugh Feb. 14 announced Wi-Fi and
802.1x security flaws. Wi-Fi using 802.1x is the security protocol set to replace the notorious WEP (Wired
Equivalent Privacy) security measure.
Grimm says WEP is a broken security solution that should be used to protect
data of only minimal importance. The future of Wi-Fi security rests
with TKIP (Temporal Key Integrity Protocol), says WECA. TKIP quickly
changes WEP encryption keys about every 10,000 packets. With WEP, a
single key encrypted an entire WLAN conversation.
TKIP, set to become available in the second quarter, is compatible
with current WLAN products and is upgradeable through a software
patch.
The National Institute of Standards, the U.S. governmental body
that funded Arbaugh’s research into 802.1x, uses AES (Advanced
Encryption Standard) as the nation’s official security protocol
protecting unclassified information. AES will be available to WLAN
users early in 2003, according to WECA.
AES for wireless devices requires additional hardware to be used
in WLANs. Co-processing chips are needed to share the encryption and
decryption of data. Without a co-processor, WLANs would slow. Also
hampering the introduction of AES is the need for new Wi-Fi cards for
each device.
In the meantime, WECA’s Grimm advises WLAN systems use Virtual
Private Networks to create secure ‘tunnels’ for important data. Wi-Fi
is not invulnerable. Says Grimm: “Even Microsoft releases monthly
security updates.”