
The ‘Michael’ Vulnerability

Written By
Adam Stone
Dec 12, 2002

Could it be that the forthcoming Wi-Fi Protected Access (WPA) is too protected?

The new 802.11 security enhancement has not even hit the streets yet, and already
some knowledgeable observers are saying that WPA is going to be especially vulnerable
to denial of service (DoS) attacks.

WPA uses a series of mathematical algorithms to authenticate users. If a user
tries twice to get in, sending two packets of unauthorized data during a one-second
period, the system assumes it is under attack and shuts itself down. The shut-down
is meant to thwart attack, but could itself become the means of an attack by
a hacker who sends vast quantities of unauthorized data, thus triggering an
ongoing series of shut-downs.

The idea behind this kind of attack is not new: It is possible to jam any wireless
network by throwing at it an intense signal, one so strong it blocks out everything
else on that band. But a powerful transmitter is needed for that kind of attack,
making the attacker vulnerable to discovery. An attack on WPA, on the other
hand, requires far fewer packets and could thus be carried out with relative
stealth.

Niels Ferguson designed “Michael,” the security function that triggers
the shut-downs. He says there is no reason to single out this particular vulnerability.
“Like every wireless network technology, 802.11 with WPA is vulnerable to a
DoS attack. This is a significant threat to the reliability of the network in
a hostile environment, but it is not WPA-specific,” he says.

He argues that WPA reduces the overall risk, but stresses that the 802.11 protocol
is fundamentally weak. Using a wireless network for mission-critical data “is
plain stupid. Using it for life-critical data is criminally negligent,” he said.

While one might suppose that Ferguson has pride of ownership when it comes
to the Michael vulnerability, there are plenty of people in the wireless community
who support his view.

“All radio 802.11 is inherently subject to denial of service attacks,” says
Donald E. Eastlake III, author of the book Secure XML: The New Syntax for
Signatures and Encryption and co-chair of the joint IETF/W3C XML Digital
Signature Working Group. He notes that these attacks may not even be
intentional. As an unlicensed band,
“802.11 can be interfered with, resulting in reduced or denied service, by legitimate
cordless telephones, garage door openers, Bluetooth, radar,” and so on. That
being the case, he says WPA “is not significantly more vulnerable to DoS attacks
than is WEP or unsecured 802.11.” WEP, of course, is Wired Equivalent Privacy,
the much derided security encryption currently found in wireless networks.

Others say that logic does not cut it. The Michael vulnerability “is significant,”
according to Arnold Reinhold, a consultant and author of The Internet for
Dummies Quick Reference, 8th Edition and E-mail for Dummies, 2nd Edition.
This type of attack “is unique to WPA, easy to mount, and is
very stealthy — only two packets need to be transmitted every minute. Even
with sophisticated direction finding gear, it would be hard to track down the
perpetrator.”
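
An added model of the shutdown behaviour described above (not code from the article or from any WPA implementation): it counts integrity-check failures the way the article describes, shows what share of an hour is lost at the rate Reinhold cites, and includes a check an operator could use to tell back-to-back shutdowns from an isolated one. The 60-second shutdown length, the 5-second slack and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_S = 1.0    # article's figure: two bad packets within a one-second period
LOCKOUT_S = 60.0  # assumption: shutdown length, chosen to fit "every minute"

@dataclass
class Countermeasure:
    window: float = WINDOW_S
    lockout: float = LOCKOUT_S
    last_failure: Optional[float] = None
    down_until: float = 0.0
    shutdowns: List[float] = field(default_factory=list)  # shutdown start times

    def integrity_failure(self, t: float) -> None:
        """Record one frame that failed the integrity check at time t (seconds)."""
        if t < self.down_until:
            return  # already shut down, so the frame is never examined
        if self.last_failure is not None and t - self.last_failure <= self.window:
            self.down_until = t + self.lockout
            self.shutdowns.append(t)
            self.last_failure = None
        else:
            self.last_failure = t

def simulate(failure_times, horizon, window=WINDOW_S, lockout=LOCKOUT_S):
    """Return (fraction of `horizon` seconds spent shut down, shutdown starts)."""
    cm = Countermeasure(window=window, lockout=lockout)
    for t in sorted(failure_times):
        cm.integrity_failure(t)
    down = sum(min(s + lockout, horizon) - s for s in cm.shutdowns if s < horizon)
    return down / horizon, cm.shutdowns

def sustained(shutdowns, lockout=LOCKOUT_S, slack=5.0, min_run=3):
    """Defender check: did min_run (>= 2) shutdowns each start within `slack`
    seconds of the previous one ending? Isolated shutdowns do not match."""
    run = 1
    for prev, cur in zip(shutdowns, shutdowns[1:]):
        run = run + 1 if cur - (prev + lockout) <= slack else 1
        if run >= min_run:
            return True
    return False

# Constructed inputs (not measurements): a pair of bad frames every 61 s for
# an hour, versus three unrelated single failures.
PAIRED = [61.0 * k + d for k in range(59) for d in (0.0, 0.5)]
ISOLATED = [10.0, 500.0, 1500.0]
```

With these constructed inputs, `simulate(PAIRED, 3600.0)` reports the network down for 3540 of 3600 seconds from 118 frames, while the isolated failures cause no shutdown at all.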

Given this situation, Reinhold suggests that the DoS vulnerability presents
a clear danger, especially given the growing corporate dependence on wireless
networks. “Wi-Fi use is exploding, and vendors are expecting WPA to enable even
more critical applications,” he noted.

While 802.11 use may be growing, corporate executives are nervous about the
risks involved. In a recent survey by network-security firm ReefEdge,
73 percent of IT managers surveyed listed security as their biggest concern
with wireless LANs.

So, what's to be done about the WPA vulnerability?

On this the technical community is unanimous: Nothing much.

For example, an administrator could simply stick with WEP and not bother with
WPA. That solves the Michael problem, but you would lose WPA's other security
benefits, and “you would, of course, still be subject to all the other 802.11
DoS threats,” said Eastlake.

At this point, most interested parties are viewing WPA as a stopgap measure.
As a subset of the forthcoming 802.11i security standard being developed by
the IEEE, it’s better than WEP, but it is by no means the
last word in wireless-network security.
