As Wireless Networks Grow, So Do Security Fears
R. A. Hettinga
rah at shipwright.com
Sat Aug 18 08:41:32 EDT 2001
AUG 19, 2001
As Wireless Networks Grow, So Do Security Fears
By JOHN SCHWARTZ
VI RUBIN did not mean to hack into the hospital's computer network; it
practically begged him to.
Mr. Rubin, a computer security expert at AT&T (news/quote) Laboratories in
Florham Park, N.J., had accompanied his wife, Ann, to the nearby Morristown
Memorial Hospital while she had minor surgery last month. He brought along
his laptop so that he could do some work while she napped during recovery.
But as he sat in her room, he noticed a green light blinking on the card
that he ordinarily used to connect his laptop to the wireless computer
network installed in his home.
The hospital, like many businesses, colleges and even neighborhoods, had
installed its own wireless network - in its case to give employees access
to the computer system anywhere in the building. It had adopted the popular
emerging standard for such networks, known as 802.11b or Wi-Fi; the
hospital's network, apparently set to the most welcoming mode of operation,
automatically granted access to Mr. Rubin's machine.
Mr. Rubin, 33, the author of "White-Hat Security Arsenal: Tackling the
Threats" (Addison-Wesley) a guide to repelling computer security threats,
was surprised, but also worried. He was glad to have the easy Internet
access that the network was offering. On the other hand, he also knew that
with "sniffer" software that he uses to analyze computer networks, he could
monitor every message and file passing through the hospital's wireless
system, presumably including sensitive patient data entered by nurses via
the wireless-equipped laptops they carried from room to room.
"Fortunately, I'm married to a lawyer, who advised me against looking," he
said. Instead, he added, "I enjoyed free high- speed Internet services the
whole time I was in the hospital, but I didn't peek" at the passing network
traffic. After his wife's stay, however, he wrote a letter to the hospital
explaining that it had a "serious security vulnerability."
Robert C. Hendricks, vice president for information systems at Atlantic
Health System, the parent company of Morristown Memorial, said the security
lapse was a "temporary situation," and had occurred as part of a $7
million, yearlong overhaul of the computer networks, with strong security
measures as a priority.
But for many businesses, the lack of security is not temporary. The use of
Wi-Fi is burgeoning: computer users of all types are rushing to install
wireless networks because they offer ease of use and convenience.
Yet most do not even turn on the encryption system that is included in all
network software to protect the broadcast data traffic from being picked up
by electronic eavesdroppers. As businesses shore up their wireless
security, consumers - who can set up wireless networks at home for a few
hundred dollars - are likely to realize that they need to follow suit.
In some places, like neighborhoods and college campuses, part of the idea
is to share or to even give away Internet access in a kind of high-tech
gesture of good will. If those networks are not protected, a result could
be a security disaster, said Christopher W. Klaus, co-founder and chief
technical officer of Internet Security Systems (news/quote). Most networks,
he said, are still wide open.
"We have driven around Atlanta, New York and other places just with a
laptop and an antenna, and we were able to pick up quite a few 802.11
access points," he said. "I'd say 95 percent of them did not have any
Of course, to companies like Mr. Klaus's, the same situation is a potential
jackpot: a whole new set of technologies with flaws that will require
analysis, consulting and sales of new software and hardware.
The fact that wireless networks can be monitored and joined by outsiders is
no surprise. It is, after all, a broadcast medium like radio, television
and cellular phones. But recent disclosures by computer researchers of the
weakness of the built-in encryption system, known as Wired Equivalent
Privacy, has raised new worries about wireless security. Researchers at the
University of California at Berkeley showed that it was theoretically
possible to break the encryption system to read individual messages, though
the process would take many hours. Another team of researchers, including
the renowned cryptographer Adi Shamir, has since outlined a more powerful
theoretical attack that would allow a wireless intruder to learn the master
key to the encryption system and trick the network into thinking that he
was a legitimate user.
Mr. Rubin and Adam Stubblefield, a Rice University undergraduate who was
working as a summer intern at AT&T Labs, put the Shamir hypothesis into
action. In less than two hours, Mr. Stubblefield was able to lay bare a
network protected by Wired Equivalent Privacy technology.
HE most unsettling thing about the exploit, which was carried out with the
knowledge and consent of an AT&T Labs network administrator, was that it
was done passively. Mr. Stubblefield's computer did not try to enter the
network or to make itself known in any way while collecting the necessary
data to divine the key to the network: it just listened, and pieced
together the string of characters necessary to gain full access. If the
software that he wrote to assemble that software "key" were published, Mr.
Stubblefield said, "this is something any script kiddie could do with a
laptop." He added that he and Mr. Rubin were not releasing the program in
publishing their research.
Mr. Rubin said the experiment had changed his views on wireless encryption.
Until the test, he recommended turning on the wireless networks' built-in
encryption system. But now that he and Mr. Stubblefield have shown how weak
that encryption standard is, "I feel the encryption gives a false sense of
security." Mr. Rubin joked that the next time he has to go to the hospital,
"I'm going to ask for the nurse to use pen and paper."
New versions of 802.11 are on the way that will include stronger security
measures. But standard versions of those security technologies will not be
ready until next year at the earliest. For that reason, many security
consultants recommend that companies buy their wireless equipment from
vendors like Cisco Systems (news/quote) that have enhanced security through
proprietary software, even though that could mean locking the company's
future purchases into the wares of a single vendor.
Other consultants recommend that companies building wireless networks
incorporate security into their wireless networks on their own - for the
most part, by extending into the wireless realm security tools that they
are already using in their wired networks. "What we're telling clients,"
said John Pescatore, an analyst at Gartner Inc. (news/quote), a research
firm, is to "treat the airwaves just like you treat the Internet," as a
medium to connect to, but as one that is not to be trusted.
Rudy Bakalov, a security manager at PricewaterhouseCoopers in New York,
said that meant extending the Internet protections that many businesses and
individuals already use, including firewalls, the "virtual private
networks" that help ensure that people gaining access to a company's
systems are authorized to do so, and intrusion detection systems that alert
users when people try to take liberties with the networks. "They already
have that infrastructure in place" for Internet access, Mr. Bakalov said,
"so it's not going to be that much more expensive, anyway."
Some security experts say consumers will have to follow the lead of
businesses in bolstering wireless security. Robert Clyde, chief technical
officer at Symantec, a computer security company based in Cupertino,
Calif., recommended that people who have set up systems in their homes
protect them from intruders with consumer versions of the same software and
hardware tools used in the business systems - all of which Symantec happens
Mr. Clyde added that the worries about network security should be broadened
to include the laptop as well: "How do we protect ourselves as we're roving
around?" He said he could envision a time when a wireless intruder bent on
malice could plant a virus on a laptop that comes within range, or worse.
Reputations, he suggested, could be ruined by planting an embarrassing file
on a business rival's hard drive.
"Any real protection I have has got to be loaded right here," Mr. Clyde
added, lifting his laptop. "Every device has to take care of its own
HE most important point, security companies say, is that companies and
individuals must become aware of the security risks inherent in
broadcasting data. Guardent, a security consulting firm, is one of many
companies that has developed diagnostic software to help assess companies'
wireless security holes.
As Jamie Fullerton, a research scientist at the company, walked along 43rd
Street in Midtown Manhattan, cars flowed by in an endless stream, and so
did data, drifting by like the sounds of a nearby band of buskers playing
Andean flutes. Ears pick up bits of the music, and the antenna in the
laptop picks up the data packets. The stream is far richer, he says, in the
canyons of Wall Street and in Silicon Valley. Some of the networks he finds
are open; others are weakly protected by built-in encryption.
Guardent's chief technical officer, Jerry Brady, said he would like to warn
all of the companies whose data was flashing across Mr. Fullerton's screen.
But Guardent only shares the results of its scans with the paying clients
whose networks they are auditing for security measures. Any other approach,
he said, would be awkward - and could even sound like a shakedown.
"There's no real way to approach companies and say: `Hey, I saw your
traffic go by. Would you like to talk?' " he said with a laugh. "That
doesn't work very well."
Copyright 2001 The New York Times Company | Privacy Information
Family photos conquer gravity
A floor lamp that spreads sunshine all over a room
Add an entertainment center to your next car trip
Cool down rooms without touching the thermostat
Bring the power of the digital revolution to your fingertips
Quit smoking in 7 days--guaranteed!
Why spend hundreds on a bigger monitor enlarge the one you have
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography