(Sunday) NYT -- 802.11b (or "Wi-Fi") security fears.
August 19, 2001
As Wireless Networks Grow, So Do Security Fears
By JOHN SCHWARTZ
Avi Rubin did not mean to hack into the hospital's computer
network; it practically begged him to.
Mr. Rubin, a computer security expert at AT&T (news/quote)
Laboratories in Florham Park, N.J., had accompanied his wife, Ann, to
the nearby Morristown Memorial Hospital while she had minor surgery
last month. He brought along his laptop so that he could do some work
while she napped during recovery. But as he sat in her room, he noticed
a green light blinking on the card that he ordinarily used to connect his
laptop to the wireless computer network installed in his home.
The hospital, like many businesses, colleges and even neighborhoods,
had installed its own wireless network — in its case to give employees
access to the computer system anywhere in the building. It had adopted
the popular emerging standard for such networks, known as 802.11b or
Wi-Fi; the hospital's network, apparently set to the most welcoming
mode of operation, automatically granted access to Mr. Rubin's
machine.
Mr. Rubin, 33, the author of "White-Hat Security Arsenal: Tackling the
Threats" (Addison-Wesley) a guide to repelling computer security
threats, was surprised, but also worried. He was glad to have the easy
Internet access that the network was offering. On the other hand, he also knew that with "sniffer" software that he
uses to analyze computer networks, he could monitor every message and file passing through the hospital's wireless
system, presumably including sensitive patient data entered by nurses via the wireless-equipped laptops they carried
from room to room.
"Fortunately, I'm married to a lawyer, who advised me against looking," he said.
Instead, he added, "I enjoyed free high- speed Internet services the whole time I
was in the hospital, but I didn't peek" at the passing network traffic. After his
wife's stay, however, he wrote a letter to the hospital explaining that it had a
"serious security vulnerability."
Robert C. Hendricks, vice president for information systems at Atlantic Health
System, the parent company of Morristown Memorial, said the security lapse was
a "temporary situation," and had occurred as part of a $7 million, yearlong
overhaul of the computer networks, with strong security measures as a priority.
But for many businesses, the lack of security is not temporary. The use of Wi-Fi
is burgeoning: computer users of all types are rushing to install wireless networks
because they offer ease of use and convenience.
Yet most do not even turn on the encryption system that is included in all network
software to protect the broadcast data traffic from being picked up by electronic
eavesdroppers. As businesses shore up their wireless security, consumers —
who can set up wireless networks at home for a few hundred dollars — are likely
to realize that they need to follow suit.
In some places, like neighborhoods and college campuses, part of the idea is to
share or to even give away Internet access in a kind of high-tech gesture of good
will. If those networks are not protected, a result could be a security disaster,
said Christopher W. Klaus, co-founder and chief technical officer of Internet
Security Systems (news/quote). Most networks, he said, are still wide open.
"We have driven around Atlanta, New York and other places just with a laptop
and an antenna, and we were able to pick up quite a few 802.11 access points,"
he said. "I'd say 95 percent of them did not have any security whatsoever."
Of course, to companies like Mr. Klaus's, the same situation is a potential jackpot: a whole new set of technologies
with flaws that will require analysis, consulting and sales of new software and hardware.
The fact that wireless networks can be monitored and joined by outsiders is no surprise. It is, after all, a broadcast
medium like radio, television and cellular phones. But recent disclosures by computer researchers of the weakness
of the built-in encryption system, known as Wired Equivalent Privacy, has raised new worries about wireless
security. Researchers at the University of California at Berkeley showed that it was theoretically possible to break
the encryption system to read individual messages, though the process would take many hours. Another team of
researchers, including the renowned cryptographer Adi Shamir, has since outlined a more powerful theoretical
attack that would allow a wireless intruder to learn the master key to the encryption system and trick the network
into thinking that he was a legitimate user.
Mr. Rubin and Adam Stubblefield, a Rice University undergraduate who was working as a summer intern at AT&T
Labs, put the Shamir hypothesis into action. In less than two hours, Mr. Stubblefield was able to lay bare a network
protected by Wired Equivalent Privacy technology.
The most unsettling thing about the exploit, which was carried out with the knowledge and consent of an AT&T
Labs network administrator, was that it was done passively. Mr. Stubblefield's computer did not try to enter the
network or to make itself known in any way while collecting the necessary data to divine the key to the network: it
just listened, and pieced together the string of characters necessary to gain full access. If the software that he wrote
to assemble that software "key" were published, Mr. Stubblefield said, "this is something any script kiddie could do
with a laptop." He added that he and Mr. Rubin were not releasing the program in publishing their research.
Mr. Rubin said the experiment had changed his views on wireless encryption. Until the test, he recommended
turning on the wireless networks' built-in encryption system. But now that he and Mr. Stubblefield have shown how
weak that encryption standard is, "I feel the encryption gives a false sense of security." Mr. Rubin joked that the
next time he has to go to the hospital, "I'm going to ask for the nurse to use pen and paper."
New versions of 802.11 are on the way that will include stronger security measures. But standard versions of those
security technologies will not be ready until next year at the earliest. For that reason, many security consultants
recommend that companies buy their wireless equipment from vendors like Cisco Systems (news/quote) that have
enhanced security through proprietary software, even though that could mean locking the company's future
purchases into the wares of a single vendor.
Other consultants recommend that companies building wireless networks incorporate security into their wireless
networks on their own — for the most part, by extending into the wireless realm security tools that they are already
using in their wired networks. "What we're telling clients," said John Pescatore, an analyst at Gartner Inc.
(news/quote), a research firm, is to "treat the airwaves just like you treat the Internet," as a medium to connect to,
but as one that is not to be trusted.
Rudy Bakalov, a security manager at PricewaterhouseCoopers in New York, said that meant extending the Internet
protections that many businesses and individuals already use, including firewalls, the "virtual private networks" that
help ensure that people gaining access to a company's systems are authorized to do so, and intrusion detection
systems that alert users when people try to take liberties with the networks. "They already have that infrastructure
in place" for Internet access, Mr. Bakalov said, "so it's not going to be that much more expensive, anyway."
Some security experts say consumers will have to follow the lead of businesses in bolstering wireless security.
Robert Clyde, chief technical officer at Symantec, a computer security company based in Cupertino, Calif.,
recommended that people who have set up systems in their homes protect them from intruders with consumer
versions of the same software and hardware tools used in the business systems — all of which Symantec happens
to sell.
Mr. Clyde added that the worries about network security should be broadened to include the laptop as well: "How
do we protect ourselves as we're roving around?" He said he could envision a time when a wireless intruder bent on
malice could plant a virus on a laptop that comes within range, or worse. Reputations, he suggested, could be ruined
by planting an embarrassing file on a business rival's hard drive.
"Any real protection I have has got to be loaded right here," Mr. Clyde added, lifting his laptop. "Every device has to
take care of its own security."
The most important point, security companies say, is that companies and individuals must become aware of the
security risks inherent in broadcasting data. Guardent, a security consulting firm, is one of many companies that has
developed diagnostic software to help assess companies' wireless security holes.
As Jamie Fullerton, a research scientist at the company, walked along 43rd Street in Midtown Manhattan, cars
flowed by in an endless stream, and so did data, drifting by like the sounds of a nearby band of buskers playing
Andean flutes. Ears pick up bits of the music, and the antenna in the laptop picks up the data packets. The stream is
far richer, he says, in the canyons of Wall Street and in Silicon Valley. Some of the networks he finds are open;
others are weakly protected by built-in encryption.
Guardent's chief technical officer, Jerry Brady, said he would like to warn all of the companies whose data was
flashing across Mr. Fullerton's screen. But Guardent only shares the results of its scans with the paying clients
whose networks they are auditing for security measures. Any other approach, he said, would be awkward — and
could even sound like a shakedown.
"There's no real way to approach companies and say: `Hey, I saw your traffic go by. Would you like to talk?' " he
said with a laugh. "That doesn't work very well."
Copyright 2001 The New York Times Company |
