Published: 01 Jan 2002
It's a sight that would make any sales manager proud: your company's top sales rep is dutifully e-mailing detailed reports on the day's activities over a public wireless 802.11b network as he waits for his lunch across the street from the office. But would your sales manager be quite so happy if she knew the sensitive data transmissions sent from the rep's laptop could be grabbed by anyone else within a few hundred yards?
Or, let's say your hospital has deployed the latest health care technology: a state-of-the-art wireless handheld application that lets administrators, physicians and medical staff access records, order lab tests and prescribe medications. It's a hit. Recordkeeping costs are lowered, patients agree service is more efficient, and fewer errors are made. But what happens when a doctor sets down his PDA -- still logged on -- and discovers it's missing when he reaches for it again?
WLANs Take Hold
Organizations are deploying wireless LANs (WLAN) in large numbers, but typical of emerging technology, implementation is out in front of security. Handheld devices are inherently insecure, and the current WLAN standard, 802.11b, offers immature and inadequate security. Sensitive data is being transmitted using flawed encryption, or worse, no encryption at all.
These and other wireless vulnerabilities have IT/security managers worried. More than 90 percent of 1,268 respondents to a recent Information Security poll said they are either "very concerned" or "somewhat concerned" about the security of wireless networking.
"Even though [wireless networking] was not -- and is not -- truly ready for prime time, people were deploying it," says Willis Marti, associate director for networks at Texas A&M University. "We stepped in to provide a workable solution and get access coordinated."
While infosec professionals are well aware of the problems, wireless security may not be getting the high-profile attention it merits. "Often, a couple of people in the security department are aware," says Richard Mackey, a principal at System Experts, a security consulting firm. "But senior management doesn't know it's the problem it really is."
Despite the risks, WLAN installation is on the rise. In 1999, 1.4 million WLAN nodes were shipped worldwide. The number nearly quadrupled to 4.9 million in 2000 and is projected to reach 55.9 million in 2006, representing a $4.5 billion market, according to a recent Allied Business Intelligence report.
The growth of business applications for cellular networks is less clear, at least for now, largely because of the debate in the U.S. over spectrum allocation for high-speed transmissions. WLANs offer a much cheaper path, and high-speed transmission is imminent, as vendors adopt the 802.11a and/or 802.11g standards.
The wireless LAN environment is riddled with vulnerabilities. Without significant security upgrades, endpoints and transmissions are wide open to compromise.
Handhelds. Handheld devices are neither designed for nor capable of sophisticated security. PDAs and their wireless access points (APs) are being deployed outside of infosec control. They are underpowered and plagued by poor password implementation schemes. Worse, they are often lost or stolen.
Protocols. 802.11b is inadequate, in itself, to meet anything but minimal security requirements: basic access control and authentication.
The Wired Equivalent Privacy (WEP), 802.11b's much-maligned encryption mechanism, has proved easy to break and is hamstrung by its lack of a key-management scheme. A cracker can scan for 802.11 APs and decrypt the captured data using a laptop computer and software downloaded from the Internet.
The Weakest Link
Though wireless data stream get more attention, the greatest risk to wireless connectivity may be the handheld devices themselves.
Handheld computers and their applications were built for cool new functions, not security. They lack the processing power for strong encryption, memory management and solid password security. When they were just electronic organizers, it didn't matter. Now, they're an open door to the network, and that matters a lot.
Start with physical security. You can augment the security on handhelds, but you can't prevent them from being lost and stolen from pockets, purses and briefcases. The risk isn't trivial. Gartner Group estimates that more than a quarter million PDAs and mobile phones were lost or stolen in airports worldwide in 2001.
Cable and lock systems that hook into your PDA's stylus slot, such as Kensington Technology Group's PDA Saver, offer some degree of physical protection. Such products will at least discourage an opportunist from snatching your PDA off your desk. However, cable-lock devices aren't universal. As stylus designs evolve with new PDA models, the PDA Saver is usable on fewer and fewer devices.
The 5-ounce weakling. Laptops and desktop systems have the resources-ample power, speedy processors and lots of storage -- to efficiently handle security-related tasks, such as cryptographic calculations. In contrast, PDAs -- with their low power, relatively slow processors and limited storage capacity -- were intended to support personal applications that don't generally require robust security. And while vendors have been quick to promote the devices for a range of sensitive applications, such as finance and health care, they've been slow to offer security capabilities commensurate with the risks.
The Palm OS, for example, has very weak password security, according to an analysis conducted by Peiter "Mudge" Zatko and Joe "Kingpin" Grand of @stake security. While the pair identified several vulnerabilities specific to version 3.5 of the operating system, they raised a number of broader concerns as well, such as the inability of the OS to control an application's access to system resources, the possibility for cross-system viruses and the potential for attacks related to synchronization.
Most handheld devices rely on some form of password-based control access; there are limited options for additional authentication. Since many users employ the same password on multiple systems, anyone who gets it can compromise other systems in addition to the data and applications on the device itself. This reflects the limits of password protection for any system, but PDAs are particularly vulnerable because their passwords aren't secure.
The @stake analysis, for example, revealed that the Palm OS (v3.5) doesn't encrypt the password on the device. Instead, the password is encoded with a known algorithm and stored in a location accessible to any application. An attacker who captures the encoded block can quickly determine the password. Microsoft's WinCE (now PocketPC) has also suffered password problems, including a widely publicized exploit that allowed an attacker to learn an individual's Windows NT password.
In each case, the OEM vendor has moved to correct the shortcoming, but the problem points to the need for more robust protection of handheld devices, such as multifactor authentication.
"It sure would be nice if I was able to issue a smart card that people had to physically carry around with them, stick into the device and then enter their password," says James Kobelius, a senior analyst at the Burton Group.
New crypto? Compounding the insecurity of their weak passwords, PDAs don't have the processing muscle needed for robust authentication and data/line encryption applications. So the question remains: How do you build in efficient security?
While much attention is focused on improving the processing capabilities of the devices, new, more efficient cryptography schemes are fueling a hot debate among rival crypto vendors.
Despite its leading position in the handheld market, Palm is a Johnny-come-lately in security. On the other hand, the competition -- specifically, Microsoft and Texas Instruments -- have addressed the need for security and crypto capabilities in their development environments. Microsoft's PocketPC, for example, has long offered a crypto API. And TI's OMAP processor -- a specialized chipset for 2.5 and 3G cellular devices -- includes a comprehensive mix of third-party security technologies.
Palm jumped in last November, announcing that it would incorporate RSA's BSAFE encryption software in future versions of the Palm OS. BSAFE is available in a wireless version, Wireless Core, that's optimized for handheld devices.
Certicom's movianCrypt for the Palm OS uses a message authentication key to authenticate future logon attempts and encrypts data using 128-bit AES.
Asynchrony's PDA Defense stores only an MD5 hash of the password on the PDA and offers 64-, 128- or 512-bit data encryption, depending on the device.
F-Secure's FileCrypto for the Palm OS, PocketPC and the Symbian OS provides 128-bit AES data encryption and PIN or passphrase authentication. F-Secure also supplies antivirus products for all three operating systems.
Network Associates' PGPWireless is a version of its well-known PGP encryption product for the Palm OS. NAI also offers a version of its AV product for Palm, Symbian and PocketPC devices.
IS/Complete's Restrictor for Palm OS allows an admin to establish limits on the applications individual users may execute on Palm devices.
Tranzoa's OnlyMe extends the Palm OS's limited password functions to include button taps and other "gestures," rather than just letters and numbers.
*Representative list only
RSA Security is the de facto choice for public-key cryptography. But is it the best choice for power-challenged handhelds? The new partnership with Palm gives RSA a huge boost in this space, despite its comparatively processor-intensive algorithms.
Michael Vergera, RSA's director of marketing, stresses the benefits of interoperability. "The security on the device must interoperate with the security used in the Internet," he maintains. "Only one algorithm, RSA, provides that." As a case in point, RSA Wireless Core supports Diffie-Hellman, DSA and its own algorithms.
On the flip side, Certicom and NTRU sell encryption technology using algorithms fundamentally different from traditional crypto approaches. Certicom maintains that its elliptical curve cryptography (ECC) is ideally suited for wireless devices, with less computational overhead, smaller key size and lower bandwidth usage than RSA's BSAFE.
"These old legacy standards are just inappropriate. They're dinosaurs," asserts NTRU CEO Scott Crenshaw. While NTRU's encryption routines lack the install base and long-term cryptanalysis afforded by algorithms like RSA, NTRU claims its cryptosystem is much faster than either RSA or ECC.
The most likely application for new cryptographic techniques lies less with displacing existing technologies and more with new applications. NTRU's use of "disposable" keys makes it possible to change keys after even a few seconds of use. To crack the encryption on, say, a music or video file, a cracker would need to obtain hundreds, or thousands, of keys rather than just one.
More insecurities. Lack of memory management leaves another gaping security hole. Palm devices have no capacity to mark sections of memory as read-only or limit access, Zatko and Grand note. If a virus is introduced or the device is stolen, a rogue application can read and write to memory or interact directly with the system processor. At that point, the insecurity of the operating system becomes academic. With free reign over system memory, rogue applications can read records, erase data or programs, modify creator codes (used to determine which program will execute) and physically damage the device itself.
And sometimes security issues are simply the result of poor design decisions. For example, at the launch of PocketPC 2002 OS last October, Microsoft boasted of new security features, including requiring users to specify more complex passwords using a mix of characters and symbols. While that doesn't address the basic issues of insecure passwords, it's a good step. Still, the updated OS undercuts the enhanced security by allowing people to establish an "idle" window for a period of minutes to a full day, during which the password doesn't need to be re-entered before resuming work. A similar feature is built into v4.0 of the Palm OS.
"Anybody who steals or simply finds the device can go in as that user automatically and run amuck in terms of getting access to corporate resources," Burton's Kobelius points out.
Another problem is a "debug mode" that's able to bypass a user lockout on the device. For standard operations, the Palm OS uses the lockout to protect access to a device; applications and data can't be accessed until the appropriate password is entered. However, when a device is placed in debug mode, the OS allows an attacker to bypass the lockout and gain complete control of the system. While the vulnerability has been closed in v4.0, it remains in older systems.
In addition to the above products, there are a number of third-party solutions that mitigate the insecurity of handheld devices. Most of these enhance password protection and/or add encrypted file storage capabilities.
Protect Your WLAN
The focus on bits in the air has changed cracker habits. When networks were wired, war dialing was the rage. Now, instead of aiming a dialer at a phone exchange and noting the numbers when a modem answers the line, crackers have adopted "war driving" -- jumping into the car with an appropriately configured wireless network client to locate and access ("LAN-jack") wireless networks.
Most war drivers are content to grab a high-speed Internet connection. A poorly configured system will allow literally anyone to join the network. And the usual type of black hat intrusions-vulnerability exploits, buffer overflows, Web site defacements, malware attacks -- are made all that much easier because network penetration via dialing in or exploiting an open port isn't required.
The wired equivalent that wasn't. While better than nothing, WEP isn't good enough for robust security. WEP suffers from two critical flaws: vulnerable encryption and a lack of key management. That means either manually changing keys or individual vendor solutions, which in the best cases generate keys dynamically.
War drivers use programs such as NetStumbler to obtain a wealth of detail from LAN-jacked transmissions. Cracker tools like Airsnort and WEPCrack can begin decoding traffic in mere minutes.
The worst thing that can happen -- and it does happen, a lot -- is that WEP is turned off on 802.11b devices with no alternative protection. In other words, wireless clients send data in the clear. A war driver doesn't even have to break a sweat.
WEP supports both 64- and 128-bit keys. Both are vulnerable, however, because the initialization vector (IV) is only 24-bits long in each case. Its RC4 algorithm, which is used securely in other implementations, such as SSL, is quite vulnerable in WEP.
Moreover, with WEP, keys for all APs and clients on a network must be administered manually. Since good security dictates that keys be changed frequently, this is an administrative nightmare for all but the smallest networks. Each AP and client uses the same key to encrypt and decrypt data.
Network access control and client authentication tools underscore 802.11b's limitations. The standard relies solely on hardware-based authentication between the AP and client, using one of two methods: open or shared key. The open method, MAC address filtering, identifies client computers by the address of its 802.11b network card in the clear. Moreover, maintaining and managing a MAC address list is impractical for all but the smallest networks.
Shared key authentication requires that WEP be enabled, with identical keys on both the client and AP.
The other 802.11b access security method uses a Service Set Identifier (SSID), which is assigned to one or more APs to create a wireless network segment. Wireless clients must be configured with the correct SSID to access the network, providing very basic security. But even this security will be useless if APs are enabled to "broadcast" their SSIDs. That allows any computer that isn't configured with an SSID to receive it and access the AP.
Proprietary solutions. Wireless vendors address these problems with some form of enhanced key management for both encryption and client authentication. The tradeoff for better-than-WEP key management is locking into a proprietary system. For example, Cisco Systems, Agere Systems, Enterasys Networks and Avaya have all put key management software in their systems.
Dynamic key management addresses the 802.11b administration headaches and thwarts cracker efforts. Cisco, for example, uses a central key server that creates, distributes and rotates RSA public/private key pairs at the client level for authentication. The server also generates and distributes RC4 keys for packet encryption.
Complex enterprises with large numbers of employees, business partners and a wide range of applications and access methods -- including wireless -- require an authentication server. For user-based authentication, RADIUS/AAA is recommended. A RADIUS server can be employed to validate a client before it's allowed to verify itself to an access point. It can be centrally managed, which is important for large enterprises, and can be used to authenticate VPN clients as well as other services.
Wireless network vendors implement RADIUS in a variety of ways. Avaya's Wireless Access Server, for example, has a built-in RADIUS client. Agere, on the other hand, stresses its compatibility with other vendors' RADIUS servers.
Regardless of specific plans regarding WLANs, the pending 802.1x authentication standard is worth evaluating because of the potential benefits it can offer in both wired and wireless environments.
The standard makes it possible to require that an individual be authenticated before he gains access to the network. This resolves the problem of war driving, where anybody within range of your network can easily gain access.
"With 802.1x, your RADIUS server can create a key on the fly and then send them down to the access point, and the access point would send them to the client and it would use a unique set of keys to talk to that client," explains Dennis Eaton, vice chairman of the Wireless Ethernet Compatibility Alliance (WECA).
Robert Moskowitz, senior technical director at TruSecure Corp. and a member of an Institute of Electrical and Electronics Engineers (IEEE) team developing fixes for the well-known WEP flaws, recommends 802.1x authentication. But Moskowitz would add a requirement for packet authentication. This is especially important in public hot spots, such as airport lounges or coffeehouses, where an attacker can easily watch a user authenticate to their service provider, capturing the MAC and IP addresses.
Should the user not properly log off, Moskowitz warns, "The attacker can just set the user name, the MAC address and the IP address, and they are that user -- as far as the network is concerned."
Authentication of individual packets would reveal the ruse, even though the access point could be fooled, since keys wouldn't match.
Several companies, including Cisco, 3Com, Enterasys and Microsoft (XP includes 802.1x support) are adopting the protocol, and Funk Software, developer of commercial RADIUS servers, announced 802.1x support in its latest release last October.
VPN for Safety's Sake
VPNs, the remote access choice for a growing number of enterprises, are arguably the best way to thwart intrusions on wireless transmissions. A number of vendors offer VPNs that are optimized for wireless security. VPNs, in a securely architected enterprise, protect data transmissions and assure strong authentication. Performance will slow, but protecting wireless traffic is often worth the tradeoff.
War drivers will drive elsewhere, because IPSec -- the encryption protocol used in a lot of VPN applications -- will thwart programs such as AirSnort.
Using a VPN and deploying wireless APs in a DMZ effectively segregates the WLAN and assures that only authorized wireless traffic can access the network. In this architecture, the VPN gateway is placed behind the wireless APs. This offers the same security that VPNs provide for any remote user who uses a dial-up or high-speed wired connection. Since wireless PCs, like other remote clients such as cable modem or DSL, are always on, experts emphatically recommend employing personal firewalls to thwart local data from as many know attacks as possible. A RADIUS server can be added to authenticate wireless VPN clients before they are passed through the AP.
For organizations that already have a VPN in place for remote users, it's easy to incorporate wireless, and users will be dealing with a familiar interface and procedure. In this environment, the easiest configuration is to simply place the wireless access points on the same network segment.
If the VPN is solely for wireless access, combining all access points on a single segment simplifies roaming issues for users and can make it easier to control wireless traffic-shutting down access at a certain time of night, or allowing only VPN traffic to pass, for example.
Vendors offer both stand-alone solutions and integration with firewalls and routers. If the VPN implementation is to support only WLAN access, consider a solution that integrates VPN capabilities with the AP itself.
As wireless LANs become more prevalent, vendors have begun to include VPN support for the devices. Microsoft has added its own VPN client to the most recent version of PocketPC 2002. Certicom offers movianVPN, a specialized handheld solution that supports 802.11 networks and -- unlike the Microsoft offering -- multiple gateways.
Moving Forward: Take Control
Despite the economic downturn, organizations continue to deploy WLANs, because they increase productivity and are cheaper than wired LANs. More than 80 percent of those responding to the Information Security poll said they plan to spend money on wireless technology in 2002; 20 percent plan on spending more than $100,000.
But securing the WLAN environment may initially mean having to play catch-up. Organizations can't implement security until they rein in the selection and deployment of the wireless devices connecting to their network. As if deploying a secure wireless network wasn't enough to deal with, individuals and departments often set up wireless access on their own, inside the firewall. There goes the secure WLAN.
These so-called "rogue" WLANs are on 20 percent of enterprises, according to a recent Gartner survey. The remedial task grows when you consider unauthorized and insecure PDAs, laptops unprotected by personal firewalls and unencrypted transmissions.
"Every place I go, they have wireless access points. There's no question," says Chris Byrnes, vice president and head of META Group's security practice. "The only question is, 'Have they found them and tried to make them secure?'"
The best tool for finding unauthorized access points is the very same one used by war drivers-a wireless sniffer. Options include NetStumbler, AiroPeek from WildPackets, Network Associates' Sniffer Wireless and "roll-your-own" solutions that build on open-source cracking tools.
In addition, a RADIUS/AAA server will ignore APs that aren't registered with it, effectively cutting rogues out of the network.
To eliminate vulnerabilities from rogue access points set up by employees inside the firewall, manage IP addresses, investigate DHCP leases that aren't expiring, and turn off unused ports, which are likely sites for rogue APs.
But the best cure is prevention. Wireless security begins with establishing and enforcing policies that dictate how, when and where wireless will be deployed.
In conjunction with select security products and practices, such policies will help you secure your WLANs as wireless protocols and standards evolve.
About the author:
Dale Garner is an independent software market analyst. He focuses on issues and products in the security, networking and systems management industries.