The security hole exists in the wireless equivalent privacy (WEP) algorithm. The research team discovered numerous...
ways of intercepting and modifying transmissions even if access to the network had been restricted.
In particular, the team found it could decrypt traffic using statistical analysis, transmit new traffic from unauthorised mobile stations, decrypt traffic by tricking the wireless access point, and mount a dictionary-based attack - which analyses a day's worth of traffic to allow real-time decryption.
The group said inexpensive equipment could be used to mount the attacks and recommended that those using 802.11 wireless equipment should not rely on WEP for security. The vulnerability occurs in both 40-bit and 128-bit versions.
WEP is designed to protect wireless Lans from eavesdropping and prevent unauthorised access. It uses a secret key shared between a mobile station, such as a laptop, and the base station access point. It encrypts packets as they are sent and carries out an integrity check to ensure no modification has been made in transit.
Butler Group senior analyst Mark Blowers downplayed the risk. "The best way a company can protect itself is by having a security policy - wireless networks are no more insecure than fixed networks," he said.
"However, with wireless networks, management needs to determine the specific risks associated - is wireless suitable for all traffic or should only certain types be transmitted that way?"
Wireless Lan supplier 3Com said the WEP standard is a simple defence against everyday threats but conceded that it is susceptible to sophisticated hacker attacks.
The Berkeley paper advises use of higher level security, such as virtual private networks.