Wireless LAN vulnerability exposed

A second group of experts has discovered potentially dangerous flaws in the encryption algorithm designed to protect wireless LANs.

The announcement, which comes seven months after researchers at the University of California discovered similar weaknesses, warns of a new and more dangerous method of attack.

In the newly published paper, US researchers from Rice University in Houston and AT&T Labs in New Jersey outlined a new passive attack that was capable of undermining the 128-bit version of the Wired Equivalent Privacy (WEP) encryption algorithm used to protect 802.11 wireless LANs.

The researchers advised that all industry-standard 802.11 wireless LANs should be viewed as insecure, adding that users should "treat all systems that are connected via 802.11 as external".

They also urged corporate users to "place all access points outside the firewall".

Adam Stubblefield, a graduate student at Rice University and co-author of the report, confirmed that the new attack differed from the Berkeley one in that no skilled hackers were involved in breaking the encryption keys. "This new attack method is much stronger and much easier for a generic person to carry out," he said. "The adversary is completely passive. He can just listen to the network traffic, and the victims will never know they've been compromised."

The new attack method discovered by Stubblefield and Aviel Rubin, a researcher at AT&T Labs, comes one week after Itsik Mantin and Adi Shamir of the Weizmann Institute of Science in Israel joined with Cisco Systems' Scott Fluhrer to publish a paper describing the attack in theory.

Stubblefield showed that it was possible to recover the 128-bit secret WEP key used in wireless LANs after less than two hours of coding. Significantly, he had used no more than a US$100 (£70) wireless LAN card purchased from an American retail outlet to confirm the vulnerability.

Rubin added, "It's important to note that generic 128-bit encryption is still secure and that this most recent discovery demonstrates flaws in the way WEP uses the WEP RC4 cipher. You can take ciphers that use a 128-bit key and design or use them in an insecure way. In WEP, it's a flawed design."
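The distinction Rubin draws, that RC4 itself is not what is broken but the way WEP keys it, can be illustrated with a small model. The Python below is an added example, not code from the article or from the researchers it describes. It implements textbook RC4, then the simplified WEP framing (a 3-byte IV sent in the clear, prepended to the secret key to form the per-packet RC4 key, with a CRC-32 checksum appended to the payload). Because the IV space is only 24 bits, IV repetition is unavoidable on a busy network, and any two frames sharing an IV are encrypted under the identical keystream. The secret key, IVs and frame contents are constructed sample values; the function names are mine.

```python
# Added illustration: the same RC4 cipher, keyed the way WEP keys it.
# WEP per-packet key = IV (3 bytes, cleartext) || secret key (5 or 13 bytes).
# All keys, IVs and frame payloads here are constructed sample values.
import zlib
from collections import Counter

IV_SPACE = 2 ** 24  # only 16,777,216 distinct IVs exist in WEP


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm (KSA) then the generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: IV || RC4_{IV||K}(plaintext || CRC32).
    The CRC ('ICV') is a linear checksum, not a keyed MAC."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the checksum does not match."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + secret_key, body)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_cancels(frame_a: bytes, frame_b: bytes,
                      plain_a: bytes, plain_b: bytes) -> bool:
    """Why IV reuse matters: with equal IVs the keystreams are identical, so
    XOR of the two ciphertext bodies equals XOR of the two (plaintext||ICV)
    strings. The secret key plays no part in that relation."""
    if frame_a[:3] != frame_b[:3]:
        return False
    body_a, body_b = frame_a[3:], frame_b[3:]
    pa = plain_a + zlib.crc32(plain_a).to_bytes(4, "little")
    pb = plain_b + zlib.crc32(plain_b).to_bytes(4, "little")
    n = min(len(body_a), len(body_b))
    lhs = bytes(x ^ y for x, y in zip(body_a[:n], body_b[:n]))
    rhs = bytes(x ^ y for x, y in zip(pa[:n], pb[:n]))
    return lhs == rhs


def iv_reuse_report(frames: list[bytes]) -> dict[bytes, int]:
    """Monitoring check a defender can run on captured frames: IVs seen more
    than once, with their counts. Any entry means shared keystream on the air."""
    counts = Counter(f[:3] for f in frames)
    return {iv: c for iv, c in counts.items() if c > 1}


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"  # constructed 104-bit key
    f1 = wep_encrypt(key, b"\x00\x00\x01", b"GET /index.html")
    f2 = wep_encrypt(key, b"\x00\x00\x02", b"POST /login")
    f3 = wep_encrypt(key, b"\x00\x00\x01", b"GET /logo.png")  # IV reused
    print("frames per IV before a repeat is guaranteed:", IV_SPACE + 1)
    print("reused IVs:", iv_reuse_report([f1, f2, f3]))
    print("keystream cancels for f1/f3:",
          keystream_cancels(f1, f3, b"GET /index.html", b"GET /logo.png"))
```

The RC4 routine matches the published test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3), so the model does not weaken the cipher; everything that goes wrong comes from the keying scheme around it, which is the article's point. In a deployment, the `iv_reuse_report` check is the kind of signal a wireless monitor can raise, and the remedy the article's sources recommend, tunnelling over IPsec or SSL, removes the dependence on WEP's keying altogether.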

Although WEP currently uses 64-bit encryption, the industry plans to move to a 128-bit key for additional protection in a standard which is scheduled to come into operation later this year.

John Pescatore, an analyst at Gartner, said his company had been advising clients to run virtual private networks to secure wireless LANs for some time. "Treat [wireless] LANs just like you do the Internet," he said. "Don't trust the security [that's] built in.

"Some of the vendors, like Cisco, have built in better security than WEP, but Rubin's attack against streaming crypto [encryption] shows the need to run proven stuff like IPSec or Secure Sockets Layer."