Cracking the Code By Karen M. Kroll, Contributing Editor, VSR
It could happen anywhere, at any time, especially since so many SMBs are now going wireless. A wireless network need not be any more vulnerable to a breach than a wired one, but researchers have now shown a way to partly "crack" the encryption used by Wi-Fi Protected Access (WPA): decrypting and forging individual packets without ever recovering the network key.
Addressing these potential threats are Martin Beck and Erik Tews, German researchers who in November 2008 published a paper titled Practical Attacks Against WEP and WPA. While this report, written by academics on another continent, may have seemed at the time of little consequence to North American SMBs, their findings could dramatically affect the daily IT operations of any business that runs a wireless network.
Here's why: Beck and Tews found a weakness in what's known as TKIP (Temporal Key Integrity Protocol). TKIP is the encryption protocol built into WPA (Wi-Fi Protected Access), which in turn is the security protocol in place on many wireless networks. Beck and Tews' work confirms that it falls short of adequately protecting wireless networks against intruders. The upshot? Business owners operating wireless networks should seriously consider upgrading to the more secure WPA2 over the next year or so.
A Little Bit of History
In 2001, an earlier encryption protocol termed WEP, or Wired Equivalent Privacy, was found to be flawed. TKIP was introduced in 2003 to fix the vulnerabilities in WEP. At the same time, it was designed to be compatible with existing hardware. That way, business owners wouldn't need to immediately replace their access points, computers and other devices. TKIP was designed as a stop-gap measure, says Amit Sinha, Ph.D., fellow and chief technologist with Motorola Enterprise WLAN.
For instance, TKIP added sequence counters to detect when someone captures a packet and reinjects it, upsetting the expected order of packets, Sinha says. The technology also added a message integrity check, a feature within TKIP that detects when the integrity of a frame has been compromised.
Because TKIP and WPA were designed to work with the same devices that could use WEP, they couldn't be tremendously more sophisticated, says Johannes B. Ullrich, chief research officer with the SANS (SysAdmin, Audit, Network, Security) Institute. WPA was born as transitional technology, because WEP was problematic.
When it was introduced, IEEE, the organization behind TKIP, indicated that it would have a lifespan of about five years, says Joshua Wright, senior security analyst with InGuardians, Inc., a Washington D.C.-based independent information security consultancy. The idea was to give businesses some time before they had to replace equipment. Now, that five year window is about up.
Lethal Packet Injection
In their November paper, Beck and Tews describe the process they used to undermine TKIP. They found a way to decrypt selected packets, slowly, one byte at a time. The slow pace is forced by TKIP's countermeasures: when two message integrity violations occur within 60 seconds of each other, the access point shuts TKIP traffic down and rekeys, so an attacker can afford only one integrity failure per minute. By proceeding at a pace of about one byte per minute, they could circumvent the integrity check, Sinha notes.
That meant it could take about 1,500 minutes (25 hours) to break one packet; a packet contains up to 1,600 characters or bytes, says Todd Hooper, CEO of Napera Networks, a provider of security solutions.
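To make the mechanics concrete, here is a small Python model of the receiver-side checks described above (the per-channel sequence counter, the Michael integrity check, and the two-failures-in-60-seconds countermeasure) and of why the attack has to crawl. It is an added example written for this article, not code from Beck and Tews, the IEEE or any vendor. The Michael MIC follows the IEEE 802.11i specification and is checked against the specification's test vector for an all-zero key and empty message; everything else is a labelled simplification: the per-packet keystream is a SHA-256 stand-in for TKIP's RC4 key mixing, the frame is reduced to MSDU, MIC and ICV, the counter is advanced only on accepted frames, and the chopchop guessing itself is not modelled, only how the receiver answers a wrong guess (silent ICV drop) versus a right one (reported MIC failure). The replay onto an idle QoS channel is the re-injection trick from Beck and Tews' paper, which the article does not go into.

```python
"""Toy model of the TKIP receiver checks discussed above: the per-channel
sequence counter, the Michael message integrity code, and the countermeasures
that hold the Beck-Tews attack to one integrity failure per minute.
Added example, not code from the article, the researchers or any vendor.
ASSUMPTION: SHA-256 keystream stands in for RC4 key mixing; frame = MSDU||MIC||ICV."""
import hashlib
import struct
import zlib
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _rotr(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK

def _xswap(v):  # swap the two bytes inside each 16-bit half
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def michael(key, msg):
    """Michael MIC (IEEE 802.11i): 64-bit key, 64-bit tag.  Pad with 0x5a plus
    4..7 zero bytes to a multiple of four, then stir in one LE word per round."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg)) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        r ^= _rotl(l, 17); l = (l + r) & MASK
        r ^= _xswap(l);    l = (l + r) & MASK
        r ^= _rotl(l, 3);  l = (l + r) & MASK
        r ^= _rotr(l, 2);  l = (l + r) & MASK
    return struct.pack("<II", l, r)

def _keystream(key, tsc, n):
    # Depends on the sequence counter but NOT on the QoS channel, as in TKIP.
    blocks = (hashlib.sha256(key + tsc.to_bytes(6, "big") + bytes([i])).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_frame(enc_key, mic_key, tid, tsc, msdu):
    """MSDU || Michael MIC || CRC-32 ICV, XORed with the per-packet keystream.
    The MIC covers the QoS priority (tid); real TKIP also covers DA and SA."""
    body = msdu + michael(mic_key, bytes([tid]) + msdu)
    body += struct.pack("<I", zlib.crc32(body))
    return {"tid": tid, "tsc": tsc, "body": _xor(body, _keystream(enc_key, tsc, len(body)))}

class TkipReceiver:
    CM_WINDOW = 60.0   # a second MIC failure inside this window -> countermeasures
    CM_HOLDOFF = 60.0  # TKIP traffic refused for this long, then rekey

    def __init__(self, enc_key, mic_key):
        self.enc_key, self.mic_key = enc_key, mic_key
        self.last_tsc = {}            # highest accepted TSC per QoS channel (TID)
        self.last_mic_failure = None
        self.disabled_until = 0.0
        self.rekeys = 0

    def receive(self, frame, now):
        if now < self.disabled_until:
            return "dropped: countermeasures active"
        if frame["tsc"] <= self.last_tsc.get(frame["tid"], -1):
            return "dropped: replay"
        plain = _xor(frame["body"], _keystream(self.enc_key, frame["tsc"], len(frame["body"])))
        body, icv = plain[:-4], plain[-4:]
        if struct.pack("<I", zlib.crc32(body)) != icv:
            return "dropped: ICV"            # silent: a wrong chopchop guess ends here
        msdu, mic = body[:-8], body[-8:]
        if michael(self.mic_key, bytes([frame["tid"]]) + msdu) != mic:
            return self._mic_failure(now)   # reported: a correct guess ends here
        self.last_tsc[frame["tid"]] = frame["tsc"]   # simplification: counter moves only on accept
        return "accepted"

    def _mic_failure(self, now):
        if self.last_mic_failure is not None and now - self.last_mic_failure < self.CM_WINDOW:
            self.disabled_until = now + self.CM_HOLDOFF
            self.rekeys += 1
            self.last_mic_failure = None
            return "MIC failure: countermeasures, rekey"
        self.last_mic_failure = now
        return "MIC failure: reported"

ENC_KEY, MIC_KEY = bytes(range(16)), bytes(range(8))   # constructed demo keys

def replay_demo():
    """Replay on the frame's own channel is caught by the counter; the same bytes on
    an idle QoS channel (Beck-Tews' re-injection trick) reach the MIC check."""
    rx = TkipReceiver(ENC_KEY, MIC_KEY)
    legit = build_frame(ENC_KEY, MIC_KEY, tid=0, tsc=5, msdu=b"who-has 10.0.0.1?")
    return rx.receive(legit, 0.0), rx.receive(legit, 1.0), rx.receive(dict(legit, tid=3), 2.0)

def pacing_demo(spacing, guesses=3):
    """Frames with a valid ICV but the wrong MIC key, `spacing` seconds apart:
    what the receiver sees when every chopchop guess is right."""
    rx = TkipReceiver(ENC_KEY, MIC_KEY)
    verdicts = [rx.receive(build_frame(ENC_KEY, b"\x00" * 8, 0, 1000 + i, b"guess"), i * spacing)
                for i in range(guesses)]
    return verdicts, rx.rekeys
```

Running `pacing_demo(30)` shows the second forged frame tripping the countermeasures and the third being refused outright, while `pacing_demo(61)` gets every frame through to a reported MIC failure with no rekey. That 60-second gap per correct guess is where the one-byte-per-minute figure comes from, and it is why the attack is practical only against short packets whose contents are mostly known in advance.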
Then, having decrypted some packets, the attackers could inject other packets into the network. These packets could, for instance, manipulate an unsuspecting computer on the network into injecting malware into the network, Hooper says. Or they could redirect a computer to a point on the Internet where its information could be taken.
While not a surefire way to access a network, this vulnerability is likely to work often enough to be an issue. "What it does is give attackers steps to the network," Hooper says. Once hackers uncover a kink in a network's armor, they'll waste no time trying to exploit it, he adds.
Ullrich of SANS concurs that while the attack was quite limited, it shows the concepts that can be used in the future to break WPA.
The WPA2 Move
That's why business owners will want to take advantage of the window of time they currently enjoy and upgrade to WPA2. WPA was never a standard, and was never intended to be used long term, says John Girard, vice president and distinguished analyst with the Info Security and Privacy Research Center of Gartner, Inc. It's time to move on.
According to Wigle.net (the Wireless Geographic Logging Engine), an online database of almost 17 million unique wireless networks, 35 percent of wireless networks have no security enabled at all.
Given what's known about WPA, businesses really should move to WPA2. WPA2 encrypts with CCMP, a mode built on AES, the Advanced Encryption Standard. AES has been scrutinized with cryptographic lenses by many security experts over the past four years, and its robustness has been confirmed, Sinha says.
Moreover, WPA2 is a more complicated protocol than either WEP or WPA. That alone should dissuade less sophisticated hackers who lack a strong technology background, Hooper says.
David Yandry, CEO of Acclaim Networks, a Grapevine, Texas-based provider of network services, has begun recommending WPA2 for all new networks Acclaim designs. "Our clients depend on us to stay on top of emerging technologies that will keep the hackers at bay," he says.
Business owners will want to move to WPA2 enterprise mode rather than personal mode, which was designed for home and small-office users who don't run an authentication server, Sinha says. Enterprise mode authenticates each user centrally over 802.1X against an authentication server such as RADIUS, and each user's session ends up with its own encryption key, rather than the single passphrase that everyone shares in personal mode.
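As a second added example (again not from the article, from hostapd, or from any vendor), here are the weak and the recommended configurations side by side for hostapd, the open-source Linux access-point daemon, together with a small auditor that flags the settings this section argues against. ASSUMPTIONS: the directive names are hostapd's real ones, but the SSID, addresses and secrets are placeholders, and both configurations are constructed for the demo; the rule that `rsn_pairwise` falls back to `wpa_pairwise` when unset is hostapd's documented behaviour, and the auditor relies on it so that a TKIP-only `wpa_pairwise` is caught even on a WPA2 network.

```python
"""Audit a hostapd configuration for the settings this section argues against.
Added example, not code from the article or from the hostapd project.
ASSUMPTIONS: the AP runs hostapd (directive names are real, values are
placeholders); both configurations below are constructed for the demo."""

# WPA (v1) with TKIP and one shared passphrase: the setup Beck and Tews attacked.
WEAK_CONF = """\
interface=wlan0
ssid=StoreFloor
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme-please
"""

# WPA2 enterprise: RSN only, CCMP (AES) only, 802.1X against a RADIUS server.
STRONG_CONF = """\
interface=wlan0
ssid=StoreFloor
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=radius-secret-placeholder
"""


def parse_hostapd(text):
    """hostapd.conf is key=value, one per line, '#' starts a comment; later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return finding codes; an empty list means WPA2-CCMP enterprise only."""
    conf = parse_hostapd(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bitfield: 1 = WPA, 2 = RSN/WPA2, 3 = both
    if not wpa:
        findings.append("NO_WPA")             # open or WEP-only, worse than TKIP
    if wpa & 1:
        findings.append("WPA1_ENABLED")       # legacy WPA offered, alone or alongside WPA2
    ciphers = set(conf.get("wpa_pairwise", "").split())
    # rsn_pairwise defaults to wpa_pairwise when unset, so TKIP leaks into WPA2 too
    ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP_ALLOWED")
    if wpa and "CCMP" not in ciphers:
        findings.append("NO_CCMP")
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in mgmt:
        findings.append("PERSONAL_MODE")      # one shared passphrase for everyone
    if "WPA-EAP" in mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append("EAP_WITHOUT_8021X")
        if not conf.get("auth_server_addr"):
            findings.append("NO_RADIUS_SERVER")
    return findings
```

`audit(WEAK_CONF)` reports legacy WPA, TKIP, no CCMP and personal mode; `audit(STRONG_CONF)` reports nothing. A mixed-mode AP (`wpa=3` with `wpa_pairwise=TKIP CCMP`), which many shops run during a migration, still gets flagged for both WPA1 and TKIP: as long as TKIP is offered, a client can be held on the weak cipher, so the migration is not finished until the TKIP options are gone.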
In time, a security flaw with WPA2 might still be found, Girard of Gartner acknowledges. At this point, however, no instances of security problems with properly implemented WPA2 networks have been detected, he adds.
Moreover, WPA2 was designed from the start to be a more effective encryption protocol than TKIP, Wright notes. While TKIP was built to be secure, it also was designed to work with older hardware, which limited its strength.
Vertical Vulnerability
Making the move to WPA2 is particularly important for several verticals. One is retail, which seems to be an attractive target for hackers, Hooper notes. For starters, it's fairly easy for would-be hackers to park themselves outside a shopping area, and try to hack into a network. In contrast, a car hanging around an office building would tend to attract more attention. More significantly, because retailers transmit credit card information, if someone can break the network code, it's a way to get cash through the airwaves, Hooper notes.
Also, version 1.2 of the PCI Data Security Standard, issued in October 2008, sets June 30, 2010 as the sunset date for existing WEP implementations, Sinha says.
While financial services firms don't appear to be targeted as frequently as retailers are, most regularly transmit customers' private financial information. To limit the potential for troublesome security violations, financial firms also should move to WPA2, and implement firewalls and other layers of defense, Sinha notes.
Resellers should let their end-user clients, in all verticals, know that moving to WPA2 is critical: if not now, then within the next year or so. Because WPA2 is not yet widely implemented, the hackers who are likely to publish attack tools aren't yet familiar with it, which provides a window of time in which to make the move. "This whole scenario is a wake-up call," says Wright. It's an opportunity to move away from WPA before more sophisticated attacks come out.
Fortunately, most access points, computers and other devices purchased in the last couple of years should be able to run WPA2, Hooper notes, although some wireless access points may need updated firmware. Firms with older hardware may need to replace it: WPA2's stronger encryption may require more processing capability than those devices have, Ullrich says.
To be sure, few business owners are going to look forward to the time and expense involved in upgrading their wireless networks. Retailers in particular often have fleets of legacy mobile devices, such as scanners and registers. Upgrading all of these devices across a portfolio of locations is an expensive undertaking.
An interim step they can take is to limit the use of the older, less-secure devices, Wright says. For instance, a retailer with older wireless scanners could connect those devices to a network that's separate from the company's overall network.
Yandry of Acclaim Networks recommends that SMBs that can't move to WPA2 immediately take extra security steps in the meantime. For example, they can lengthen employees' passwords and include special characters that make them harder to decode.
Business owners also need to recognize that many security problems within wireless networks stem in part from improper configurations. One example would be employees adding rogue access points, providing a back door into the network, Sinha says. To guard against this, businesses can implement wireless intrusion prevention systems (WIPS).
Effective security requires a strong infrastructure, as well as appropriate, ongoing monitoring and enforcement of security procedures, Sinha says. Security is never a destination; it's an evolution.