Wireless network group discloses new vulnerability

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/docs/news/svfront/062136.htm

Friday, Aug. 3, 2001

NEW YORK (Reuters) - Researchers have discovered a way to quickly
break through the security system that protects the leading corporate
wireless networking system, a trade group said Friday.

While computer security experts had previously uncovered weaknesses in
Wi-Fi, a standard for wireless data communication also known as
802.11b, the latest discovery is being treated with more concern
because it is more feasible and takes less time to carry out.

The new attack allows a hacker to discover the ``secret key'' used to
encrypt data before it goes into the air.

The group that promotes the Wi-Fi standard, which briefed reporters
and analysts prior to the publication of a paper that details the
vulnerability, said it had long urged wireless network users to
supplement Wi-Fi's built-in security system with stronger encryption
tools.

``Companies that have something worth attacking are likely to -- and
if they're not, they certainly should -- put in other forms of network
protection,'' David Cohen, the chairman of the Wireless Ethernet
Compatibility Alliance, said in an interview.

Wi-Fi, backed by technology giants including Intel Corp. and Cisco
Systems Inc., has caught on in places beyond corporate campuses,
including airports, hotels and other public spaces, letting computer
users reach the Internet without attaching any wires.

Wednesday, the alliance, known as WECA, said it had added to its board
of directors Microsoft Corp., which will support Wi-Fi networks in its
new Windows XP operating system.

Despite its popularity, critics have long said Wi-Fi was vulnerable to
attack by hackers.

Early this year, a group of security experts at the University of
California at Berkeley discovered weaknesses in the Wired Equivalent
Privacy, or WEP, algorithm -- the security system used in Wi-Fi
networks.

In March, researchers at the University of Maryland published a report
entitled ``Your 802.11 Wireless Network Has No Clothes,'' that claimed
wireless networks are vulnerable to attack.

Wi-Fi's backers responded by saying the Berkeley report was far too
complex to be widely implemented, and that WEP should not be used by
itself to protect sensitive data.

Navin Sabharwal, a wireless analyst at research firm Allied Business
Intelligence, said WEP is no longer seen as a secure way to protect
data over wireless networks.

``WEP is pretty much defunct,'' Sabharwal said. ``It's sort of the
curse of any wireless protocol: ultimately, no matter what algorithm
you choose, you're basically going to be assured that its going to be
susceptible to hacking.''

The new paper was written by Scott Fluhrer of Cisco Systems Inc. as
well as Itsik Mantin and Adi Shamir of The Weizmann Institute in
Israel, WECA said. Neither of the three experts could immediately be
reached.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.