Information Security News mailing list archives

Wireless Networks in Big Trouble


From: InfoSec News <isn () c4i org>
Date: Tue, 21 Aug 2001 03:04:34 -0500 (CDT)

http://www.wired.com/news/wireless/0,1382,46187,00.html

By Michelle Delio 
2:20 p.m. Aug. 20, 2001 PDT 

Wireless networks are a little less secure today with the public
release of "AirSnort," a tool that can surreptitiously grab and
analyze data moving across just about every major wireless network.

When enough information has been captured, AirSnort can then piece
together the system's master password.

In other words, hackers and/or eavesdroppers using AirSnort can just
grab what they want from a company's database wirelessly, out of thin
air.

AirSnort's abilities aren't groundbreaking -- security experts know all
too well that wireless networks can be easily accessed and monitored
by outsiders. But a fully featured tool to facilitate password-grabs
wasn't readily available until this past weekend, when AirSnort was
released on the Internet.

"AirSnort certainly ups the ante in the sense that with this tool,
your 'encrypted wireless net' can be quickly and easily breached,"
said Randy Sandone of Argus, a security company.

"Once AirSnort breaks the encryption, you're basically hosed. A
malicious hacker can read any packet traveling over the network,
gather information, passwords -- you name it."

Wireless networks transmit information over public airwaves, the same
medium used by television, radio and cell phones. The networks are
supposed to be protected by a built-in security feature, the Wired
Equivalent Privacy system (WEP) -- also known as the 802.11b standard
-- which encrypts data as it is transmitted.

But WEP/802.11b has proved to be quite crackable. And that's exactly
why AirSnort was publicly released, said AirSnort programmers Jeremy
Bruestle and Blake Hegerle. They hope that AirSnort will prove once
and for all that wireless networks protected only by WEP are not
secure.

"Yes, AirSnort can be used as a cracking tool, but it can also be used
as a really big stick in an argument over the safety of WEP," Hegerle
said.

"We felt that the only proper thing to do was to release the project,"
Bruestle said. "It is not obvious to the layman or the average
administrator how vulnerable 802.11b is to attack. It's too easy to
trust WEP. Honestly, there is a lot of work involved in hardening a
wireless network. It's easy to be complacent. AirSnort is all about
opening people's eyes."

Added Sandone: "Perhaps its release will prompt wireless vendors to
significantly enhance the encryption of their products. And hopefully
users will come to understand that encryption (regardless of how it is
used) is not a panacea."

"Some people overhype the power of encryption, and others put too much
faith in its 'mathematical precision.' It clearly has its value, but
it shouldn't be the only security mechanism in use."

"Weaknesses in the Key Scheduling Algorithm of RC4," a recently
published paper by Scott Fluhrer, Itsik Mantin and Adi Shamir,
outlined a way to learn the master key to the WEP encryption system,
which would allow an intruder to pose as a legitimate user of the
network.

Adam Stubblefield, a Rice University undergraduate who was working as
a summer intern at AT&T Labs, tested that exploit (with the permission
of the network's administrator) and was able to pull up the network's
master password in just under two hours.

Stubblefield published his research on the Internet, but did not
release the program he used to access AT&T's wireless network.

If the software that he wrote to grab passwords were published,
Stubblefield told a reporter from The New York Times, anyone with a
basic knowledge of computers and a wireless network card could easily
crack many wireless networks.

"Basically I read the paper and wondered if the attack would actually
work in the real world, and how hard it would be to implement,"
Bruestle said. "I am the CEO of a small security firm, Cypher42, and I
wanted to know just how difficult or easy it would be to implement the
attack, so we could properly advise clients on 802.11b security."

Another tool, WEPcrack, was released on the Internet around the same
time as AirSnort, but WEPcrack is still considered an alpha release, a
work in progress.

Bruestle and Hegerle's AirSnort is a beta release, a designation that
indicates a program is not quite ready for primetime, but is further
along feature and stability-wise than alpha.

Bruestle said he and Hegerle had a basic working version of AirSnort
after less than 24 hours of programming time.

Bruestle said he has received many e-mails about AirSnort, some in
favor of the public release of the tool, others accusing him of adding
to the malicious hackers' arsenal.

"Many of the people who have e-mailed me about AirSnort are sysadmins
who thanked me for giving them a way to convince management that WEP
really is insecure," Bruestle said. "Of course, I have gotten a number
of flame mails too, comparing the release of AirSnort to 'giving guns
to children.' I understand the viewpoint of those who believe
dangerous information should be hidden, but I disagree."

Hegerle and Bruestle said that they believe that many people did not
understand the academic nature of Fluhrer, Mantin and Shamir's paper,
and may not understand how vulnerable wireless systems are.

"It was beyond even my humble attempts to understand (the paper's)
full depths," Bruestle said. "The implications of a tool like AirSnort
are much harder to deny than the paper it was based on."

AirSnort uses a completely passive attack: An AirSnort user needs only
a Linux-operated computer with a wireless network card, and access to
whatever wireless network he or she wishes to crack.

Many wireless networks allow amazingly easy access to unauthorized
users, as some have discovered when their laptops suddenly connect to
the Internet when they are in or near a building that has a wireless
network.

"I've been able to connect to networks when standing outside of
businesses, hospitals or Internet cafés that offer the service," said
Mark Denon, a freelance technology writer.

"You can jump in and use the network to send e-mail or surf the Net,
and often it's quite possible to access whatever information is moving
across the network. It's very easy to piggyback onto many wireless
networks, and some people make a game of driving or walking around a
city and seeing how many networks they can jump into."

"A wireless card in the machine that's running AirSnort does not send
out any data or actually talk with any of the other machines on the
network," said Hegerle. "It simply listens to all the other traffic,
so it doesn't matter if the network allows unauthorized access, as
none of the other machines on the network will even know anyone is
listening."

The amount of time required to piece together a password with AirSnort
depends on a number of factors, Bruestle said, but mostly depends on
the amount of network traffic and "luck."

"On a highly saturated network, AirSnort can usually collect enough
packets to guess the key in three or four hours. If the network is
very low traffic, it can take days to get enough data," Bruestle said.
"Since the attack is based on probability, the actual number of
packets required to guess a given key varies from key to key,
sometimes significantly."

AirSnort monitoring does not have to be all done in one session,
though. "Five hours one day and five the next works out to be about
the same as 10 hours in a row," Bruestle said.

Systems administrators have mixed reactions over the release of
AirSnort.

"Granted, this program will hammer the truth into people's heads about
the insecure nature of any wireless network protected only by WEP,"
said Gerry Kaufman, a medical network and systems consultant. "But
releasing this tool also allows a lot of people access to networks who
couldn't have cracked them before. I'm really torn between advocating
open access to information, and keeping tools like AirSnort out of the
hands of kids with too much free time on their hands."

Kaufman said the "only good thing" that could come from AirSnort's
release is its use for proving to "those who approve the expenditures"
that wireless networks need stronger protection.

Hegerle and Bruestle suggest that wireless network users look into
other end-to-end forms of encryption, such as Virtual Private Networks
(VPNs) to protect data going over wireless networks.

"While this requires more work, the false sense of security WEP offers
is worse than no security at all," Bruestle said.

"Quite simply, I won't be happy until there are no people trusting
their data to WEP as it now exists," Hegerle said. "There are several
possible ways to change WEP, and I would like to see a new dialog
begin, one that looks for a replacement to the badly designed WEP we
are now stuck with."

Under development are new versions of WEP/802.11b that will include
stronger security features. But the new standards won't be released
until mid-2002 at the earliest.


