The security drawbacks of wireless LANs are becoming increasingly obvious.
Wireless LAN (WLAN) technology certainly provides many convenience benefits, such as reducing the cost of constantly rewiring offices. However, several vulnerabilities in its security have recently been discovered. In January this year, researchers at the University of California, Berkeley found that a person across the street can access an 802.11b network (802.11b is the leading WLAN technology today) using just an antenna, a laptop and a PC card.
The WEP (Wired Equivalent Privacy) standard is the encryption scheme behind 802.11. However, WEP encryption has to be enabled manually, which many companies forget to do. Without WEP, the network is wide open. Recent research in Stockholm found that 60% of wireless LANs did not use WEP.
Yet even WEP is not failsafe. It is far behind leading technology, with a key length of only 40 bits. The access point and all the clients share the same password, and many companies forget to change the default password on installation. It is also possible to work out the encryption key by analyzing the initialization vectors transmitted with every wireless data packet. Already, free software tools such as AirSnort can recover encryption keys.
The best option for companies today is to use multi-layered security, for instance running VPN technology such as IPSec on all connections. Without this, companies should avoid setting up wireless access points behind the firewall, as it opens up the entire internal network to anyone with a laptop.
Better security technologies will soon be launched. New Jersey’s ReefEdge has already launched a WLAN management solution, which means only authorized personnel can access the network. A new solution, built into Windows XP, adds improved authentication and access control to Ethernet networks, including 802.11. And the new 802.11e standard, expected next year, should use 128-bit AES encryption.
The next WLAN standard certainly requires such radical improvements. Until then, data on a WLAN should be seen as open to external users. Without adequate security, the risk of intellectual property theft means the price of implementing a WLAN could be more than the cost of the equipment.