From spatial multiplexing for increasing throughput of 802.11n, to Voice over Wi-Fi, to the latest Intel Centrino 2 chipsets — quite a few changes have come about in the 802.11 wireless world recently. But what about wireless security? You know, that gaping security hole once touted as a major business problem? Does it still matter? Well, quite a few things have changed for better and for worse. Here is what you need to know to keep your airwaves in check heading into 2009.
In August 2008, the largest hacking and identity theft case ever was prosecuted at the Federal level. Reportedly more than 100 million credit and debit card accounts were compromised involving attacks against retailers such as TJX, BJ’s Wholesale, Barnes & Noble and more over the past few years. Big shocker: poor wireless security is being blamed. Looking at this pragmatically, poor security management is really to blame. When businesses do not assess their risks and put even the most basic security controls in place, bad things come of it eventually. But who’s counting?
The thing is, it’s not just high-visibility retail organizations that are not locking down their wireless networks. Small businesses, schools, government agencies and even home users are contributing to the problem. Do I see wireless network security as big of an issue as it was three years ago? No. In my work performing security assessments, I am finding the majority of organizations have at least taken the basic steps towards locking things down. I will occasionally load up a wireless network analyzer while I am driving across town to see how many wireless systems are secured. Three years ago, I would find that 50-60 percent of them were open to anyone and everyone. Now, my non-scientific analyses of the situation are showing around 20-30 percent of wireless networks are unsecured — certainly an improvement.
So what has changed to make people secure their wireless networks better than before? It is partly an awareness issue. People see the headlines about wireless breaches and want to make sure they are not affected in the same way. I think it is also becoming more difficult to not secure wireless networks — especially in small business and telecommuter settings. You are almost forced to enable basic wireless security controls when setting up new equipment. Whether or not this is the right way to go about it, it appears to be working.
At the enterprise level, arguably everyone in IT knows the risks of wireless and they go out of their way to enable the right controls. The problem comes when a lazy or rogue administrator has a temporary need to install a wireless access point or two and then forgets about it. Can you say, “bye-bye network firewall — you are not needed anymore?” Obviously it is not that cut-and-dried, but you get my point.
Another issue I am seeing is that many wireless infrastructures have been in place for some time. In these situations, management is hesitant to fund upgrades in support of better wireless security when the existing environments seem to be running fine. The thing that many in management still do not understand is the fact that you cannot assume that all is well in securityland just because you are not aware of any breaches. What you cannot see — and what you do not know — can still hurt you.
This is further perpetuated when there is a general culture of denial throughout the organization. In certain organizations, management does not believe anything is at risk, and they do not make the resources available to adequately secure wireless. The folks in IT have their hands tied, and thus begins the vicious circle of ignorance and apathy. This is the exact recipe for a wireless breach and explains why a quarter or more of businesses still have open wireless networks waiting to be attacked.
Another overlooked aspect of wireless security is that if an attacker cannot get in through the wireless network, he will just try to find a way to get in otherwise. Network jacks in your reception area, gullible employees, Web sites and more are all fair game. These often require a little more work compared to just attaching to your wireless environment, but if the bad guys want to get in badly enough, they will find a way.
When it comes to the old vulnerabilities in 802.11, they are still around. People can still crack WEP encryption. The newer WPA is also vulnerable if encryption passphrases of 20 or more random characters are not used. Even if you have the latest and greatest Wi-Fi configuration — 802.11n — you can still be at risk. There is a known issue with wireless intrusion detection systems taking twice as long to scan the airwaves for malicious attacks when using channel bonding across 40 MHz channels. There is also an issue with packet management in 802.11n that can be exploited to create a denial-of-service attack. In fact, Wi-Fi denial of service is still one of the greatest risks. From radio jammers to free tools off the Internet that can manipulate wireless communications, 802.11 is not immune from being taken down indefinitely until you can find who is generating the attacks. This is certainly a good reason to question whether or not you want to run critical business applications wirelessly.
With the weaknesses associated with wireless, even the regulators are starting to tighten down their requirements. In the forthcoming Payment Card Industry Data Security Standard (PCI DSS) version 1.2, WEP encryption is going to have to be phased out and stronger industry best practices (i.e., 802.1X) are going to be required. Regulations are finally starting to catch up with reality in this case.
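The following Python audit, added here and not part of the original article, checks a WLAN inventory against the points made above: open and WEP networks are flagged, WPA passphrases must be at least 20 characters, and 802.1X passes. The record keys (`ssid`, `security`, `psk`), the mode names and the sample inventory are assumptions constructed for illustration; the SSID and repetition checks are crude heuristics, since randomness cannot be proven from a passphrase itself.

```python
import math
import secrets
import string

MIN_PSK_LEN = 20   # the article's threshold for WPA passphrases
# A WPA passphrase is 8-63 printable ASCII characters; these 94 exclude space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def new_passphrase(length=24):
    """Draw a passphrase from the OS CSPRNG, not from a human."""
    if not MIN_PSK_LEN <= length <= 63:
        raise ValueError("length must be between 20 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase (not valid for chosen words)."""
    return length * math.log2(alphabet_size)

def audit(wlan):
    """Findings for one record; keys ssid/security/psk are hypothetical."""
    sec = wlan["security"].lower()
    if sec == "open":
        return ["open network: no encryption or authentication"]
    if sec == "wep":
        return ["WEP can be cracked; PCI DSS 1.2 phases it out"]
    if sec == "802.1x":   # named in the article as the stronger practice
        return []
    if sec != "wpa-psk":
        return [f"unknown security mode {wlan['security']!r}"]
    psk, findings = wlan.get("psk", ""), []
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"passphrase is {len(psk)} chars, need {MIN_PSK_LEN}+")
    if wlan["ssid"] and wlan["ssid"].lower() in psk.lower():
        findings.append("passphrase contains the SSID")
    if len(set(psk)) < 10:
        findings.append("too few distinct characters to be random")
    return findings

# Constructed inventory for illustration only.
INVENTORY = [
    {"ssid": "store-pos", "security": "wep"},
    {"ssid": "lobby", "security": "open"},
    {"ssid": "branch", "security": "wpa-psk", "psk": "Branch2008"},
    {"ssid": "office", "security": "wpa-psk", "psk": new_passphrase()},
    {"ssid": "corp", "security": "802.1x"},
]

def audit_all(inventory=INVENTORY):
    return {w["ssid"]: audit(w) for w in inventory}
```

A 20-character passphrase drawn uniformly from the 94-character alphabet carries about 131 bits of entropy, which is why length alone is not enough: the figure only holds when the characters are generated, not chosen.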
To sum up: yes, wireless security is still an issue. If the wireless security vendor acquisitions over the past couple of years are not proof enough, then the wireless breach stories we hear about — and even the ones we do not — should be enough justification to keep it on your radar. And do not forget that there is more to “wireless” as we know it. It is still a little early to tell just how WiMax will be exploited, but RFID is another thing altogether. Just look at the recent RFID hack against the Massachusetts Bay Transportation Authority. These weaknesses have implications reaching far and wide across every type of enterprise.
The good news is that you do not have to spend a lot of money to lock down wireless. For small wireless environments, the tools and controls are mostly free. They are built right into the equipment and they are really all you need to have nearly 100-percent wireless security.
Need to do more with less? Then here is the opportunity. For large-scale deployments where centralized wireless visibility and control are needed, the vendor solutions are there, they are mature, and there is no reason not to own one or two of them.
Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies” and “Hacking Wireless Networks for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.