WI-FI SECURITY WOES HARM ITS USE BY GOVT., NIST CONTENDS
Wireless LANs or Wi-Fi networks require greater security maintenance and have more vulnerabilities than traditional networks, making them currently ill-suited to widespread govt. use, federal study tentatively concluded. National Institute of Standards & Technology (NIST) released draft report Mon., Wireless Network Security: 802.11, Bluetooth and Handheld Devices, that warns federal agencies to use caution when launching wireless networks. NIST invited comments on report, which are due Sept. 1.
Wireless network, due to its use of airwaves, “is openly exposed to intruders, making it the logical equivalent of placing an Ethernet port in the parking lot,” report said. Hackers not only could tap into free Internet access through unsecure Wi-Fi hot spots but also could use that access for denial-of-service attacks or to spread viruses, NIST said. It said problem was compounded by fact that “several public Web sites provide maps of insecure wireless access points throughout the nation.” NIST’s concern is in contrast to growing community of Wi-Fi boosters who see open-source technology as a way of democratizing Internet access. Some have taken to using chalk on sidewalks to mark open nodes where Wi-Fi users can get high-speed Internet access (CD July 11 p13), while the Electronic Frontier Foundation (EFF) for first time has entered wireless space to promote ISPs that allow customers to create open networks (CD July 12 p11).
NIST had several recommendations for federal agencies considering use of Wi-Fi or similar networks: (1) Recognize that maintaining secure wireless network “is an ongoing process that requires greater effort than for other networks and systems.” Most recent report card on federal agencies’ cybersecurity efforts to date conducted on behalf of House Govt. Reform Govt. Efficiency Chmn. Horn (R-Cal.) found many agencies deficient in security for terrestrial networks. (2) Implement specific management practices to ensure proper security and user authentication. (3) Regard physical controls as also important. Report said Wi-Fi allowed use of personal digital assistants (PDAs), laptops and other easily stolen portable devices that could be configured for immediate access to network. (4) Check systems routinely for vulnerabilities.
Wi-Fi networks are beginning to be adopted by govt. agencies, and security has been issue. Harris County, Tex., court system learned in March that its month-old wireless network was vulnerable when Houston computer security analyst, Stefan Puffer, showed court official and local newspaper reporter how he could hack into court’s Wi-Fi network. Network had been installed because aging building couldn’t support any more computer lines. Puffer last week was indicted by federal grand jury for computer hacking as result of his demonstration.
For security, Wi-Fi networks use Wired Equivalent Privacy (WEP) protocol developed by Institute for Electrical & Electronics Engineers (IEEE), developer of 802.11b standard. WEP handles security for data only during wireless transmission; users concerned with security are expected to establish further measures at either end of transmission. But even with firewalls and other security solutions, NIST identified “key problems” with WEP and Wi-Fi security in general. Many of problems relate to cryptographic keys used to disguise transmission and allow its decoding in receiver. WEP generally uses 40-bit keys, which NIST called “inadequate for any system. It is generally accepted that key sizes should be greater than 80 bits in length. The longer the key, the less likely a compromise is possible from a brute-force attack.” NIST said multiple receiving devices in Wi-Fi network routinely use same key, and key sharing “can compromise the system.” It also said keys often weren’t changed frequently because it was inconvenient to modify each receiving device and there was no automatic way to download new keys, making networks more vulnerable to brute-force attacks. IEEE and Internet Engineering Task Force (IETF) are working on several initiatives to improve Wi-Fi security (CD July 22 p3).
Report was produced by NIST’s Computer Security Div., one of many divisions that President Bush has requested be moved to Dept. of Homeland Security. However, homeland security bill that passed House (HR-5005) would keep division at NIST within Commerce Dept. Dozens of members of Congress, led by House Internet Caucus Co-Chmn. Goodlatte (R-Va.), fear that moving Computer Security Div. to law enforcement agency would invite the govt. to start seeking to put encryption back-doors and other devices in computer standards. Issue is unresolved in Senate, and latest statements from Senate Majority Leader Daschle (D-S.D.) suggest that Senate may not vote on homeland security until after Aug. recess.