DRIVE-BY HACKERS

Jun 1, 2002 12:00 PM
By JACQUELINE EMIGH

When national retailer Best Buy decided to shut down its wireless cash registers, security managers took notice. Best Buy made its move in May, after an anonymous network security researcher bragged on the Internet that he had broken into the retailer's wireless LAN while sitting in his car outside a store.

“People raised their eyebrows and asked, does the Best Buy incident apply to us?” says Jim Williams, a former special agent for the FBI, now employed as director of security solutions at Solutionary — a consulting firm.

Without the right precautions in place, wireless LAN users have been vulnerable since early last year, when academic researchers began publishing papers about security holes in the 802.11b wireless LAN standard. Particularly on the East and West coasts, but also in large cities elsewhere in the U.S., “war drivers” or “drive-by hackers” have been outfitting themselves with specially-rigged PCs, driving around in their cars, and homing in on wireless LANs located nearby.

“Traditional 802.11 security does not address all the issues,” contends Kitter Nagesh, product line manager of Cisco's wireless networking business unit located in San Jose, Calif.

Although improvements to 802.11b are expected by the end of this year, the current encryption scheme, called Wireless Encryption Protocol (WEP), has received heaps of criticism. Encryption technologies are designed to “scramble” data so it can't be read by prying eyes. WEP encryption, however, is considered relatively easy to break. One big problem is that WEP uses the same key for encrypting and decrypting all data on the wireless link.

“Nevertheless, it's astounding that so many wireless LAN users never even bother to enable WEP,” says Ray Martino, vice president of wireless technologies for Symbol Technologies, Holtsville, N.Y.

Meanwhile, experts argue that by adding extra security layers, customers can effectively seal holes in 802.11b.
Current workarounds include virtual private networks (VPNs); new “dynamic key” encryption from Cisco, Symbol and other vendors; and multi-pronged security packages from companies like NetMotion Wireless, Bluesocket, ReefEdge and Vernier.

Who is doing the war driving?

There's no single profile. Most war drivers who admit to the practice are either Internet security consultants, teen-aged hackers, or corporate security managers. “There's also a lot of potential for abuse in criminal activities and corporate espionage,” Solutionary's Williams says.

When corporate security managers get behind the wheel, they're typically looking for “rogue” or unauthorized wireless LANs on their own company grounds. According to analysts, it's cheap and easy for employees to set up rogue LANs. All it takes is a wireless access point (AP) and a wireless card for a desktop or laptop PC. Both hardware items can be easily bought in retail stores.

War drivers, on the other hand, need a laptop outfitted with a wireless card, a GPS (global positioning system), and wireless sniffer software such as NetStumbler or Air Sniffer, which is downloadable over the Web free of charge.

Outside consultants sometimes engage in war driving, simply to prove the security risks of wireless LANs. One security consultant, Frank Keeney, spent his Thanksgiving vacation last year hunting for wireless access points from Pasadena, Calif. to San Francisco. Keeney takes pains to point out he never actually breaks into the wireless nets he discovers.

Obviously, the same didn't hold true for Best Buy's drive-by hacker. In a posting on an Internet news group, the “anonymous researcher” claimed the data he grabbed may have included a credit card number. Responding to the boast, Best Buy officials said they were “aware of that possibility,” and that they'd decided to suspend use of the wireless registers until an investigation could take place.

It isn't just stores that are vulnerable, either.
According to findings by security consultants, WEP often goes unenabled in warehouses, branch offices, and home offices as well.

Without encryption in place, road warriors can see all information flowing back and forth between the wireless LAN and the Internet, says Jeff Guilfoyle, Solutionary's vice president of e-security. “You can grab people's e-mails. You can see what Web sites they're going to, and which documents they're downloading. If they also have access to the corporate network, and there aren't any [internal] firewalls, you can also access any information on the corporate net,” he says.

Over the past couple of years, war driving was catching on as a hobby for teens and college students. “War driving can be an enticing thing to do for young knowledge seekers out there on the Internet. Typically, these ‘script kiddies’ just want to satisfy their curiosity,” Williams says.

On an Internet forum about ISP-Wireless, one member acknowledged, “Being a student, war driving is something we do when we're not partying. We used to drive around and download all night long into our van.”

Colleges were one of the first big markets for wireless LANs, because of mobility needs of student populations. As such, college administrators tend to be particularly attuned to wireless security issues.

Interviewed prior to the Best Buy attack, Deborah Gelch, IT administrator at Lasell College, Cambridge, Mass., said: “I've definitely had some concerns about students — particularly some of the students in our computer science program, and other sophisticated users. We host a summer computer camp, and this has made me even more concerned,” she says.

Lasell has established two different domains for its wireless net: one for faculty/staff, and the other for students. With the help of Bluesocket's wireless security solution, the school is giving faculty/staff greater bandwidth priority, as well as greater access to college resources.

“Before the Best Buy incident, I don't think security managers were as highly-aware of the plug-and-play tools that are easily available to consumers over the Internet. Ironically, the same tools used by professionals to assess and secure wireless networks can also be employed by young, inexperienced individuals for network hacking,” Williams says.

One favorite pastime among drive-by hackers is to draw maps of the access points they detect. In his drive along the California coastline, Keeney found access points everywhere. “Part of my reason for doing this [was] to find out if there were many access points in the more rural areas. There are plenty,” Keeney says. “The Silicon Valley areas have been mapped [by other war drivers] many times. Nearly every major company has [at least one] access point.”

Guilfoyle, on the other hand, has readied a map of about 50 wireless access points unearthed during a brief drive-by of Omaha, Neb. “About 75 percent of the access points we found did not have WEP turned on — and we were driving through business districts,” he says.

Even if the Best Buy hacker didn't manage to grab a credit card number, many people fear that unless wireless customers tighten their security, it's only a matter of time before credit card theft really does occur.

“When this happens, it will be almost untraceable,” Guilfoyle says. “How is anyone going to prove what happened, if the [perpetrator] was sitting outside in a parked car, possibly in the darkness, nowhere near the cash register?”

Others point to improved technologies for data encryption and authentication, just down the road. Authentication technologies are meant to prove that users “are who they say they are.”

According to Dennis Eaton, executive director of the WECA industry group, wireless vendors will start supporting TKIP, an interim encryption standard from the Institute of Electrical and Electronics Engineers (IEEE), by the end of this year.
Meanwhile, companies are also working on the IEEE's new 802.1x authentication framework and two other new encryption standards, both supporting 802.1x.

According to Martino, current technologies from Symbol, Cisco, and other companies are actually early implementations of 802.1x's EAP-TLS, a Microsoft-proposed protocol already present in Windows XP. EAP-TTLS, on the other hand, will employ user names and passwords instead of certificates for authentication.

Symbol and other leading wireless LAN vendors will support all three encryption protocols — EAP-TLS, EAP-TTLS, and TKIP — with the ultimate goal of interoperability between the three types of encryption, Martino says.

MobiusGuard, a new security software suite from Symbol, already includes EAP-TLS, along with another type of encryption, called Kerberos; mobile roaming, for moving between access points without dropping the connection; and a VPN client, for “secure tunneling.”

“One size doesn't fit all,” says Martino. “The level of wireless security you need depends on the application. If you're operating a warehouse application, and all you're saying [over a wireless LAN] is, ‘That box is on this shelf,’ you might not require that much encryption. If you're running credit card numbers, however, that's a different story,” he adds.

How to defend your wireless LAN today

Many people think it's already relatively easy to ward off wireless security breaches, if you simply know how.

“You defend against wireless attacks the same way you defend against any other network attack,” Williams says. “You have security policies in place. You train end-users about the risks. Then you conduct periodic assessments — to find out what access points are out there, to monitor their use, and to make sure this particular type of technology is not abused.”

When it comes to technical nuts-and-bolts, experts agree, turning on WEP encryption is essential.
“There's been a lot of disparagement about WEP, but it certainly presents a much higher barrier than no encryption at all,” says Joe Savarese, chief technology officer for NetMotion Wireless.

Other current considerations include service set IDs (SSIDs) and broadcast IP. Under their default settings, most wireless cards will automatically broadcast their IP addresses, allowing rapid detection by sniffer software. A few vendors, including Lucent and Symbol Technologies, automatically disable broadcast IP. Otherwise, customers need to go out of their way to turn off this potentially hazardous feature.

Along the same lines, lots of wireless customers make the mistake of relying on manufacturers' default SSIDs, or network names, as opposed to creating unique SSIDs that are tougher for others to guess.

For the record

About the author

Jacqueline Emigh is a 12-year veteran of technology journalism and a freelance writer for iSecurity.