Wireless security is becoming increasingly important as wireless applications and systems are widely adopted. Numerous organizations have already installed or are busy installing Wireless Local Area Networks (WLANs). These networks, based on the IEEE 802.11b standard, are very easy to deploy and inexpensive. Other important trends in wireless adoption include the introduction of wireless e-mail with devices such as the BlackBerry and the Palm VII, rampant digital cell phone use (including the use of Short Message Service [SMS]), and the advent of Bluetooth devices. Wireless is clearly here to stay.
But all is not well in the wireless universe. The risks associated with the adoption of wireless networking are only now coming to light. A number of impressive attacks are possible and have been heavily publicized, especially in the IEEE 802.11b arena. Since October 2000, at least ten major wireless security stories have played out (see Table F.1). These stories were covered by the New York Times, the Wall Street Journal, CNN, and NBC Nightly News, among others. Apparently, the world finds wireless security both interesting and important.
Table F.1. A Chronology of Wireless Security Topics, Issues, and Stories (Incomplete) | |||
When | Who | What | Web |
October 2000 | Jesse Walker of the University of Maryland | Several problems in WEP | http://www.cs.umd.edu/~waa/wireless.html |
January 2001 | U.C. Berkeley researchers Nikita Borisov, Ian Goldberg, and David Wagner | Seminal work on WEP insecurity | http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html |
March 2001 | University of Maryland researchers Bill Arbaugh, Narendar Shankar, and Justin Wan | Several access control and authentication problems in 802.11b | http://www.cs.umd.edu/~waa/wireless.pdf |
June 2001 | Tim Newsham from @stake | A key generation algorithm problem leading to dictionary attacks | http://www.lava.net/~newsham/wlan/ |
August 2001 | Scott Fluhrer, Itsik Mantin, and Adi Shamir | A cryptographic flaw in the RC4 key setup algorithm used by WEP |
|
|
|
|
|
August 2001 | Avi Rubin from AT&T Research and Adam Stubblefield of Rice University | Implementation of the WEP crack | http://www.nytimes.com/2001/08/19/technology/19WIRE.html |
October 2001 | Bob Fleck from Cigital's Software Security Group | ARP cache poisoning attacks that work against 802.11 networks | http://www.cigital.com/news/wireless-sec.html |
February 2002 | Arunesh Mishra and Bill Arbaugh from the University of Maryland | Several flaws in 802.1X (still in committee) | http://www.cs.umd.edu/~waa/lx.pdf |
May 2002 | Avi Rubin of AT&T Research | X10 Wireless camera vulnerabilities | http://www.nytimes.com/2002/04/14/technology/14SPY.html |
The most interesting thing about wireless security is the opportunity presented by the very recent adoption of wireless technology. New users of wireless technology have a chance to build things properly and securely as they adopt wireless networks and create applications to run on them. That's not to imply that this will be easy, because it will not be. This book presents an important, and a necessary, introduction to critical issues in wireless security, something that will be extremely useful to those adapting wireless technology. Armed with a solid understanding of reality, readers of this book are unlikely to fall prey to hype.
As far as base technology is concerned, wireless security appears to be following the usual "penetrate and patch" route. This is unfortunate, but perhaps unavoidable. Early wireless security is focused almost exclusively on cryptography and secure trans-mission with unfortunate results thus far. WEP security, the cryptography built in to 802.11b, for example, is completely broken and offers very little real security. In fact, one might argue that using WEP is worse than using no cryptography at all, because it can lull users into a completely unfounded sense of security. Given that our wired networks are in such bad shape, perhaps the notion of attaining "wired equivalent privacy" is ironically accurate after all!
An over reliance on cryptography springs from a misunderstanding of the fact that cryptography is a tool with which to approach security (and not security itself). This misunderstanding is deeply entrenched in many other subfields of security, especially software security, where "magic crypto fairy dust" is sprinkled liberally over designs in hope of attaining an easy security solution. Alas, software security is not that easily accomplished. Neither is wireless security.
The Gates memo of January 2002 highlights the importance of building secure software to the future of Microsoft. But software security reaches far beyond shrink-wrapped software of the sort that Microsoft produces. Software has worked its way into the very heart of business and government and has become essential in the new millennium. Software applications will clearly play a crucial role in the successful evolution of wireless systems. This is a critical fact that, to their credit, the authors understand and highlight in this book.
Mature software security practices and sound systems security engineering should be used when designing and building wireless systems. Security measures must be implemented throughout the wireless software development lifecycle, or wireless applications risk running afoul of the same security pitfalls that currently afflict wired applications. The difficulty in constructing a secure wireless system lies in the medium's limitations: Devices are smaller, communications speeds are slower, and consumers are more demanding. These limitations force a trade-off between security and functionality. The trick to sound security is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing.
This book will help.
Gary McGraw, Ph.D.
Trento, Italy
May 2002