Skip to main content /TECH with /TECH

'Off-the-shelf' hack breaks wireless encryption

By Daniel Sieberg
CNN Sci-Tech

(CNN) -- A group of researchers from Rice University and AT&T Labs have used off-the-shelf methods to carry out an attack on a known wireless encryption flaw -- to prove that it "could work in the real world."

The security protocol containing the vulnerability is called Wired Equivalent Privacy (WEP), and it's used to protect local area networks (LANs) employing the 802.11 standard.

WEP contains an algorithm called RC4 that's designed to shield transmissions between a mobile station (for example, a laptop with a wireless Ethernet card) and a base station system.

Several research groups have uncovered a variety of problems in WEP, which is deployed in wireless networks at numerous homes, offices, hospitals and airports.

CNN's Brian Palmer talks with two AT&T researchers who demonstrate the ease of eavesdropping on wireless networks (August 10)

Play video
(QuickTime, Real or Windows Media)

The researchers from Rice University in Houston, Texas, and AT&T performed their recent attack after reading a detailed and highly scientific description of the vulnerability written several weeks ago by Scott Fluhrer from Cisco Systems, and Itsik Mantin and Adi Shamir from The Weizmann Institute of Science in Israel.

Fluhrer, Mantin and Shamir are expected to present certain aspects of their findings publicly at a cryptography symposium next week in Toronto, Canada.

"We show that RC4 is completely insecure in a common mode of operation, which is used in the widely deployed Wired Equivalent Privacy protocol," reads the findings' summation by Fluhrer, Mantin and Shamir -- who is the "S" in the distinguished RSA cryptosystem.

Avi Rubin  

The researchers from Rice and AT&T essentially then applied these technical findings to a "real world" implementation and released a paper with their conclusions on Monday.

"It is a complete and devastating break of the security of wireless networks," said Avi Rubin of AT&T Labs in New Jersey. Rubin led one of the teams that administered the recent attack in only hours after taking a few days to prepare. Rice University's Adam Stubblefield and John Ioannidis also participated.

"Given this attack, we believe that 802.11 networks should be viewed as insecure," the statement reads.

"What we did is important because we proved that virtually all of the wireless networks used by companies and hospitals are completely open and offer no protection for the data on them," said Rubin.

In fact, since the publication of the paper detailing the vulnerability, Rubin says both private companies and several United States government agencies have contacted his office.

Industry group downplays new findings

But the industry group that certifies and promotes the use of 802.11 networks says the Rice University and AT&T report doesn't offer any new information, and that it's already working to solve the problem.

"All the information that exposes the weakness . . . is outlined in the Fluhrer, Mantin and Shamir paper," said Dennis Eaton, vice chairman of the Wireless Ethernet Compatibility Alliance, or WECA. "It (the action carried out by Rice and AT&T) is like somebody following instructions and saying, 'Guess what? It worked.'"

Fluhrer, Mantin and Shamir were part of the development team for the RC4 algorithm, said Eaton, and WECA's relationship with them is viewed as promoting scientific discovery in a cooperative manner.

But he did not have the same opinion of the efforts by Rice and AT&T.

"We've looked at their paper, and there is no new science here," he said. "It's not helpful at all."

Denny Arar, senior editor at PC World  

Eaton says WECA is "aggressively" working to upgrade the security of its networks. But he added that the group has long urged users, especially those who have sensitive information to transmit, to fortify security with measures such as password protections, firewalls, or virtual private networks.

The vulnerability affects only devices with the 802.11 card installed, not the average laptop, cell phone or PDA (personal digital assistant).

"Basically this has to do with people who are in range of the radio, of the antenna and its access point, being able to pick up the traffic that's come to the wireless point and being able to decode it and read it," said Denny Arar, senior editor at PC World.

"So for now . . . people who deal with sensitive data would probably be advised to avoid them as much as possible, especially if they are in public places where people can come within range and grab that stuff in the ether," Arar told CNN.

Common sense required

Both Arar and Rubin say it is important to publicize security flaws such as this as soon as they're found, so users can be conscious of what may be a risky transmission.

Wireless transmissions, by their nature, are hard to secure. Radio signals have been intercepted for nearly a century for military and espionage purposes. Now there's often great concern about the security of medical and financial information, as well as trade secrets.

Wireless technology was developed so workers could move about large corporations without constantly plugging and unplugging their laptops. Its success made the 802.11 technology -- also known as Wi-Fi -- popular for home networks, and later for public spaces such as airports, hotels and coffee shops.

While the security flaws are serious, wireless expert Arar says a measure of common sense isn't too much to expect of users.

"This doesn't invalidate for me the value of a wireless network," she said. "It just means that you've got to be careful about some uses, that's all."

-- CNN Sci-Tech's Marsha Walton contributed to this report.

• AT&T Labs
• AT&T technical report of the WEP attack
• Wireless Ethernet Compatibility Alliance

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top