App protects flawed WLAN security protocol

AirDefense cloaking technique could save retailers and others from large-scale upgrades of embedded or special-purpose wireless gear

New software from AirDefense is designed to protect a widely used but flawed wireless LAN encryption protocol.

The software "cloaks" the encryption key that the Wired Equivalent Privacy (WEP) protocol uses to scramble WLAN data packets. WEP was defined in the IEEE 802.11 WLAN standard, and is part of every 802.11-based device. But in 2001, a serious flaw in its implementation was identified, making WEP encryption easy to break. The new AirDefense cloaking technique could save retailers and others from large-scale upgrades of embedded or special-purpose wireless gear such as portable cash registers, barcode scanners, point of sale terminals and even VOIP handsets.

These legacy wireless devices often run only WEP encryption because of their age or lack of memory and processing power. For various reasons, they often can't be upgraded to more advanced and more secure schemes such as Wi-Fi Protected Access or the follow-on WPA2 with the full set of IEEE 802.11i security features, which were designed to correct WEP's well-known weaknesses.

Yet retailers are under the gun to improve security for such things as credit card and customer data. To protect credit card data, the Payment Card Industry (PCI) data security standard now mandates, among other things, that retailers opt for WPA or WPA2, or at least not rely exclusively on WEP. In many cases, retailers may have to scrap existing gear for new equipment that supports the more advanced security.

"You're supposed to protect cardholder data wherever it's transmitted or stored," says Avivah Litan, a vice president for the analyst firm Gartner, where she specializes in PCI compliance. "It's almost always the wireless LANs that are the weakest link. [AirDefense] is hitting a sweet spot."

AirDefense, a vendor of radio frequency sensors and RF security software, says its patented cloaking technology will sidestep the need for such upgrades.

The idea for WEP cloaking was hatched by AirDefense developers in 2002, and the company filed a U.S. patent application, which was granted in 2006. Actual product development started late in 2006.

The cloaking technique is a kind of jujitsu, in effect using the basic form of a WEP attack against the attack itself.

Attacks on WEP-protected networks have two and sometimes three components. One is a radio sniffer program that uses, say, a laptop's WLAN adapter to collect wireless data packets. Sometimes a companion program lets the laptop inject additional packets into the radio space, which causes legitimate clients and access points to generate more packets.

These packets are then passed through increasingly sophisticated statistical analyzers, known as WEP crackers, such as AirSnort and WEPCrack. Such tools are numerous and freely available online, along with even more numerous, detailed online tutorials on how to use them. The WEP cracker recovers the encryption key, which can be used to unscramble the data packets. With today's tools, the process can take 10 minutes or less.

AirDefense's WEP Cloaking Module creates dummy data traffic that uses different WEP keys from the one being used by the actual WLAN clients and access points.

"We're inserting frames into the air that the attacker thinks are real, and this messes up the statistical analysis of the attacker," says David Thomas, vice president of product strategy for AirDefense. "The attacker can't tell the difference between the product frames from the WLAN and the spoofing frames generated by AirDefense."

Thomas declined to be more specific about what's involved in the cloaking technology.

The idea of generating this kind of "chaff" to confuse attackers is not new, he acknowledges. But that doesn't mean it's easy, he says. "There's a lot of work involved in not disturbing the [enterprise] WLAN, and in addressing the various WLAN environments that are out there," Thomas says.

The WEP Cloaking Module is a software program that loads onto the AirDefense server and then becomes simply one tool in the server's management console. The new module will be available in early April. Pricing is not yet finalized, but Thomas said it will be approximately US$200 to cover a relatively small store or other building. The price will vary depending on the site's square footage and the number of AirDefense sensors needed to cover it.
