I know some guys who think it's cool to drive around the San Francisco financial district with a bunch of computers in the back seat, sucking down emails and web pages that fly over poorly-secured wireless networks.

If encryption is turned on, it gets rid of the casual surfer. But even when the built-in security is configured properly, these guys can break through in as little as a few hours.

The wireless networks they are abusing were not installed by careless or stupid people, just by folks who believed the writing on the box and trusted the standards bodies and manufacturers.

This means that these network administrators are now stuck trying to figure out how to graft some sort of meaningful security onto an inherently insecure infrastructure.

The first thing we can take away from this is a fundamental lesson about the foolishness of allowing standards bodies to cook up their own security schemes without significant public input, and then burning that standard into silicon.

Wired Equivalent Privacy (Wep), is the standard 'security' for the most widely deployed wireless network flavour, 802.11b. Cooked up by a group of volunteer IEEE members, Wep was not subjected to a significant amount of peer review.

Once Wep was widely deployed, cryptographers practically fell over each other in their attempts to discover flaws in the protocol.

The first set of problems with Wep were discovered by a group of computer science grad students up the road from me at UC Berkeley, the same group of security wonks who have found security holes in everything from early versions of Netscape to GSM telephones. Based on the numerous theoretical holes in Wep, a smart-alec programmer created AirSnort, a utility that does pretty much what you would expect something called AirSnort to do - it vacuums down wireless packets until it is able to break Wep encryption.

After Wep was conclusively demonstrated to be ineffective, some manufacturers of wireless hardware scrambled to deploy improved security.

Most, like Cisco, decided to support encryption and authentication at the wireless link layer using variants of a standard called EAP. Others, such as Colubris, have moved to embedding IPSec VPN support in their wireless access points, which provides software-based authentication and encryption at the IP layer.

The good news is that these manufacturers seem to have learned from this experience and are basing their new solutions on protocols that have undergone more scrutiny than Wep had before it was deployed. The bad news is that differing approaches to solving this problem appear to be fragmenting the market, as most of these products are not interoperable.

Worse yet, low-end manufacturers such as Linksys are oblivious to the problem or just don't care. A 'security addendum' on Linksys' web page focuses entirely on how to configure Wep encryption and fails to mention the possibility that it might not be completely secure. Users are on their own to discover that, if they care about security, they should also be running a VPN over their wireless network.

It is tempting to blame the hackers, the cryptographers, or the annoying 'utility' programmers, but that won't accomplish much.

Ultimately, product manufacturers have the responsibility to follow a set of simple rules: A. If possible, use an established, thoroughly reviewed, protocol; B. If you have to develop a new protocol, let the cryptography community have a really good whack at it before you deploy it; and C. Don't put new protocols in silicon until you know they really work.

Comment on this article