Interview with Jon Edney, author of “Real 802.11 Security”

Jon Edney specializes in wireless networking and is a key contributor to the development of IEEE 802.11 systems. As a member of the technology consultancy Symbionics Networks, he deployed the first low-cost 802.11 designs.

In 1996, Edney co-founded InTalk, Inc., the first IEEE 802.11 company to develop WLAN access points. After InTalk was acquired by Nokia Corporation, he focused on the application of Wi-Fi to public access networks. He is an active member of the IEEE 802.11 TGi security group.

How did you get interested in wireless security?

I’ve been involved in IEEE802.11 since the early days. In the early 1990s there was hardly more than a roomful of people involved in the standards work – now there are more than 500 people at every meeting. In those days the applications were specialized and small scale, but some of us could see the potential for the technology to challenge Ethernet. The first requirement was to get to 10 Mbps (the original standard was only 1-2 Mbps). The second issue was security. Every customer was concerned about security and, quite frankly, a lot of bunk was talked on the issue. There was no real security in the original standard. Everybody knew that WEP was only a lightweight privacy protocol because with the short key (40 bits) it was open to brute force attack. The intent, even at that time, was that if you needed “military grade” security you had to add this on top. The problem really set in when vendors started marketing “128 bit” security. They lengthened the key but did not look at the protocol to see where the other weaknesses were. It raised expectations among customers that could not be achieved in practice. In my opinion it was the introduction of “128 bit” WEP keys that created a problem – something that was never adopted by the official IEEE802.11 standard.

When the weaknesses of WEP became public and the IEEE802.11 standards group opened up a task group on security, I welcomed the opportunity to sign up. There were only about 10 people in the early meetings but this grew to 70 or 80 people at the peak. Security is a fascinating subject embracing advanced mathematics, systems analysis, lateral thinking and plain cunning.

How long did it take you to write “Real 802.11 Security: Wi-Fi Protected Access and 802.11i” and what was it like? Any major difficulties?

It took about one year to write the book and another six months to get it polished and into production. Different writers have different styles. My approach is to set a word goal to be accomplished every day – mine was 1000 words a day, seven days a week. I didn’t make it – I averaged about 700! As you might expect the main problem was describing a moving target. In order to be as up to date as possible I had to write the book while the standard was progressing. Sometimes things would change direction. I had to throw away half a chapter when AES/OCB mode was dropped as the mandatory cipher for RSN! In the end the book as published is pretty close to the final draft of the standard. There have been a few tweaks since publication but nothing that really changes the picture.

What are your favorite tools for dealing with security when it comes to wireless networks and why?

Well up to now there have not been too many options. At home I turn everything on that I have. I run WEP and I also use MAC Address filtering. It wouldn’t keep out a determined attacker but I think it keeps out the neighbors. At some point I’ll upgrade my home stuff to IEEE802.11g and finding cards with WPA will be a priority.

The simplest solution for business use is to keep the access points on separate wiring and run the connection through a firewall to a VPN server. It’s a pain. You can see why people are itching to get the new full grade security solution so that they can safely put the access point where wiring already exists.

Despite the insecurities of 802.11, the number of wireless networks is growing rapidly. What should be done in order to raise awareness of wireless security problems?

There are really two classes of problem here. The first is in corporations where the IT staff is fully aware of security risks and takes careful protection measures, but employees drive a dump truck through the protections by installing an unauthorized wireless LAN. This can be a particular problem in companies that have lots of small branches and offices. All it takes is a proactive manager to go and buy an access point at the local computer store and connect it where his PC used to plug in, and you have a breach. Furthermore, it’s one that is almost impossible for the IT department to detect. The solution here is education by the corporation – education, not just rules. People tend to ignore rules because they think the IT departments are “control freaks”. But if they understand the dangers they will cooperate.

I said there were two classes of problem. The second class is home users. This is more difficult because we are not in a position to educate, and people have a strong tendency to think that bad things only happen to other people. Many, many people install wireless LANs with no security and default settings on the access point. I think that most people are actually aware that the wireless signal could be intercepted but they probably don’t care that much – they may not feel their web browsing activity is that important to keep secret. I think fewer people realize that the wireless LAN is potentially an open door to their computer. Even fewer think about the consequences of letting a stranger use their broadband access to the internet. People use the Internet for illegal purposes – probably more than you realize. Law enforcement is getting better at tracing and tracking illegal net activity. The solution is to find an unsuspecting sucker and use their internet connection so that the FBI (or whoever) will trace the illegal activity back to their account. It’s not to say that they would end up in jail, but most people would not want to be used in this way. I think if these sorts of dangers were more publicized people at home would rush to turn security on.

A significant part in the process of developing wireless networks is ensuring that the data on wireless devices is secure. What do you see as the biggest threats to that security?

I’m not sure what you’re driving at here. Maybe you refer to the security of the data while stored on the wireless device, as opposed to “in transit”. Of course this is a problem that applies equally to both wireless and wired devices. I suppose mobile devices are more vulnerable because they are more easily stolen or lost. There is clearly an argument that says information should be encrypted at source and decrypted only when used. In other words it would remain encrypted while stored on the device and only be decoded when the application needed to access it. In the extreme, the decryption would occur inside the microprocessor so that it could never be accessed out of context. I believe there are some ideas going forward in this area. In such a case it might be argued that security is no longer needed for the wireless links but, in practice, there are attacks other than on data content which need to be defended. I think you’ll still need separate wireless security for the foreseeable future.

Warchalking, Wardriving, Warspamming – these are just some of the terms we see frequently in the news. Do you see these actions as a real problem or is it just the media making things bigger than they are?

Well, far be it from me to suggest that the media exaggerate things! These attacks are real and go on every day. But I have to say I’ve never seen anyone walking round my district with a laptop and a piece of chalk. For me, the novelty of war driving could wear off pretty quick. These days there are so many Wi-Fi networks out there, and so many of them are unprotected, you probably don’t need to drive anywhere. Chances are your neighbors are already open for business! This is the problem we need to address.

What are your predictions for the future when it comes to wireless security? There has been a lot of talk about the insecurities of the Wi-Fi Protected Access (WPA) security standard.

I have a lot of confidence in WPA. There has been press recently about a potential dictionary attack under some conditions. In essence this says that if you choose a bad password (or key) to protect your system you may be vulnerable to dictionary attack. So what’s new? The same applies to security systems the world over. If you choose a password like “Redskins” then a dictionary attack is bound to find your password. You can foil dictionary attacks by limiting the number of tries an attacker can make, but at the end of the day the solution is to pick good passwords! I’m not aware that there is any unexpected security weakness in WPA and it has been reviewed by the world’s best. I think the issue has been sensationalized.

The future? Well, I think we need to work towards a generic security model across all network systems. The problem up to now is that security has been developed in islands. This is partly due to the separation of the IETF and IEEE organizations. There is a big feeling with everyone that all the standards need to hang together as a whole to ensure effective and secure deployment.

What are your future plans? Any exciting new projects?

Keep an eye on the work of task group ‘e’ – quality of service. It’s a long time coming but could do some interesting things. My company consults on a range of IEEE802.11 related areas – check out