AT&T Labs, Rice hack AirPort encryption

updated 07:30 am EDT, Mon August 13, 2001


Two veteran researchers at AT&T Labs and several students at Rice University used "off-the-shelf" hardware to develop software that exploits a wireless encryption flaw in the 802.11 standard, which is used in Apple's AirPort and various other wireless LAN solutions, according to CNN. "Given this attack, we believe that 802.11 networks should be viewed as insecure," reads a statement from the researchers.


by MacNN Staff


Comments

  1. mac-pc harmony

    Fresh-Faced Recruit

    Joined: Aug 2001

    0

    What about SSL?


    While the researchers were able to exploit known weaknesses within the WEP standard, does it mean that data that are encrypted PRIOR to being transmitted (e.g. SSL or other web-based security protocols) are also non-secure? For example, with medical records, many systems use 256-bit encryption keys to encode all data before it is transmitted over the internet; whether the medium is a standard land-line network or a wireless 802.11b network is irrelevant. I suspect in such cases, the lack of security offered by WEP is not important, as the 40-bit encryption keys are redundant anyway. Can anyone answer this question with some certainty?

  2. eggboard

    Joined:

    0

    SSL is fine

    SSL, SSH, and other protocols that encrypt data before transmission are just fine. WEP encrypts data as it leaves the wireless adapter on a PC or handheld and decrypts it when it arrives at the receiving hub or adapter. Just like with Ethernet, dial-up, etc., anything encrypted at a higher level isn't susceptible to attacks below it. SSL is a negotiation that happens across a TCP/IP network; the data is strongly encrypted. This data would then be sent over the network, where WEP would encrypt it with its own methodology.

    The point of WEP is to keep casual snooping away because 802.11b is easy to sniff and grab packets from. If you use a public 802.11b network, such as MobileStar at Starbucks, your POP password and account (as well as email and all Web viewing) are sent in the clear. Their network uses SSL to set up an account and register (safe), and then an open, unprotected network (no WEP even) for use.

    I just installed an SSL-savvy POP server on my sendmail Linux box to avoid sending my password in the clear. You might also consider APOP (which restricts passwords to just email rather than a whole system), Kerberos, or SSH tunneling with F-Secure and anonymizer.com.
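
The layering described in the reply above, as an added example (not code from the article, the commenters, or the researchers): a simplified WEP encapsulation is stripped by an observer who holds the WEP key, once over a cleartext POP3 login and once over the same login already encrypted at a higher layer. The keys, the POP3 line, and the use of RC4 with a separate 128-bit key as a stand-in for an SSL record layer are assumptions made for illustration.

```python
import os
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(wep_key: bytes, payload: bytes) -> bytes:
    """Link layer: 24-bit IV and key-id byte, then RC4(IV || key) over payload + ICV."""
    iv = os.urandom(3)
    return iv + b"\x00" + rc4(iv + wep_key, payload + icv(payload))

def wep_decapsulate(wep_key: bytes, frame: bytes) -> bytes:
    """What any holder of the WEP key recovers from a frame."""
    body = rc4(frame[:3] + wep_key, frame[4:])
    payload, received_icv = body[:-4], body[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch")
    return payload

def exposure_demo():
    """Return (original, seen without upper layer, seen with upper layer, endpoint view)."""
    wep_key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    session_key = bytes(range(16))             # constructed upper-layer key, never sent over the air
    pop_command = b"PASS hunter2\r\n"          # constructed POP3 login line
    clear_frame = wep_encapsulate(wep_key, pop_command)
    tunneled_frame = wep_encapsulate(wep_key, rc4(session_key, pop_command))
    seen_clear = wep_decapsulate(wep_key, clear_frame)        # link layer stripped
    seen_tunneled = wep_decapsulate(wep_key, tunneled_frame)  # link layer stripped
    return pop_command, seen_clear, seen_tunneled, rc4(session_key, seen_tunneled)
```

With the link layer removed, the unprotected login is readable as sent, while the tunneled login is still ciphertext that only the endpoint holding the session key can open.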
