WECA "a little confused" by wireless security claims

by Guy Kewney | posted on 27 February 2002


Claims by RSA that they have produced a "standard fix" for the security failings of wireless LAN equipment have been rejected by the Wireless Ethernet Compatibility Alliance (WECA). However, WECA does believe that the security problems for wireless LANs are effectively over.

Officials at the industry body that controls the "WiFi" name for wireless Ethernet have conceded that RSA's December claims to have produced an IEEE security standard fix for the WEP vulnerabilities were not correct.

WECA Chairman Dennis Eaton of Intersil conceded that the public perception of what happened when RSA claimed to have launched the fix was some distance from the truth.

"However, although the December announcement was very confusing, I think it's been overtaken by events," said Eaton. "There was a concept called 'rapid re-keying' which they claimed to have embedded into the IEEE standard, but since then, it has dawned on the relevant committees that they could use the 802.1x standard to solve the problem."

Eaton was also dismissive about the importance of these security scares.

"There's been much talk about this 'man in the middle' hack which is supposed to nullify 802.1x," said Eaton, "but in fact, 1x is only vulnerable if used outside an authentication framework. And an authentication framework is what 802.1i will provide; to say that it doesn't work if you don't use an authentication framework is like saying a car engine won't get you to your destination if you don't have a body and wheels."

He pointed out that no matter what vulnerabilities might exist at the chip level for current WECA WiFi devices, most corporate users would never see them. "If you use a virtual private network internally on your corporate LAN, then you simply treat the wireless network as an external network, and you'll be fully protected. Yes, it makes it harder for the home user; but security isn't a one-size-fits-all issue. You have to look at the value of the data. In the case of a home user, it may be highly acceptable to use standard WEP," Eaton suggested.