Wireless security fix may not be as "official" as it seems

by Guy Kewney | posted on 31 January 2002

The 802 committee of the American IEEE standards body may have fudged its fix for the notorious security hole in wireless LAN encryption.

The fix was developed by independent security company RSA, which has been giving the impression that it is an official IEEE standard.

However, installation engineers familiar with IEEE standard-setting say that the fix is temporary, and that the IEEE may well adopt a different standard when it updates the 802.11 specification.

The original announcement, on December 17, 2001 by RSA Security Inc, said that it had "helped create a secure solution for the broken encryption standard in WEP (Wireless Equivalent Privacy) environments."

It went on to state: "The IEEE 802.11 committee has accepted the new 'Fast Packet Keying' technology created by RSA Security and Hifn, a market leader in network security and flow classification."

But a more accurate description may be found in RSA's own Web documentation of the fix. There RSA asks: "Has this solution been approved by the IEEE?" and answers this FAQ with: "The IEEE 802.11 working group has agreed to include this solution as an informative section of the 802.11i document."

The word "informative" does not mean "part of the standard" - in standards language, informative material is non-binding, as opposed to the normative text that an implementation must follow. It merely means that developers are informed that the standard has a "feature" which can be amended in this way if they so choose.

Just how significant this distinction may be is hard to tell. The vulnerability of wireless LANs to hacking is real - it can be done, and has been proven to work. But in the real world, an astonishing majority of WiFi LANs still don't use any security at all. Even the WEP security feature built in is not turned on. Accordingly, it's hard to get too excited about the weaknesses in an unused feature.

The 802 committee is expected to ratify some system of security at some point in the future, and no official word has been sent from the IEEE about which technology will be used for this. It could be that the RSA solution, suitably enhanced, may feature in it - in which case, RSA will be able to claim that nobody has been misled.

Officials of the IEEE 802 committee failed to respond to The Mobile Campaign's requests for comment.