Wireless network industry eyes tighter security

CIOL Bureau
By Sinead Carew and Eric Auchard

NEW YORK: Short-range wireless computer networks, whose endemic vulnerabilities to hackers have become an industry joke, will receive a much needed security boost from new standards to be detailed by a trade group on Thursday.

The Wireless Fidelity Alliance, which represents major communication gear makers, will detail a standard dubbed Wi-Fi Protective Access (WPA) that will replace the notoriously weak security used in today's wireless short-range networks.

Wi-Fi has become popular as a way to connect computers to each other wirelessly within homes, offices and in public places such as airports or neighborhood blocks. Such short-range networks are seen as a low-cost means of filling gaps in long-range networks carrying mobile phone calls.

If and when equipment makers adopt the new standards -- a process that is likely to take some time -- they could help accelerate so-called Wi-Fi networks into far wider corporate use.

"It's hugely important because there have been an ungodly number of stories about how weak Wi-Fi was," International Data Corp. analyst Bob O'Donnell said. Existing Wi-Fi technology uses shared security code arrangements that only allow authorized users to link their computer to a specific wireless network. But once potential intruders figured out this code, they could easily snoop on computers linked to the network. This can be a trivial task for computers with sufficient number-crunching powers to break such codes.

The WPA standard includes more complex codes which are not shared by everyone on a network and these codes will be set to change regularly so that a potential hacker would have less time to figure out the code before it changes again.

Security embarrassment

The security push coincides with a week of demonstrations by grass-roots computer security activists who are collecting a patchwork of data designed to highlight the hundreds of unsecured networks that exist in major world cities. The decentralized event, known as World Wardriving II, is taking place in more than 30 cities around the globe -- from Barcelona, Spain to Seoul, Korea.

Wardriving is a kind of pub crawl for computer hackers. Instead of seeing how many pints of beer they can consume, security professionals and hobbyists walk or drive around town keeping count of how many wireless networks they can invade.

The new standard, which should make such an event more difficult, includes several improvements on today's Wired Equivalent Privacy (WEP) standard, the alliance said.

"Casual tools used today to snoop on wireless networks definitely won't work with the new standard," IDC's O'Donnell added. "It seems like no matter what happens people find a way to hack, but this seems significantly stronger."

The Alliance, which includes a who's who of 180 communications gear makers ranging from Cisco to Agere to Texas Instruments, plans to test the standard during the next few months and expects to certify products based on WPA in February next year.

"We'll see the first certified products in February," Wi-Fi Alliance Chairman Dennis Eaton promised, adding that several companies already have development projects underway based on the standard. But analysts said it would take some time for WPA to be widely adopted even though it will be possible to upgrade existing wireless products to support the new standard.

One drawback is that you cannot mix products using WPA with computers based on existing security, O'Donnell said. "This could be a problem if some people drag their feet on upgrading," he said of networks that mix different security methods. Yankee Group analyst Sarah Kim said that even if companies that focus on business customers adopt the improved standard quickly, the take-up could be slowed down by companies that make consumer electronics.

"I doubt that the majority of low-end equipment manufacturers will adopt the new standard any time soon," she said. Part of the problem is that WPA is taking elements of a security standard that the Institute of Electrical and Electronic Engineers hopes to complete in about 12 months.

The industry wants to improve security as soon as possible for obvious reasons, but companies making consumer gear might wait for the final standard before upgrading, Kim said.

(C) Reuters Ltd.