Guide To Wireless Security: Wi-Fi Anxiety
Lock up your laptops. Secure your airwaves. In the wide-open world of wireless, it isn't easy to keep out intruders.
For Kanawha County, West Virginia, the hacker's attack last December was a wireless nightmare. From a car parked outside the county courthouse, a silent intruder used a laptop with a wireless modem to ride the radio waves straight into the county's computer network. With a couple of keystrokes, he had seized control of the e-mail account of Kent Carper, one of the county's three elected commissioners, and sent county staffers a series of false and potentially damaging messages. He asked staffers to cut a $75 million check. Then, in an act of sheer bravado, the hacker took his tools inside the courthouse lobby, sat down between two state troopers and zipped off more bogus messages.
Nobody noticed a thing.
Fortunately this hacker meant no real harm. In fact, Kanawha officials paid him for the service. They wanted to find out how vulnerable their computer network, which included some snazzy new wireless components, was to attack. The answer--very vulnerable-- forced the county to shut down the wireless portions of its network. Wireless networking, it seemed, left all the data in the county's computers free for the taking. "Wireless security? I call it wireless insecurity," says the real Kent Carper, who ordered the hacking test done. "It's like leaving the doors to the county courthouse unlocked at night."
Wireless networks and gadgets are sweeping state and local government, but so is panic about wireless security. To be sure, the threat of hackers invading government networks is nothing new. But the new technology gives hackers, or "whackers" as wireless hacks are sometimes called, lots of new options. They can try to pluck sensitive government information literally out of the air. They might steal an employee's laptop or personal digital assistant for a front-door entrance into a network. Or they can wiggle the knobs of a number of wireless back doors, as Kanawha County's friendly hacker did. "You have to be really careful deploying wireless," says Tony Rosati, vice president of marketing at Certicom, a vendor specializing in wireless security. "The whole motivation for going wireless is better connectivity, but it gives that connectivity to everyone, including hackers."
Wireless worries among state and local agencies are so severe that many are holding back until a new generation of products comes out with stronger security features. They are following the lead of the federal government, which seems squeamish about using wireless, especially where national security concerns are at stake. The Pentagon in September extended a moratorium on the use of wireless devices for holding or transmitting classified information, citing the "exploitable vulnerabilities" of wireless technology. That finding was echoed by a November report from the National Institute of Standards and Technology, which recommended government agencies take a cautious approach to wireless security. "The technology's underlying communications medium, the airwave, is open to intruders," the report said.
Still, a growing number of state and local agencies feel confident they can keep the whackers out. And in any case, they're finding that the benefits of going wireless are well worth the risk. Police departments are starting to beam digital mug shots and fingerprints over the radio waves to laptops in squad cars. Auditors and inspectors are using PDAs to file reports from the field. Utility workers are using networked laptops to view maps on the scene during water main breaks. In all these cases, wireless offers a big productivity advantage: It saves mobile workers the hassle of making trips between the office and the field.
Wireless isn't just for field staff, though. It's increasingly popular in the traditional office environments of state buildings, courthouses and city halls. Even simple off-the-shelf hardware gives workers the freedom to haul their laptops to a conference room, for example, without having to plug in for Internet access or network connectivity. It's more than convenience that makes wireless local area networks, or LANs, attractive. Wireless hardware can prove much cheaper than lacing miles of cable through walls and under floors. And in historic buildings such as statehouses, where drilling holes through marble walls might prove difficult (or even illegal), wireless is sometimes the best networking option available.
Yet it is exactly this sort of in-the-office wireless that has the worst security track record. While "Wi-Fi" technology, also known commonly as 802.11, is usually intended for users inside a building, it also broadcasts the wireless signal out onto the street. Anyone can sniff out the location of a wireless network using commonly available programs with such odd names as "Airsnort" and "Netstumbler." It is a familiar game among computer geeks to take a laptop in a car on so- called "wardriving" trips around a city to find where these networks are. This is how the Kanawha hacker broke into the county's system so easily from the parking lot.
Wi-Fi equipment generally comes with security features, but some users simply forget to turn them on. Even when on, however, the security built into the current generation of basic Wi-Fi devices is so weak that any amateur can crack it. Unless information technology managers proactively layer in additional security features, hackers can somewhat easily gain carte blanche access to anything on the network. Not only can they steal sensitive government information, plant viruses and corrupt databases, but they can also pirate the government's systems to launch attacks on somebody else's computer network. Such an attack would falsely appear to be the work of a government employee rather than the hacker. "By default, these things are highly insecure," says Steven Jones, director of technology in Blacksburg, Virginia, where city officials have been using a wireless LAN to do some employee training. "You really need to put some time and energy into researching how to secure them."
The good news is that not all wireless devices are riddled with so many security holes. And the ones that are can be made secure enough to keep all but the most sophisticated hackers out. It takes some effort, though. Wireless networks require meticulous planning and relentless follow-up on the latest threats to break-ins and the newest methods for beefing up security. It's also a good idea to enforce strict policies about the laptops and handheld computers floating around in employees' hands--whether they're government-issue or not. "It's a matter of deterrence," Jones says. "You want to make your network difficult enough to break into that an intruder will say, 'The heck with this; I'll try someone else.'"
Some of the earliest Wi-Fi adopters in state and local government were legislatures. Not long after the Internet became popular, lawmakers demanded the ability to tote laptops around their capitol buildings and log on without a wire. But they don't like to discuss their security policies with outsiders, fearing that hackers might game any hints to their advantage. "The first element of our security policy is that we won't share, publish or make available the details of our security policy," says Michael Adams, director of legislative information services for the Colorado General Assembly.
In Florida, Sean Johnson, the IT director for the Florida House, agrees to speak with a reporter about security--and only at the most rudimentary level--only after verifying his identity. "We're really concerned about 'social engineering' attacks where hackers call us posing as someone they're not and ask a lot of questions," Johnson says.
One reason why wireless LANs are a security problem is that they're not very complicated to set up. The basic off-the-shelf technology is pretty cheap. Laptop users must install a special wireless modem, while handheld computers usually have these built in. The modems send signals back and forth to a box, called an "access point," that connects directly into the network. Access points have a range of about 300 feet and can both transmit and pick up radio signals through walls. Setting up a statehouse for wireless access requires scattering a half-dozen or more access points throughout the building.
Securing a wireless LAN, Johnson says, happens at a number of different levels. First there's authentication. Wireless laptop users have to enter an ID and password to log on, just as they would on a wired network. Next, the data being passed between the laptops and the network is encrypted, so that even if it is plucked out of thin air, it won't be easily readable. Finally, there's a security layer with the wireless computers themselves: Each machine has a unique identifying number. If a lawmaker loses a laptop or it is stolen, Johnson can lock the machine out from accessing the network.
There's more. Any hacker attempt to cut through these security layers would show up on an "intrusion detection system" that Johnson's staff uses. And on the off chance an intruder gets through, he won't find much: Data on the wireless network are kept separate from the legislature's internal network. "Even if a hacker is smart enough to get through all those layers of security, he's only into the wireless part," Johnson says. "That's still bad, but it's nowhere near as bad as if he's into the rest of the network."
RISING TO THE CHALLENGE
Florida is reaching well beyond the notoriously weak security features that come with off-the-shelf equipment. Their system uses 128-bit encryption, which makes it much harder to intercept and descramble data than usual. The trouble with Wi-Fi comes when users rely on the technology's weak security--or forget to turn it on in the first place. Another problem: "rogue" access points. Wireless technology is so cheap now that tech-savvy employees might be tempted to buy it and install it themselves in their offices or cubicles. Such a setup can jeopardize a government's entire network without the IT staff even knowing about it.
Publicized examples of attacks on government systems are rare but not unheard of. For example, the civil courts in Harris County, Texas, were experimenting last year with using Wi-Fi to connect computer systems in two buildings. A former courts employee, who went on a wardriving mission around Houston, sniffed out the wireless network and found it was easy to break into. The hacker, who insists he had no malicious intent, pointed out the vulnerability to the county's IT director.
It's likely that Wi-Fi worries will fade as industry groups work out new security standards and a new generation of wireless products hits the market. Does this mean that agencies that are itching to use Wi-Fi now should wait? Not necessarily. It just means that they have to be extra diligent about layering in additional security features. And they must understand that managing a wireless network comes with considerably more challenges than a wired one. "Today's security is tomorrow's hole," says Colorado's Michael Adams. "We're constantly battling new developments in wireless security that come up."
PLAYING THE ODDS
Talk with Terry Lowe and you'll get the impression that wireless anxiety is overblown. Lowe is the systems project manager in Lincoln, Nebraska, where municipal employees are getting hooked on Palm Pilots. Animal control officers use them to help locate owners of lost dogs. Parking enforcers use them to cross-check for unpaid parking tickets. Cops use handhelds to run license plate numbers and search for outstanding warrants. Even arborists use them to update databases showing the condition of city trees.
As Lowe sees it, the first step to wireless security is assessing risk. In Lincoln, the bulk of the data that city employees pass through the airwaves is public information anyway. So the city took steps to tailor wireless security to each agency, depending on the sensitivity of the information. "Take sidewalk inspection data," Lowe says. "If someone wants to snatch that out of the air, more power to him. We just don't see risk in that."
Lincoln's handhelds, like many wireless devices on the market, have robust encryption systems built in. They meet a standard known as FIPS 140-2, which NIST recommends for government users of handheld devices. In addition, since Lincoln's Palm applications are Web-based, all transactions run through a secure Web server.
Perhaps the biggest security problem with handhelds is that they are small enough to lose easily. According to University of Maryland marketing professor P.K. Kannan, who co-wrote a paper on mobile government, 80 percent of wireless security breaches happen when wireless devices are lost or stolen. Lowe has a solution for that, too. He keeps an inventory of serial numbers for each Palm in use. If an employee reports one lost or stolen, Lowe can block it from accessing Lincoln's network.
THE WEAKEST LINK
Police officers have been using laptops in squad cars to search criminal databases and do other simple tasks. Now departments are turning to a new generation of high-speed wireless networks that can send data-rich pictures through the airwaves. But there are security concerns. "The evolution toward automated, computer-controlled communications systems makes the threat of a system hacker more pressing," says a guide to communications security produced by the Public Safety Wireless Network, a federal initiative. "Depending on the system's features, hackers may infiltrate the system and reprogram radios, change security keys or reassign talk groups to different channels."
Police in Denver are testing a snazzy new wireless system where cops in their squad cars can use laptops to pull down mugshots, fingerprints, GIS maps and even detailed aerial photographs. The police officers can also receive and send e-mail from the field, something they couldn't do before. "Anything available to officers on their desktop is now available on the street," says tech chief Lieutenant John Pettinger, who is confident that his department has plugged the security holes.
Denver is using a service called Ricochet, which for many municipalities across the country is a name that echoes from the dot- com past. Ricochet runs on a network of transmitters hung mostly from streetlights, the leases for which a company called Metricom had negotiated with cities in 21 metro areas. Metricom later went belly- up, but in a fire sale, Denver-based Aerie Networks snatched up rights for the Ricochet network. Aerie is now negotiating with cities to light up the network again, so that it can sell service to private customers. And depending on the circumstances, the company is offering many cities free wireless access in exchange for using the light posts.
Denver was the first city to get Ricochet back on line (San Diego is the only other so far). It negotiated for 1,000 unlimited-access accounts, with modems, for free. The city is still figuring out how to divvy up the treasure trove among agencies, but police officials hope to have high-speed service in each of the city's 400 squad cars within months.
Pettinger seems unconcerned about security. The Ricochet signal does something called "frequency-hopping" from one light pole transmitter to the next, making it nearly impossible for hackers to grab data in mid-air. Ricochet also agreed to program the transmitters so that police data travel the airwaves in a different path than that of other private subscribers. Finally, Denver is using an encryption tool known as a "virtual private network," which industry experts agree only the most sophisticated hacker could crack.
Perhaps the greatest security risk is when cops stop for a break. They are prone to leave their squad cars unlocked when they dash in to buy coffee. Denver cops have had radios and shotguns stolen from their cars before. Are the laptops vulnerable? Pettinger has the ability to shut a lost or stolen machine out of the Denver Police computer network. Plus the thief would need to have--besides a ton of gumption- -the cop's user name and password. "Whenever you bring information out to people, you get more risk," Pettinger says. "But I think it's a manageable risk. Given the benefits officers are telling me they get from this, it's well worth it."