Category: hardware and networking

How can an ISP not be up to date on security?

Posted by – September 27, 2008

A few days back I blogged about wireless security becoming a prominent issue in India. In that post I essentially defended the ISPs, on the grounds that they could not be expected to ensure the security of all the domestic routers that connect to their network.

I received a document in the mail today from my ISP explaining the steps I need to take to secure the WiFi network. While it contained a number of useful suggestions, this one completely surprised me. Here’s a snapshot from the document.

WEP?

Just to feel a little more confident (or otherwise) about the suggestion, let’s review what some other sources say about WEP.

Wikipedia: Wired Equivalent Privacy

Beginning in 2001, several serious weaknesses were identified by cryptanalysts with the result that today a WEP connection can be cracked with readily available software within minutes.

Microsoft: Improve the security of your wireless home network with Windows XP

64-bit WEP (Wired Equivalent Protection). The original wireless encryption standard, it is now outdated. The main problem with it is that it can be easily “cracked.” Cracking a wireless network means defeating the encryption so that you can establish a connection without being invited.

The authors of one of the more important studies (circa 2006), “Intercepting Mobile Communications: The Insecurity of 802.11”, state on a summary page, “Security of the WEP algorithm”:

We have discovered a number of flaws in the WEP algorithm, which seriously undermine the security claims of the system. In particular, we found the following types of attacks:

  • Passive attacks to decrypt traffic based on statistical analysis.
  • Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  • Active attacks to decrypt traffic, based on tricking the access point.
  • Dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.

Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network.

Note that our attacks apply to both 40-bit and the so-called 128-bit versions of WEP equally well. They also apply to networks that use 802.11b standard (802.11b is an extension to 802.11 to support higher data rates; it leaves the WEP algorithm unchanged).

Moreover, the document refers to only one particular router configuration. So if the consumer (who is unlikely to be savvy about hardware configuration) owns a different router model, he has to work out for himself how to configure it from instructions written for another router.

So WEP has been known to be insecure since 2001, and yet this is the advice going out to home owners from the ISPs. This is somewhat scary. When the agencies that are probably the most likely educators in the realm of security are themselves offering such solutions, implementing security is indeed going to be tough.

Suggestion: Can all the ISPs in India get together and create a security-related site, and list the configuration steps for all the major models being sold in India? (And please hire a consultant who makes sure suggestions such as WEP aren’t made.)

The original full document containing the suggestions can be found here.

Should WiFi routers be required to mandate strong authentication?

Posted by – September 17, 2008

An interesting technology-related issue has cropped up in India recently, especially in the context of what is being suggested as apparent misuse of unsecured WiFi networks by terrorists.

To sum up, there seems to be some evidence of terrorists using unsecured WiFi networks. This has led to a situation where the Telecom Regulatory Authority of India (TRAI) seems to be requiring that all wireless networks be made secure and is directing the Internet Service Providers to ensure this for all such networks connected to the internet. The ISPs claim (quite reasonably in my opinion) that they are unable to ensure this, since people may connect PCs in their homes via WiFi routers, and the ISPs cannot monitor the status of such routers, which are under the control of the respective families. More information on this issue here: TRAI plans to prevent WiFi abuse. There is also a thought to declare all unsecured networks illegal, which IMHO places a tremendous burden on families, especially those who may not be as computer savvy.

There clearly are competing interests here:

(a) The government needs to ensure that all internet traffic is traceable. There might be a number of privacy concerns here, but these are perhaps not relevant in this context, since there already seems to be sufficient infrastructure to trace traffic to IP addresses. What seems to be missing is traceability to the party actually using the connection, given that anyone can apparently easily use an unsecured wireless network connected to the net.
(b) Many families may have installed such WiFi routers for convenient access to the net from their homes. They may not in all cases be sufficiently educated to understand the necessity of securing their domestic WiFi networks, or how to do it. Besides, declaring unsecured networks illegal may make it necessary to give every family sufficient education on how to secure the network. (The current proposal seems to put this onus on the ISPs.)

While the following suggestion is unlikely to help the currently installed base of WiFi routers, here’s a thought. Can we not mandate that each such WiFi device require some minimum form of reasonably strong password verification before allowing WiFi-based routing (i.e. one can still connect to the device to set the password in the first place), and build this requirement into the firmware of each device (i.e. there should be no reasonable way to bypass it)? In other words, when no password has been set, such devices will implicitly disallow any WiFi-based networking except between a PC and the router itself (that connection needs to be allowed so that the password can be set to some basic minimum required strength). It could then perhaps make sense to declare devices which do not conform to these norms as not valid under the law. Moreover, it is likely that current WiFi router providers could be required to issue a firmware upgrade for their existing models where such upgrades are feasible.
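A minimal model of the gate proposed above, as an added example that is not from the original post or from any vendor's firmware. The `RouterPolicy` class, the admin address, the length thresholds and the weak-password list are all assumptions made for illustration.

```python
import ipaddress

# Assumed policy values (not from the post). WPA2-PSK passphrases are 8-63
# printable ASCII characters; this sketch asks for more than the bare minimum.
MIN_LEN, MAX_LEN = 12, 63
WEAK = {"password", "admin", "12345678", "changeme"}  # constructed sample list


def passphrase_problems(candidate, ssid):
    """Return the reasons a candidate passphrase is rejected (empty = accepted)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not all(32 <= ord(c) <= 126 for c in candidate):
        problems.append("printable ASCII only")
    lowered = candidate.lower()
    if lowered in WEAK or (ssid and ssid.lower() in lowered):
        problems.append("matches a default or contains the network name")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("use at least three of: lower, upper, digit, symbol")
    return problems


class RouterPolicy:
    """Hypothetical firmware gate: no Wi-Fi routing until a passphrase is set."""

    def __init__(self, admin_ip, ssid):
        self.admin_ip = ipaddress.ip_address(admin_ip)
        self.ssid = ssid
        self.secured = False  # factory state: setup mode

    def set_passphrase(self, candidate):
        """Leave setup mode only if the candidate passes every check."""
        problems = passphrase_problems(candidate, self.ssid)
        if not problems:
            self.secured = True
        return problems

    def decide(self, dst_ip, client_authenticated=False):
        """ALLOW or DROP one frame arriving on the wireless interface."""
        if not self.secured:
            # Setup mode: the client may reach the router itself, nothing else.
            return "ALLOW" if ipaddress.ip_address(dst_ip) == self.admin_ip else "DROP"
        # Secured mode: only clients that proved knowledge of the passphrase.
        return "ALLOW" if client_authenticated else "DROP"
```

A rejected passphrase leaves the device in setup mode, so a weak choice never opens routing.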

It’s an interesting situation where the common good needs to be balanced against that of individuals. This is probably not the only solution. Maybe such WiFi devices already exist and I simply haven’t been following the space closely enough. I am also certain that strong password authentication is only a start and that there are possibly other measures to secure the networks further, but at least it’s a start which is unlikely to be controversial from either a user’s or a vendor’s perspective. Maybe there are other solutions. While the issue is currently being debated in India, it’s probably relevant to all corners of the globe. Any thoughts?