IS YOUR WLAN SECURITY OUTDATED?
By: Russ Michel
In 2008, a team of German graduate students documented and demonstrated a proof-of-concept exploit that cracked TKIP (Temporal Key Integrity Protocol). TKIP
is one of the available methods for encrypting traffic on a wireless network, and is widely utilized in healthcare facilities worldwide. TKIP was developed as a
component of an interim quasi-standard known as Wi-Fi Protected Access (WPA), which was released in 2002. WPA was the replacement for Wired-Equivalent Privacy
(WEP) after significant flaws were revealed in WEP, the prevalent WLAN security mechanism at the time.
The news of this exploit of TKIP, called the Beck-Tews attack, caused some outcry in the Information Security community, but that quickly quieted as it became
apparent that the exploit worked only under very specific conditions. It could only crack a single packet (or only certain types) at a time, and each packet
required 12-15 minutes to break. In effect, the exploit was determined to be impractical in actual use, and it became accepted as more of an academic study than a
real-life issue.
In late 2009, a pair of university researchers in Japan published details of a faster, simpler, and much more practical implementation of the Beck-Tews attack.
Known as the Ohigashi-Morii attack, it can break TKIP packets in approximately 1 minute, it works in a much wider spectrum of WLAN configurations, and it can be
effectively utilized as a man-in-the-middle attack in near-real time.
News of the Ohigashi-Morii attack created quite an immediate stir in the IT media and InfoSec communities, but once again, the panic faded. However, many VCS
clients and consultants still receive inquiries about the risk of the Ohigashi-Morii attack.
As with all such events, IT managers and staffers must assess the effective risk versus the cost and effort to protect from an exploit or vulnerability.
Effective risk assessment must factor in, among many concerns, the potential for damage to continuity of operations, loss/theft of sensitive company information
(and in the healthcare industry, ePHI), as well as the likelihood of actually being subjected to an attack. For the majority of healthcare organizations, VCS
considers the Ohigashi-Morii attack to be of low-to-moderate practical risk.
So, what can be done to mitigate the risk of the Ohigashi-Morii attack? As previously stated, TKIP was only intended as an interim measure until a new standard
could be promulgated. That standard, IEEE 802.11i, was ratified in late 2004. 802.11i incorporated the Advanced Encryption Standard (AES) with CCMP to provide a
robust WLAN security suite, and is commonly known as WPA2. AES has no known realistically-exploitable vulnerabilities. The obvious answer is to eliminate the
use of TKIP by employing WPA2-based security methods to the maximum extent possible. Many hospitals today have refreshed WLAN client devices so that few older
non-WPA2-compliant devices remain in service; but in many cases, hospitals continue to rely heavily on mixed WPA/WPA2 environments, and in some cases, even WEP
still exists. Efforts should be devoted to retirement of any devices lacking 802.11i/WPA2 support, and to migration of capable devices to 802.11i/WPA2. Coupled
with a standards-based 802.1X Extensible Authentication Protocol (WPA2-Enterprise mode) or a strong passphrase (WPA2-Personal mode), exclusive use of WPA2 offers
the most effective solution to a secure wireless LAN.
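One way to find access points that still offer TKIP or WEP during such a migration, as an added example that is not from the original article or from VCS: it parses the RSN (WPA2) and WPA information elements of a beacon and reports legacy ciphers, including TKIP used as the group cipher in mixed WPA/WPA2 mode. The function names and the sample element bytes are constructed for illustration.

```python
import struct

# Cipher suite types shared by RSN (OUI 00-0F-AC) and WPA (OUI 00-50-F2) selectors.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
LEGACY = {"WEP-40", "WEP-104", "TKIP"}

def cipher_names(body):
    """Group + pairwise cipher names from an RSN/WPA body (starting at Version)."""
    if len(body) < 8:
        raise ValueError("truncated security element")
    (count,) = struct.unpack_from("<H", body, 6)
    if 8 + 4 * count > len(body):
        raise ValueError("pairwise cipher list overruns element")
    selectors = [body[2:6]] + [body[o:o + 4] for o in range(8, 8 + 4 * count, 4)]
    return {CIPHERS.get(s[3], "other") for s in selectors}

def offered_ciphers(ies):
    """Walk tag/length/value elements; collect ciphers from RSN (48) and WPA (221)."""
    found, pos = {}, 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        value = ies[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("element overruns frame")
        if tag == 48:
            found["RSN"] = cipher_names(value)
        elif tag == 221 and value[:4] == b"\x00\x50\xf2\x01":
            found["WPA"] = cipher_names(value[4:])
        pos += 2 + length
    return found

def classify(privacy, ies):  # privacy = Privacy bit of the beacon capability field
    found = offered_ciphers(ies)
    if not privacy:
        return "open"
    if not found:
        return "WEP"  # encryption required but no WPA/RSN element advertised
    legacy = sorted(set().union(*found.values()) & LEGACY)
    return "legacy ciphers offered: " + ", ".join(legacy) if legacy else "CCMP only"

# Constructed sample elements (not captured traffic).
SSID = b"\x00\x04demo"
WPA2_ONLY = SSID + bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
MIXED = SSID + bytes.fromhex(
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000"
    "dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

if __name__ == "__main__":
    print(classify(True, WPA2_ONLY), "|", classify(True, MIXED))
```

An access point in mixed mode is flagged even though it lists CCMP as a pairwise cipher, because its group cipher and its WPA element still use TKIP.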
If you would like more information on this topic or the wireless LAN design, security, assessment, and deployment services that VCS has to offer, please contact
us at 610-444-1233 or vcs@getvitalized.com. We are also always available on our website
www.getvitalized.com.