Firewalling Your Frequencies
By Michael Grebb, Wed Apr 24 00:00:00 GMT 2002

Efforts to secure wireless networks are underway. But there are lots of cracks to seal, and current opportunity for data theft abounds.

It's no secret that more and more people are using mobile devices to connect to wireless local area networks (LANs), corporate virtual private networks (VPNs), and the Internet at large. Although the consumer population has been slow to adopt such habits, the legions of corporate road warriors are increasingly checking email and dialing into the corporate VPN at airports and other wireless "hotspots," usually on networks based on the 802.11 wireless LAN (Wi-Fi) standard.

What's perhaps less well known is that many of the same executives who strictly guard private corporate information under most circumstances often haven't taken even the most basic steps to secure their wireless transmissions. "Public-area hotspots tend not to use any encryption at all," says Trevor Fiatal, co-founder and chief security officer at Seven, a Redwood City-based wireless access company. "That's a huge risk area."

Eager early adopters

Experts wonder whether corporations are one horrible incident away from a wake-up call, especially as more executives use new devices such as personal digital assistants (PDAs) to communicate with their offices and surf the Internet. "It's just a matter of time," says Chris Klaus, chief technical officer and founder of Atlanta-based Internet Security Systems (ISS). He points out that security risks are rising as PDAs become more complex and PC-like. "Functionality corresponds to the complexity and how many security holes exist," he says. "As we add new functionalities to PDAs, we'll see a higher level of risk."

Already, Microsoft has been pushing hard to saturate the market with PDAs that use a stripped-down version of its Windows operating system. The smaller OS, known under the "Windows CE" or "Pocket PC" monikers, is designed to work within the restricted processing power and storage space of small handheld devices. Corporate users have begun flocking to such devices, which offer much of the functionality of a laptop computer (complete with optional keyboard attachments) but take up less space and weigh less than portable PCs.

So far, corporate users mostly connect to the office's secure corporate VPN to protect data, and then use the VPN's secure tunnel to go out into the larger Internet. But many such users still risk interception of their data before it reaches the corporate firewall, especially if they use an unsecured wireless LAN. "There's a disconnect in people's thinking," says Dan Rivers, senior engineer at NMI Information Security. "People don't think of a PDA as a computer."

802.11b still saddled by slack security

Rivers and other security experts note that wireless LANs are especially vulnerable to attack, even if the individual is sending data to a secure VPN. Unless the user is only sending and receiving data with Secure Sockets Layer (SSL) encryption, a corporate firewall at the VPN level doesn't necessarily protect data traveling to the VPN from the wireless LAN. "There's no way to ensure that someone can't mess up the data in transit," Rivers says. "Anyone within that light signal can see what's going on. That's broadcast data. If someone can identify the data, there's no reason they can't intercept that text data."

In addition, Rivers says that the lack of security at wireless LANs exposes all users to other less malicious but equally annoying hazards, such as "denial of service" attacks in which someone deluges the LAN with so much data that it is overloaded. For a busy traveler with 10 minutes to access the corporate network between flights, such an attack could rise above mere inconvenience. Others warn that password or personal-information theft can occur when users provide data to unencrypted sites.

"Every time you enter anything interesting, you better check that little lock icon to make sure it's secure," says Seven's Fiatal. "There are some good identity-theft opportunities there." In one case, someone intercepted a corporate traveler's password when he was accessing an adult site before a flight (presumably, a long one) at an airport hotspot. The hacker used his identity to run up $2,000 in charges.

Securing the VPN

To be sure, companies are already addressing security issues for wireless devices such as PDAs. Check Point Software, an Israeli security software firm that offers a variety of firewall products, in March launched "VPN-1 SecureClient," which is being touted as the first VPN-based firewall designed specifically for PDAs using Microsoft's Pocket PC operating system. For anywhere from $35 to $92 per remote user (depending on volume), firms can now protect the increasing flow of data between the corporate VPN and workers using wireless PDAs in the field.

"When you're logging into the corporate network, you don't want someone malicious to piggy-back on that," says Johnnie Konstantas, Check Point's product marketing manager. Already, pharmaceutical company Novartis is rolling out firewall software to simultaneously protect 10,000 of its wireless PDA users. Check Point sets up an "always on" firewall at the VPN gateway, securing all data flowing to and from devices. So far, Novartis is Check Point's first and only customer, but the company predicts demand will soon swell. "Looking at the interest that has been expressed, I have to think that the opportunity is quite large," Konstantas says.

Of course, securing the VPN doesn't necessarily protect a user who just wants to access the Internet from a wireless PDA without tunneling through a VPN. But companies that sell wireless LAN equipment are starting to embed secure firewalls right into the local routers that direct Wi-Fi traffic at each hotspot. "Rather than burdening PDAs, you're going to see it move to the router," says Kevin Allan, product line manager for the business routers unit of Netgear. The limited processing power of PDAs makes installing a separate firewall in each one impractical, he says. "There's a tradeoff between security and performance," he says. "The processing that's required will slow down the performance of the device."

Indeed, Bluesocket, which sells wireless LAN equipment, now offers firewall protection in its "WG-1000 Wireless Gateway" product designed for wireless LANs. "The guy who could be your biggest competitor may be sitting right next to you," says Dave Juitt, Bluesocket's CTO and chief security officer. "And he could gain access to your marketing drive."

Overselling the risk?

Of course, security companies and consultants arguably have an incentive to create the impression that corporations are at dire risk. But despite the risks now facing wireless data users, any widespread wireless security disasters appear unlikely in the near future. According to Forrester Research, only about 11 percent of corporate travelers access their offices on the road using PDAs or mobile phones, even though that population is constantly growing. It's hardly the kind of volume that's likely to bring down an entire company (unless, of course, someone intercepts sensitive information from a senior official's PDA or laptop). Even then, it's more likely someone would try to damage rather than steal data.

"Unless you're a specific person who has been specifically targeted, it's unlikely someone would steal your contacts," says Bob Brace, VP of mobile solutions at Nokia Internet Communications, a unit of Finland-based Nokia. "But it's a real threat that someone could damage the device." Of course, most PDA users synchronize data with a host device often, meaning that in most cases they would be able to retrieve it later.

In addition, many simply use the carrier's cellular network to access data, a far more difficult transmission path for hackers to exploit, because such networks already build in encryption to identify data packets and deliver them to the correct wireless devices and phones. That's partly the result of the history of cellular networks, in which phone cloning and other nefarious activity caused problems. "The licensed spectrum providers have really focused on protecting the service because there was so much fraud before," says Juitt. Adds Fiatal: "The nature of cellular networks is much more difficult [to hack]."

PDA viruses among us

But as more and more users receive email, along with attachments, on wireless devices, the risk of contracting a computer virus has never been greater for wireless laptop users, even if hackers have yet to unleash serious viruses targeting wireless PDAs. "We haven't really seen the hacker underground figure out ways to do it," says ISS's Klaus, whose company regularly prowls hacker chat rooms and email lists to spot trends. "You're not hearing stories about how Hacker Joe broke into a company because of a PDA." Of course, that doesn't mean it won't happen eventually. "Realistically today, I don't know of any viruses for PDAs," says Brace. "But I imagine something will come out in the next year to 18 months."

One possibility, according to David Potts, worldwide director of applications for Texas Instruments' OMAP platform, is a virus that infects a PDA through an insecure wireless network and then lies dormant until the PDA user syncs up to his desktop computer at the office. If the corporate firewall hasn't been configured correctly, a PDA virus could use the sync port as an entry point to infect the entire corporate LAN. "So do you protect your PC or the device?" he says. "The device should have some kind of protection. You can't just depend on the PC for that."

At the same time, corporations should do more than simply deploy a hodge-podge of firewalls, VPNs, and other device protections and hope they all somehow work together. Rather, experts recommend a comprehensive security plan that addresses all aspects of the corporate network, including wireless devices. "Firewalls are an essential component of security, but they are no more capable of protecting corporate assets from intrusion than a locked door is capable of protecting a family from robbery," stated a recent research report by Jupiter Media Metrix. "Firewalls, VPNs, public-key infrastructure (PKI), and other hot technologies are merely elements of a master plan that must be orchestrated across an entire enterprise to secure its assets."

Meanwhile, security experts report that many firms have only tentatively dipped their toes in the water, even though it seems only a matter of time before the use of wireless LAN hotspots to access corporate VPNs and the Internet moves out of the early-adopter stage and into the mainstream. In addition, wireless users need to stop assuming that security is a given. "A lot of people get excited that they can connect wirelessly, but then they don't think about encryption," notes Allan. That may change as hackers discover the potential green fields out there.

"The technology is really interesting," says Rivers. "But until people see something really bad happen with it, security isn't a prime consideration." An attitude adjustment might be only a news headline away.

Michael Grebb has previously written for The Industry Standard, Business 2.0, and eCompany. From Washington DC, he covers the impact of mobile technology on modern society.