Meru has launched security software that can jam radio signals from rogue access points and scramble genuine signals to make it harder for hackers to overhear them.

"We offer radio jamming and scrambling, without changing anything on the client," said Joel Vincent, Meru's director of marketing. "It's layered on top of standard protection."

Despite years of development, the Wi-Fi security standards still leave possible gaps, said Vincent. Meru's architecture, he said, allows RF security that cannot be easily deployed on other systems.

Hackers can gain a lot of information by passive listening to the traffic on a Wi-Fi network, even one that is protected by encryption. Normal means of detecting and blocking rogue access points can miss "agile" rogues, which are synchronised with a normal WLAN's scanning cycle, and efforts to block them the network add extra throughput, said Vincent.

Wireless voice can also be a security problem, as handsets often don't support WPA: "Secure wireless VoIP needs extra hardware," he said.

Meru's Wi-Fi system, which it calls a fourth generation Wi-Fi LAN, and explains in this white paper, was designed to make voice on Wi-Fi work, but eliminating hand-overs between access points. All access points use the same radio channels (up to twelve channels, in the latest version), and signals are routed according to the network's knowledge of where the client is.

This requires a very granular control of access points - including the timing of packets - which Meru is now exploiting to provide RF-level security. The access points can scan while they serve data, rather than using separate dedicated scanners, or scanning according to a cycle.

When a rogue is detected, nearby access points can jam it by sending a noise spike exactly timed for the moment the rogue is sending a packet header. "We use radio signals to make rogue signals look like noise," said Vincent. "It's based on a microsecond level of timing."

The system can also protect genuine transmissions from eavesdropping by sending a directional "scrambling" signal - a mass of noise that drowns the signal out for all but the legitimate client. "We can take the noise out and get the packet back, because we made it," said Vincent. "We use a directional technique, and outside of the beam we transmit noise."

Meru clearly feels that RF-level security is a unique feature compared with other Wi-Fi products. Unlike software upgrades from other vendors, it is charging money - the module costs $2,500 in the US, for 50 access points. "Not all Meru users will pick it up," said Vincent. "For some people, doing encryption of the data and payload will be fine."