Wi-Fi security vendors are releasing new products to protect customers against weaknesses in the WEP encryption scheme, even though it has been obsolete for years.
AirTight Networks has launched a system that detects and prevents attacks on wireless networks secured by the WEP protocol, which are still in widespread use in retail systems, even though the protocol was cracked in 2001, and swiftly replaced by WPA. In April, security experts showed how to crack WEP in three seconds..
"We are typically talking about handheld devices used in retail for inventory management, known as 'hand guns'," said Sri Sundaralingam, director of technical marketing at AirTight. "There are hundreds, if not thousands of these devices that retailers still have, as well as legacy cash registers and VoIP phones that only support WEP."
The use of WEP security in shops is ironic, given well-publicised breaches such as the break-in over unprotected wireless that cost US retailer $118 million, and the Payment Card Industry (PCI) standards designed to secure credit card details.
WEPGuard, which will be a free feature in the next version.5 of AirTight's SpectraGuard intrusion protection system, is due later this year (read our review of the current version). It pro-actively seeks and blocks WEP cracking attempts, and prevents spoofed identity attacks and the use of compromised WEP keys. "While WEP is fundamentally broken, WEPGuard provides the best available solution for companies to go beyond passive techniques and actively manage and mitigate risk," said the AirTight announcement.
The product will meet the PCI standards, said AirTight, thus saving retailers money and reducing the risk of paying the kind of damages taken from TK Maxx.
Rival AirDefense bought out a "cloaking" solution in April, which injects "spoof" WEP packets into the air, to put crackers off the scent, but AirTight dismissed this approach in a presentation at the DefCon 15 hacking convention in August.
"While some suggest that injecting chaff into the data stream is an effective way to confuse hackers, it is a passive approach which continuously eats up bandwidth and merely masks the problem leading to security by obscurity," said Pravin Bhagwat, CTO for AirTight. "Only active protection gives any measure of protection along with other best practices."
"It is going to take a few more years [to get rid of WEP completely]," said SundaraLingam. "Retail/manufacturing customers have customised applications running on these handheld guns and these applications need to be moved over to newer devices that support WPA/WPAv2."