Last Modified:                                                                                                



Homepage / Publications & Opinion / Silicon.com

Peter Cochrane's Uncommon Sense: Your communications - compromised
"All very basic but oh so effective."
Is Wi-Fi much more insecure than wireline networking? How many security clangers do you drop while on your mobile? Listen in to Peter Cochrane's latest thinking...

Of all the emotive topics IT generates, security seems to be the one most frequently and irrationally debated. As a general rule people's attention to security is inversely related to the actual risk, value or need.

Companies pour resources into making email 100,000-fold more secure than any physical mail process, while employing temporary staff with minimal background checks, thereby leaving the security doors wide open. On the physical side it seems to be generally accepted networks built from copper wires are reasonably secure, while those built from optical fibre are incredibly secure - and all things wireless are as leaky as a sieve.

Perceptively I think it goes something like this: Anything new or misunderstood immediately goes to the top of the security list without any thought or analysis. For example, most people understand that access via paired copper cable means digging it up, climbing a pole or entering a telco/cableco building, office or home. Then with the use of a pair of alligator clips it is possible to tap the line and extract any information - audio, video or data - as seen fit. This, by the way, is mostly far from the truth but it will suffice for this discussion.

Optical links, on the other hand, present a far greater challenge in the minds of most but the reality is alligator clips for optical fibre do exist. By merely bending a fibre over a reasonably tight radius, light leaks out through the cladding and can be detected by a simple optical collector. So again, the recovery of audio, video or data information without a user knowing is, in theory, relatively simple once physical access is achieved.

For radio, all someone basically needs is an antenna to suck information right out of the ether. Of course, if it is a microwave radio system or directed beam of some kind, it means finding the right location so you can actually intercept the waves. But if the system is an omni-directional mobile phone or wireless LAN (WLAN), or just a PC on a desk that simply radiates energy in all directions, it can all be picked up with relatively unsophisticated equipment. This then looks like a different proposition.

In recent months there has been a bevy of new software (for example NetStumbler and AirSnort) that can scan the airwaves for WLAN signals, list what is available and reveal their descriptors and vital statistics. Many programs not only list the network names and crack the Wireless Equivalent Privacy (WEP) protection currently used on WLANs, they reveal passwords and other data. The very fastest algorithms can now decode a 40-bit WEP in a matter of minutes by gathering thousands of samples of repeatedly transmitted header information.

In effect all you have to do is passively monitor one wireless transmission after another, make comparisons, and gradually the encryption key, network name and password emerge. This is all very basic but oh so effective.

Many people have been surprised the WEP designers didn't anticipate this would happen and only specified a 40-bit key. The good news is that there is a 128-bit key option giving improved security and dictating much longer monitoring periods. So WLAN/Wi-Fi remains reasonably secure for the present and represents about the same level of inconvenience to those trying to break in as a pair of copper wires.

Does any of this mean we should stop using wireless transmission? I don't think so. It would be foolish to abandon any technology on the basis of its momentary exposure to interception.

The reality is that anybody wishing to intercept communication in any form - be it over copper, fibre or wireless - has their work cut out to a modest degree. Physical access is the first priority, followed by software having the capability to decrypt the information. But remember that the vast majority of communication on this planet enjoys no form of encryption or protection and the interceptions remain very small.

When compared to the number of conversations that are overheard in a room or on a train, or indeed the number of credit cards that are compromised after handing them to a waiter, hotel reception or gas station attendant, or indeed the easy access to printed mail in unguarded mail boxes and the ease of reading a PC screen over someone's shoulder, then the risk is very small.

It would be imprudent indeed not to take adequate precautions with our information and the protection of our commercial interests. The fact that wireless networks can be hacked today in terms of basic access to the network doesn't mean to say we can't increase the length of WEP keys or add further password protection and encrypt our files and folders prior to transmission.

So if you have really important data you do not wish people to access, it's very simple: protect it before you send it. But also remember to look over your shoulder to see who is eyeing your screen, listening to your phone call, trying your door or window, or accessing your paper mail.

This column was typed edited on my laptop on BA2020 flying Denver to London, edited in a coffee shop at Ipswich Station and emailed to silicon.com from a start-up in Chelmsford via a high-speed LAN.