Security Problems in Local and Personal Wireless Networks

As is always the case with new technologies, a whole range of legal problems affecting data protection has accompanied the arrival of local and personal wireless networks. Wireless communication offers various advantages, such as lower cable infrastructure and greater mobility for users, but these benefits are offset by the increased risk of communications being intercepted or bugged via radio frequencies. The standards for wireless networks must therefore always provide for data encryption in the transmission protocol, but this can be achieved only through a public key infrastructure, and this involves expenditure in terms of technology and organisation.

For local area networks (LAN), in addition to the customary market standard Ethernet-Standard IEEE 802.3 (cable) there is also Standard 802.11 (wireless) with its encryption protocol WEP (Wired Equivalent Privacy). Experience has shown, however, that WEP is not always implemented, and even when it is activated, there still remain certain shortcomings and difficulties (static encoding keys must be defined for every terminal). And in addition to this, within a radius of several hundred metres the wireless access points using Standard 802.11 share the same available bandwidth for all mobile terminals (with a data rate of up to 11 MB in the case of 802.11b and 54 MB for 802.11a). In the case of 802.3 switches on the other hand, the bandwidth (10 or 100 MB) is individualised for every permanently cabled terminal and this serves to reduce markedly the risk of a major bugging "onslaught". A connection can be established with an active access point only if the wireless terminal logging on knows and transmits the network name (SSID: Service Set Identifier) and more importantly, only if it uses the shared keys authentication procedure (WEP protocol with a 104 bit key augmented by a 24 bit initialisation vector). A weakness of the RC4 algorithm used by this protocol lies in the high probability of producing the same vector again. This shows just how complicated the implementation of encryption solutions continues to be.

For personal area networks (PAN), which establish wireless connections between portable computers, personal digital assistants, mobile telephones and other personal equipment, the valid standard is the IEEE standard 802.15 (based on the Bluetooth specification), which has a data throughput of 732 KB within a range of around 10 metres. This standard fortunately also provides for authentication and data encryption procedures which again involve the use of keys. This seems to mean that systems without keying-in facilities will be forced to use a standard key and will be vulnerable to bugging and even to the uncontrolled forwarding of data. In any event experience has shown that caution is called for during the introductory phase of this kind of technology.

In a still more local environment, wireless keyboards and a wireless mouse are being used with increasing frequency to connect with the workplace. While it is undeniable that this development has ergonomic and practical benefits, it must not be forgotten that passwords used to access highly protected information are usually entered using the keyboard, and the wireless transmission of such data can obviously be intercepted and decoded without great difficulty.

[July 2002]