It is reasonable to say that we should not concern ourselves too much with security on our cell phones. If you use an analogue cell phone anyone with a decent scanner can tune in to what you are saying – no way around that. But GSM phones use encrypted technology that enables secure voice and data transfer during calls. GSM technology uses an algorithm to ensure the authenticity of the caller and the integrity of the channel, even when you are roaming in a foreign country.
The most interesting, and potentially contentious area of wireless security is that concerning wireless LANs or Wi-Fi networks. These are fast becoming the connection method of choice, whether in the humble home office environment, over a coffee in your local Starbucks or in a corporate office. It is a regular occurrence that someone is sitting in an office or a hotel in a metropolitan area and picks up a network signal of a local wireless network. Wireless signals do not recognize corporate or geographical boundaries and are only limited by the propagation configuration of the network. Even in an office environment you will find small areas or “blind spots” where the coverage is very weak or non-existent. So, it is possible for the random surfer to “happen upon” or “jockey-back” on someone else’s network. So how do you protect against this happening?
Wireless local area networks use spread-spectrum technology – a technique that makes the radio signals difficult to intercept. Most Wi-Fi systems also include a form of user logon and password protection. Of course, the spread spectrum signals can be intercepted with a relatively simple wireless card and many networks do not properly set up the password feature and will allow ready access to someone typing the word “any” as a password. The fact that “employees” have to go through some form of physical security before they can access the network only adds to the notion that wireless networks may not be as secure as equipment manufacturers would have us believe.
The problem with wireless security is essentially a technical issue with the way the signals are encrypted. The original wireless LANs (WLANs) used the Wireless Encryption Protocol (WEP). This was then replaced in late 2002 with the Wi-Fi Protected Access (WPA). Essentially, WPA offered improved data encryption through the use of temporal key integrity protocol (TKIP). The TKIP feature scrambles the keys using a hashing algorithm and ensures that the keys have not been tampered with. WEP only uses a static key that is seldom changed by users. This cryptographic weakness caused many of the security breaches in WLANs because intruders could, with relative ease, generate an encryption key and access a wireless network.
While WPA offers enhanced security features over WEP, not all industry observers are completely satisfied. A recent problem was highlighted with WPA concerning the use of poorly chosen passwords for a network. Criminals intent on compromising a WLAN can use simple dictionary software to overcome the system password. In fairness, this weakness only manifests itself when short, text-based keys are used and does not signify a fault in the WPA protocol. WLAN manufacturers can circumvent this problem by incorporating the ability to generate random keys across the network and putting in place user requirements concerning the length and style of passwords.
Microsoft responded to this potential threat by providing a Windows XP download that alters the way the operating systems communicates with the Wi-Fi network – using separately generated keys for each system user rather than one, albeit encrypted, key for the network connection.