April 12, 2001, 10:32 AM — As security experts watch the airwaves get crowded with wireless transmissions
of voice and data, they see their field becoming more vital--and complicated,
in this world of mixed network protocols.
Unlike the Internet, which uses only a handful of standard protocols, the wireless
world is built on many disparate protocols that don't necessarily work together
at all. This lack of standards complicates the security of wireless networks,
which discourages their wider adoption.
Effective security requires widely accepted standards, agree security gurus
and vendors at the RSA Conference here this week. Discussion at the gathering
has tackled proposed new protocols, algorithms, and networks for both the wired
and wireless worlds.
While still in their infancy, wireless broadband and other forms of wireless
networking, including home LANs, show great promise as an alternative to wired
services used by businesses and home users. But unless the security of those
networks can be assured, the young industry could be stillborn, the security
experts warn.
To protect you, these networks will have to incorporate new security protocols
and algorithms as well as some existing methods found on the wired Internet.
But agreeing on which standards to adopt may be as big a challenge as getting
the high-speed services out the door.
New toys raise risks
"Modern expectations of the Internet include [service that's] always on,
handy, and immediate as well as secure," says Shawn Abbot, president of
IVEA Technologies, a developer of security infrastructure products for e-commerce.
"But the challenge of these connected personal devices is that they put
more personal data into cyberspace, raising the threat to privacy."
The most dire risks include forms of identity theft. Someone might learn and
misuse your personal information through eavesdropping or information tapping,
Abbot says.
Also, marketers are eager for the opportunities offered by global positioning
functions, which could let them target ads or services based on your location.
But "location-based services only magnify these threats, increasing the
need for trust from consumers," Abbot adds.
Current networks won't do
Today's mobile phone and paging networks--used for wireless devices--weren't
really designed to meet the security needs of transactions, corporate communications,
and network-based personal profiles, the experts agree.
The traditional mobile phone network has limited security, says Yiquin Lisa
Yin, research leader at NTT DoCoMo's Multimedia Communications Labs. "The
proprietary protocols and algorithms only provide security for the air interface
and not the whole network," Yin says.
The air interface in traditional cell phone networks includes the traffic between
the handset and the cellular base station, Yin says. Then, the base station
connects to a core network for the carrier, often with little security between
them, she adds.
On the reverse end, Internet data connects to the core network through a wireless
application protocol gateway. There, it is temporarily decrypted and then re-encrypted
in a mobile-phone-friendly format, Yin says.
That WAP (wireless application protocol) gap isn't a big deal for simple applications,
but it's becoming more important with transaction services, Abbot agrees.
But Yin urges security improvements not for the gateway, but for every link
in the network. She says security in traditional networks is not flexible enough
to handle new attacks, or even to be beefed up to support new applications like
commerce.
New speeds require better security
Besides security, wireless nets need a speed boost to support sophisticated
WAP services, Abbot says. Today's circuit-switched mobile phone networks are
simply too slow. "Until packet-switched networks dominate, WAP won't be
that great," he adds.
GPRS, a packet-switch network extending from today's GSM (Global System for
Mobile telecommunications) system, promises speeds up to 150 kilobits per second,
a sizable improvement when compared with the 9.6 kbps of current GSM systems.
GPRS uses limited bandwidth efficiently and can send and receive small bursts
of data, such as e-mail and Web browsing.
But with that speed comes need for better security to support the many applications
that speed makes possible. Several standards offer answers, Yin says.
