A wireless LAN hardware company is set to publicize a RADIUS server security hack that can thwart the recently ratified 802.11i protocol and any WLAN infrastructure that keeps encryption keys housed in access points rather than on a central switch. Aruba Wireless Networks Inc. will bring its findings to the Internet Engineering Task Force meeting in San Diego next week, said Aruba officials.
Aruba stands to benefit from the vulnerability report because it develops wireless hardware that keeps encryption centralized on the switch rather than on access points, but officials said the vulnerability is critical for IT managers who think the new protocol will keep their WLANs secure all by itself. "We've collaborated with Microsoft [Corp.] and a bunch of other players to expose some vulnerabilities to wireless," said Merv Andrade, chief technology officer of Aruba, in San Jose, Calif. "802.11i is only one cog in the security wheel. If you're not watching your back, you might be lulled into a false sense of security." Microsoft officials did not respond to requests for comment.
News source: eWeek