02/23/2005: "Spokane, WiFi and Parking"
music: Happy Talk/It's Immaterial
Only in Spokane would you find the city government bragging about parking meters.
Long-time readers of this blog may remember that I predicted that the whole "Wi-Fi Zone" bit was about parking fees, and Spokane's inability to service the debt on its White Elephant "Parkade".
The trial of this technology in Spokane, however, does have a very unique element. This is the first time in North America that such parking pay stations are being used with wireless technology.
My take is that Parkeon couldn't sell its equipment to anyone, so they've allowed Spokane a free trial. For those of you who don't know, Parkeon was formerly "Schlumberger e-City", but is now part of Apax Partners, a VC firm. If Vivato isn't already sucking air, then perhaps Stalter and crew are trying to get Apax to throw some money in the pot. I know some of the Apax guys, and they're too smart for that by half.
Here's the problem. There is money (or worse, your credit card number) flowing over those wireless links, and Vivato's first-generation product doesn't support anything that could ever be called "secure 802.11". It's WEP, or WEP with 802.1x, but the chipsets inside are crippled, and are unlikely to ever support TKIP, and without TKIP, WPA isn't possible. While it is possible that Vivato has implemented TKIP (and the Michael MIC) for its first-gen product, I find it telling that the datasheet doesn't claim TKIP or WPA, and that Vivato has not re-certified with the Wi-Fi Alliance, which would be necessary to claim "WPA" on any revision of that datasheet.
If Vivato still only supports WEP with 802.1x, then the situation is dangerous to the credit rating of anyone who uses it. On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code to the NetStumbler forums. The attacks have since seen better implementations in aircrack and WepLab. Still, the new attacks change everything. Now the only issue is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions. The key actually leaks out the IV stream. I've read analysis that says that WEP is now a "5 minutes and you're cracked" wash-out.
So, until I hear differently, it looks to me like many, many credit-card numbers are about to start flying through the air in Spokane, ready for anyone with a copy of readily-available software to start grabbing them at will. Unless there is some new Vivato firmware in beta, Spokane just set itself up to be the next Bestbuy.
And, even if I do hear differently, I claim the whole thing is a huge hack waiting to happen unless Vivato has implemented per-STA keying. Agere pulled a fast one here with 802.1x, and it's a dirty secret inside the Wi-Fi industry. Perhaps the Vivato deal with Devicescape (aka Instant802) will help solve the problem here.
To be clear, for the sake of the City of Spokane, its citizens, Apax, and what's left of Vivato, I hope that someone with a security bent insisted on this problem being solved before money starts to flow.
The more I sit and think of it, the more it makes sense to re-port the Instant802 software on top of the Agere chipset and use the rest of the management layer that already runs on all of Vivato's other products. Too many people in the industry know that WEP is a non-starter, even with 802.1x. If you own a Vivato 12xx series product, call and demand to see the latest firmware.
Still, even if Vivato has implemented WPA, it brings its own set of fun. TKIP can be used as the lever for a DoS attack. If an AP running TKIP sees two bad MICs within one minute, it assumes it is under attack and kicks all users off the AP and invalidates all key material. This requires only generating bad unicast packets toward the switch which appear to originate at the parking meter. As few as two such events in 60 seconds will take the parking meter offline for a full minute. It is non-trivial (but possible) to keep all parking meters associated with a given Vivato switch bound up. Technical details upon request.
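The countermeasure behaviour described above can be watched for from the operator's side. This is an added example, not part of the original post or any vendor's code: it replays MIC-failure log records through a simplified model of the two-failures-in-60-seconds rule and flags APs that are locked out repeatedly. The log format, the AP names, and the thresholds in `sustained` are assumptions.

```python
from collections import defaultdict

WINDOW = 60   # seconds: two MIC failures this close together trip countermeasures
HOLDOFF = 60  # seconds the AP stays offline once tripped (per the text above)

def lockouts(events):
    """events: iterable of (unix_time, ap_id) MIC-failure log records.
    Returns {ap_id: [(start, end), ...]} of countermeasure lockouts."""
    last_failure = {}     # ap_id -> time of the previous unpaired failure
    blocked_until = {}    # ap_id -> end of the current lockout
    result = defaultdict(list)
    for ts, ap in sorted(events):
        if ts < blocked_until.get(ap, 0):
            continue      # AP is already down, so this record changes nothing
        prev = last_failure.get(ap)
        if prev is not None and ts - prev <= WINDOW:
            result[ap].append((ts, ts + HOLDOFF))
            blocked_until[ap] = ts + HOLDOFF
            last_failure.pop(ap)   # failure state resets once lockout starts
        else:
            last_failure[ap] = ts
    return dict(result)

def sustained(lock_map, min_lockouts=3, span=600):
    """Flag APs with min_lockouts lockouts starting within span seconds.
    Isolated MIC failures happen; back-to-back lockouts suggest a DoS."""
    flagged = []
    for ap, wins in lock_map.items():
        starts = [s for s, _ in wins]
        for i in range(len(starts) - min_lockouts + 1):
            if starts[i + min_lockouts - 1] - starts[i] <= span:
                flagged.append(ap)
                break
    return sorted(flagged)

# Constructed sample log: (seconds, hypothetical AP name). Not real data.
SAMPLE = [
    (0, "ap-north"), (400, "ap-north"),     # isolated failures, > 60 s apart
    (10, "ap-south"), (25, "ap-south"),     # lockout 25..85
    (40, "ap-south"),                       # ignored, AP is down
    (90, "ap-south"), (130, "ap-south"),    # lockout 130..190
    (195, "ap-south"), (200, "ap-south"),   # lockout 200..260
]

if __name__ == "__main__":
    locks = lockouts(SAMPLE)
    print(locks)
    print("sustained:", sustained(locks))
```

An AP that appears in the `sustained` output is spending most of its time in lockout, which is the condition worth alerting on for unattended devices such as pay stations.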
Please note that Parkeon uses GPRS for its wireless solution everywhere but Spokane. Given that GPRS data service can be bought for $20/mo, flat-rate from several carriers, I don't understand the economics of using WiFi for the parking meters. Perhaps Tom Sowa will investigate and explain.
In other Vivato news, Steve Renda, Vice President of Marketing and Corporate Development at Vivato, has left the company. The executive bleed-off continues. Vivato's management still refuses to acknowledge that the CFO left months ago.