Wi-Fi baby is thrown out with the bath water

3-MIN READ3-MIN

Published: 12:00am, 9 Dec 2003

China's decision to outlaw Wi-Fi must be one of the oddest responses to a security hole that has ever been made.

For most people in the security industry, the idea of legally compelling companies to enforce security is nothing new. It is an idea security guru Bruce Schneier has been promoting for many years: 'Liability forces companies to protect the data they're entrusted with.'

But when he talks about law, he does not suggest legislating for or against a security standard; he means companies that produce lax security products should be legally liable when those weaknesses are exploited by criminals.

For China to respond to a weakness in a standard by banning it is an unrealistic overreaction, as is the demand that companies in China immediately switch to China's new and cryptically named GB 15629.11x standard.

With the world watching the international wireless standards as defined by the Institute of Electrical and Electronics Engineers (IEEE), the vast majority of wireless network buyers will continue to follow IEEE standards. This entails buying equipment manufactured in China. To ban the production of 802.11x equipment would send those buyers to Taiwan, Europe, the US or elsewhere. It would not mean the world would adopt the China Broadband Wireless IP Standard Working Group's standards. It is too late to enforce a ban. Instead, what China needs to do is work with the international standards bodies instead of trying to replace them.

The weaknesses of Wi-Fi are well known, and many solutions have been put forward. Companies that can afford it can make their existing networks as strong as they like and those that cannot only need to wait till next year to buy 802.11i equipment, which is likely to be unbreakable - for now.

In Hong Kong, Wi-Fi's weaknesses were emphasised again last week, when the Professional Information Security Association (Pisa) released its second annual wardriving report, which found that while the number of wireless access points on Hong Kong island had leapt the vast majority were still unsecured. So, while China is worrying about Wired Equivalent Privacy (Wep) security, only 69 per cent of Hong Kong wireless users even bother switching it on. And while the much stronger 802.11g specification has been around for some time, Pisa found few people were using it - just 2.6 per cent of access points in western Hong Kong Island, compared to 9.1 per cent in the east.