Don't assume WPA security
Once again, a three-letter acronym is not magic pixie-dust
By Seán Captain, PC World | PC World | Published: 00:00, 05 July 2004
In addition to being faster than their predecessors, new Wi-Fi-certified 802.11g wireless products promise better protection from snoops, thanks to Wi-Fi Protected Access (WPA) encryption technology. But even though the WPA standard was introduced about a year ago, some 802.11g products may not support it.
The good news: In our informal tests with a half dozen Wi-Fi access points and 14 internal and external adapters, WPA worked on all products certified for interoperability by the Wi-Fi Alliance industry group. Also, a Windows XP patch that Microsoft issued last fall can fix some incompatibilities.
The bad news: Certification is far from universal, especially in certain Wi-Fi product categories; some uncertified products had problems; and it's not always easy to tell what offerings (and technologies) have been certified.
Users in the US have a problem: the worst offender in improperly representing certification was Microsoft, whose Wi-Fi products were available there. Although Microsoft announced in May that it was leaving the wireless networking business, it intends to continue supporting its products, and they are still on sale. A spokesperson says that the company plans to issue a patch enabling WPA in July, although this will reduce throughput to about 7 Mbit/s - well below the minimum 12 to 14 Mbit/s that industry experts estimate users should expect with 802.11g devices that have WPA enabled (as you know, the 54 Mbit/s quoted on the package of 802.11g kit inflated, even without turning WPA on).
Although Microsoft's MN-700 access point/router displays the Wi-Fi Alliance's certification label for WPA prominently on the box, the device failed to establish a WPA connection with any of six 802.11g wireless PC Cards (including Microsoft's own MN-720 model) and with six of eight tested notebooks using integrated 11g wireless. Not all of these notebooks and cards were certified for WPA, but all connected with several other WPA-enabled routers. Wi-Fi Alliance representatives say the Alliance certified the MN-700 for the 802.11b and 802.11g standards with security turned off. Spokesperson Brian Grimm says the Alliance will contact Microsoft about updating its labelling.
Microsoft's certification is correctly reported in the certified product database on the Wi-Fi Alliance's Web site. The database is a good resource to consult before you buy, and it is responsive. We did find some instances where items appeared in the wrong category - for example, D-Link's DWL-G650 PC Card appeared on the list of internal cards, not external cards as it should have. However, this had been corrected by the time this article reached Techworld.
WPA is an option?
Technically, WPA is not part of the 802.11g standard, but in September 2003 the Wi-Fi Alliance began making WPA support a requirement for most products to pass 11g certification tests.
But 802.11g certification is no guarantee of WPA compliance. That's because products submitted for testing before last September - including the Microsoft MN-700 - were exempt from the Wi-Fi Alliance's WPA requirement.
Other name-brand Wi-Fi products we tested were also certified for 802.11g but not WPA. Still, most managed to work together with WPA enabled. The only exception, besides the Microsoft MN-700, was IOGear's GWA 501 access point/router, which is not Wi-Fi-certified for anything. It did establish WPA connections with four cards and three notebooks; but it failed with two other cards and five other notebooks we tested, including two using the Wi-Fi chip in Intel's Centrino mobile technology.
How important is Wi-Fi certification?
Corporate IT departments generally demand it, but it appears to be less important to small businesses and to home users. So some vendors, such as IOGear, skip certification altogether, while others begin selling a product before it has been certified, assuming that it will pass later on. Netgear's new WGT634U Wireless Media Router, for example, has been on the market since April but was still awaiting certification at press time. The Wi-Fi Alliance, however, says that about one in four products fail the test on their first attempt, mostly because of WPA glitches.
Regardless of the equipment you have, you can increase its chances of working with other products by installing the manufacturer's latest drivers and firmware and the latest updates for your client software from Microsoft or whoever. The original Windows XP update adding WPA capabilities had bugs that sometimes killed connections. Go to this link for the fix.
WPA-certified products may be hard to find in certain categories. That's because WPA wasn't required for 802.11a products (including 11a/g combos) until October of 2004 - and even then it was required only for basic equipment such as access points, access point/routers, notebook and desktop cards, and notebooks with built-in wireless.
For devices such as media receivers, printers, print servers, PDAs, and Ethernet-to-wireless bridges, WPA wasn't required for Wi-Fi certification until late January 2004. Few current devices support WPA, certified or otherwise, though most do offer WEP (Wired Equivalent Privacy), its weaker predecessor. A few access points, such as those from SMC, can support both WPA and WEP clients simultaneously. But in that case, a hacker could access the network by cracking the weaker WEP encryption. And if your access point doesn't support both encryption schemes simultaneously, you'll have to use WEP unless all of your equipment supports WPA (incidentally, this will be a weakness with many public hotspots for some time).
Bottom line: make sure products are certified to what you want
WPA provides strong security for wireless networks, but be sure that you buy the latest Wi-Fi-certified products to avoid incompatibilities. Products on the Wi-Fi Alliance's certified list are the safest; contact the vendor if you're in doubt. And be prepared to wait anywhere from several months to as long as a year for specialty equipment with WPA certification to become widely available.