Anyone assuming 802.11-based wireless LANs are secure is in for a wake-up call. A report to be released this week details a significant weakness in the RC4 encryption algorithm used to secure such networks.

In the report, Weaknesses In The Key Scheduling Algorithm For RC4, cryptographers Adi Shamir and Itsik Mantin of the computer science department of the Weizmann Institute in Rehovot, Israel, and Scott Fluhrer of Cisco Systems have identified a hole in RC4 that lets almost anyone with a wireless LAN-enabled notebook and certain software available from various sources on the Internet retrieve a wireless network's key that can unscramble encrypted data traversing the network.

RC4 is a standard encryption algorithm from RSA Security Inc. used in a number of applications, including 802.11's Wired Equivalent Privacy encryption scheme. WEP uses a 40-bit key, which many experts say isn't robust enough to secure a network. The new-found weakness in RC4 compounds the problem. The IEEE-802.11i Task Group is developing a WEP2 standard, which uses a stronger 128-bit security key.

Although it's impossible to make any network foolproof, analysts say, administrators too often rely on default security or simply assume security is inherent. Craig Mathias, a principal with Farpoint Group, recommends proprietary encryption techniques or virtual private network technology. "You're not going to make it impossible to break in," he says, "but at least make it difficult."