Wi-Fi

Just say no to WEP

Whether you're running a home wireless network or a corporate wireless network, you need to know the truth about Wired Equivalent Privacy (WEP). When WLAN hardware first came out, WEP was the standard encryption scheme offered to secure the wireless network.

By design, WEP protects a wireless network from eavesdropping. However, it has significant and well-documented vulnerabilities.

Weak Encryption Protocol?

WEP's major flaw is its use of static encryption keys. But the encryption standard isn't the problem.

WEP uses RC4 (also known as ARC4 or ARCFOUR) to protect the confidentiality of the transmitted data. However, every device on the network uses the same static key to encrypt every transmitted packet. That means an eavesdropper using a wireless hacking tool can intercept enough WEP-encrypted packets to eventually recover the key.

Of course, you can mitigate this vulnerability by periodically changing the WEP key; most routers allow you to store up to four keys. But if you change the key on the router, that means you also have to change the key on every device on the network. Depending on the size of your network, this can quickly become a time-consuming, never-ending task.

So WEP is insecure, and getting even a small level of confidentiality out of it is time-consuming. What can you do? Switch to Wi-Fi Protected Access (WPA) or WPA2.

WPA

While there are several flavors of WPA available today, the easiest to use and most widely supported version is WPA Personal -- often called WPA Pre-Shared Key (PSK). Using this encryption is relatively easy.

To encrypt a network with WPA Personal/PSK, configure your router with a plain-text pass phrase between eight and 63 characters long. WPA combines that pass phrase with the network's service set identifier (SSID) to derive its key material, and an encryption protocol called Temporal Key Integrity Protocol (TKIP) uses it to generate unique encryption keys for each wireless client.

Those encryption keys do not stay fixed: they change at the beginning of each transmitted frame, and when WPA cycles to a new key it broadcasts the change to the clients.
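How the pass phrase and SSID above become the shared key, as an added example that is not part of the original article: IEEE 802.11i maps them through PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations, 256-bit result), so the same pass phrase gives a different PSK on every differently named network, which is also why the article's later advice against default SSIDs and dictionary words matters. The function names are this example's own; the `"password"`/`"IEEE"` vector is the one published in the standard's Annex H.

```python
"""Derive a WPA/WPA2-Personal pre-shared key (PSK) from a pass phrase.

Added example, not code from the original article. It implements the
pass-phrase-to-PSK mapping defined in IEEE 802.11i: PBKDF2-HMAC-SHA1,
4096 iterations, 256-bit output, with the SSID as the salt.
Function names (passphrase_problems, derive_psk, psk_from_router_field)
are this example's own.
"""
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PSK_BYTES = 32             # 256-bit PSK


def passphrase_problems(passphrase: str) -> list:
    """Return the WPA-Personal rules the pass phrase violates (empty if none):
    8 to 63 characters, each a printable ASCII character (codes 32-126)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("pass phrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("pass phrase must be printable ASCII (codes 32-126)")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK that the access point and every client compute
    from the shared pass phrase and the network SSID."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    # The SSID is the PBKDF2 salt: a default SSID shared by many routers means
    # a table of PSKs precomputed for that SSID applies to all of them, while a
    # unique SSID forces the 4096-iteration work to be redone per network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               PSK_BYTES)


def psk_from_router_field(value: str, ssid: str) -> bytes:
    """Routers accept either a pass phrase or the 64-hex-digit PSK itself;
    normalise both forms to the raw 32-byte key."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: pass phrase "password", SSID "IEEE".
    print("IEEE   :", derive_psk("password", "IEEE").hex())
    # Same pass phrase, different SSID: a completely different PSK.
    print("linksys:", derive_psk("password", "linksys").hex())
```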

Roadblocks

Very few wireless devices sold today lack support for WPA. However, WEP is always the first encryption option listed (alphabetically), and most consumers don't know the difference between the two.

When it comes to client computers, Windows XP Service Pack 2, Windows Vista, and Mac OS X support WPA. When setting up the client, just make sure the data encryption -- TKIP or Advanced Encryption Standard (AES) -- matches the router's setting. Most routers support AES, which offers a stronger encryption cipher than the one used by TKIP.

Final thoughts

Properly configured, WPA provides your WLAN great protection from roaming wireless hackers. And here's one last suggestion: Change the default SSID. Most routers default the SSID to the name of the company that makes the router (e.g., Linksys).

In addition, avoid dictionary words in both the SSID and the WPA pass phrase. If you can use WPA2 (which uses AES), then use it. When it comes to security and encryption standards, using the latest and greatest standard is always a good thing.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


44 comments
bill.beckett

You know, I'm NOT saying that wow WEP is awesome, hey everyone use WEP because it's immune to cracking. However, I'm just not seeing the 1 minute cracking deal. I've collected a million packets from my home wireless network. Running aircrack against it right now and nothing for an hour now.

Marty R. Milette

Is this supposed to be NEWS? Next thing we'll hear is that IBM PCs don't run on DOS anymore! ;)

jenninju

Question: For the small network [home] using a basic Linksys WAP and Time Warner cable modem, does specifying allowed MAC addresses suffice, or is that hackable also? Thanks. Judson Jennings

krolrules

I guess this is why I use WPA2!

flemming.v.mortensen

WEP with no SSID broadcast and MAC address filtering is adequate security for home and small-office usage. Kind regards fvmREMOVE@THISnethotel.dk

edjcox

My thoughts are this. Any encryption is better than no encryption. The average neighbor where I live isn't even capable of setting up a network, let alone attacking the encryption on it. Very little of the data to be gained is of consequence, and that which is on my system is alternatively encoded with an RSA token encryption device... Diminishing returns... I am faced with a multiple-year system where older machines employ old USR cards and corresponding WEP-only ability and newer machines use BELDEN and other vendors. My router can handle any or all of them, but I am faced with the lowest common denominator, so "WEP encryption is better than no encryption at all"... Nice article... Keep chasing the ultimate hackers, but they really are not out here in force trying to view my kids' IMs and email...

grephead

WEP is the default encryption for many wireless devices used in things like Point of Sale systems. In fact, the largest hack of credit cards at TJX/TJ Maxx (45+ million) was accomplished by compromising the WEP key at a store from a parking lot. TJX used WEP as the encryption standard between the stores and systems in the central office (this is the part where your jaw should be on the floor). Anyone who believes WEP is a viable encryption method should read up on the TJX compromise and continuing financial exposure and consequences for that corporation.

technical

Well, most PDAs do not support WPA yet.

dalton.salisbury

TKIP is based on RC4 as well. The way I understand it, TKIP is only harder to break because there are fewer packets with the individual cipher key. The security flaw is still present, it just takes more time.

godzillex

Assuming there is no WEP (or other security protocols) in place, I could easily see how a drive-by intruder could access my network and use it to surf the 'Net. But I am not quite clear as to how it would be possible for him to access my drives and install spyware on it? Would a software firewall prevent him from doing so?

salmonslayer

I teach networking at a local community college, and a large portion of this is spent on Information Security. The first rule of thumb is that any security is better than no security. Think about your house - even if all you have is a small handle lock, that doesn't mean you leave your house open. Yes, it can be broken, but locks are generally meant to keep honest people honest. The second rule of thumb is that the most efficient security level to maintain is just slightly better than your neighbor (or your competition). Typically, a person trying to circumvent any security will go for the easiest target first. That said, if WEP is all you have, then you would be foolish not to use it. By using WEP, no SSID broadcast and MAC address filtering, you can develop a fairly secure network. You can also take this a step further and use a non-standard IP subnet, limit the number of available IP addresses to around the number of devices, assign static IP addresses to specific MAC addresses, and disable DHCP.

nhahajn

There are numerous free and open source programs that will find non-broadcast SSIDs, so that's not going to stop any 12-year-old kid these days. And with a little research anyone can spoof a MAC address. So if you want your home network cracked in a day, that's fine, but don't recommend that any small office leave themselves wide open.

amer83

I don't agree with the idea that says: "Any encryption is better than no encryption", because encryption causes an overhead, and in a wireless environment this overhead is a vital matter because wireless channel bandwidth is less than wired channel bandwidth. So in my opinion, having an encryption method that just consumes my resources and does not protect me from the real hackers is a really silly idea. Regards

Neon Samurai

It's a great wifi scanner when I'm out and around but WEP is the best it supports so it doesn't get to connect to my home network.

bill.beckett

Ridiculous post. I can understand not wanting people to think that just because they run WEP that they are invulnerable BUT to act like WEP is near equivalent to running a wireless network wide open is silly. It takes tons of packets to crack a WEP key. The FBI can do it in about 2 minutes. Most people out there are not the FBI.

georgeou

TKIP has been weakened to around 90 bits worth of equivalent security but it's FAR from being broken. AES is obviously the best but not everyone supports that and TKIP is kind of the lowest common denominator. You should read about these myths on what works and what doesn't. http://blogs.zdnet.com/Ou/?p=454 WEP can be cracked in under a minute now with the latest cryptanalysis tools. http://blogs.zdnet.com/Ou/?p=464

Marty R. Milette

You have no idea how open and exposed most computers are when connecting to a network -- ANY network. There are thousands of software vulnerabilities discovered all the time -- and even your 'security' software such as AV scanners, firewalls, etc. can have known, open, published vulnerabilities. Face it, even if you don't fall into this category, the 'average PC user' is too stupid to properly secure their system. They'll share drives and printers, and leave passwords blank, and have no security whatsoever. All a hacker has to do is a simple port scan and look for the right ports open to become interested enough to start a more focused attack. As a simple example, when I was in Kosovo, on a US ARMY POST, I connected to an OPEN WiFi connection, scanned the other systems on the network and found DOZENS of juicy targets. Just for fun, I connected to shared printers and had them print a few pages of "YOU HAVE BEEN HACKED!" just to get their attention. I was just having FUN, but someone really determined to cause mischief could have scored all the data from the hard drives, formatted them, installed viruses, keyloggers or whatever the hell they wanted to do. NO PROBLEM!!! For the knowledgeable hacker, most systems are swiss cheese -- full of holes and juicy targets. 15 minutes of war-driving in any major city in North America may give you a wake-up call. Or just watch some of the videos on Google Video to see some hilarious examples of just how INSECURE most of the world is. If you aren't shocked after that -- well, I don't know what to say! :)

nhahajn

There are numerous articles on TechRepublic and elsewhere describing why not broadcasting your SSID can actually open up even more vulnerabilities. I still say none of those things should be used on anything other than a home network where you really don't care if the bored neighbor kid uses your internet access to download torrents.

Servicemaster

Great job, salmon. Finally someone came up with more help than just NO WEP. But only in the situation when you have no other option. And what about a firewall? Isn't that the next speed bump after breaking the WEP, SSID, MAC filtering, non-standard IP subnet, limited number of IPs, etc.?

EValente

I did the WEP+MAC address filtering for a friend's home setup. He has two addresses registered in the router: a laptop and a PC in an adjacent room. How would anyone find the MAC addresses of these two machines without access to them?

georgeou

Anyone that wants to crack it can do it in under a minute now using the latest tools. The FBI isn't using some fancy multi-million dollar secret weapon to crack WEP; they're using the free Auditor CD distro and they've cited that as one of their favorite tools.

godzillex

Thanks for your detailed reply Marty, I appreciate it. My question was really focused on discovering the various mechanisms used by intruders to access an (open) Windows system, and you seem to have done a good job explaining them, particularly with some of your colorful examples. Based on your reply, I can see that disallowing SHARED resources (drives, printers) would be something that I will need to do. FYI, I also happen to live on the paranoid side of the fence. I have a router, software firewall, anti-virus, anti-spyware, and routinely patch my OS with updates. I have also cut down the amount of unnecessary Windows services to an absolute bare minimum. To round it out, I also examine the various "auto-start" registry keys (and there are a few!) on a daily basis. And yes, I do use WPA (AES) for my wireless network. If there are any other things that you feel I must do to gain better protection, please let me know. (I particularly liked the SHARED resources tip.) Thanks.

nhahajn

Sorry, my post should have read "if" you don't care that the neighbor kid is using your connection. Which, by the way, I would care about, but a lot of people don't seem to. I would say that as cheap as routers are these days, people at home have no excuse not to upgrade to at least WPA. XP has support for it, as does most equipment people have in their home connected wirelessly. And if you don't recommend it for the home networks you are setting up and working on, you have no business doing them in the first place.

nhahajn

Yeah, but little Johnny wannabe is also going to be using Netstumbler, so not broadcasting your SSID is giving a false sense of security. If WEP is all you've got, then it's slightly better than nothing, but if you are a small business, the added expense of new WPA equipment is worth the cost. Johnny may also figure that it's worth the extra one minute to crack WEP and see what's there to test his skills - and for the fun of it. I'm only saying that telling someone that not broadcasting the SSID is any increase in security is false.

Marty R. Milette

This kind of 'don't care' attitude is the major cause of some very serious security problems coming up very, very soon! Just because "you really don't care if the bored neighbor kids use your internet access to download torrents" does NOT mean that this is not a problem. Would you perhaps care a little more if a pedophile was downloading child pornography through your connection and you were put in jail because your IP address was tracked as the downloader? Would you care a little more if terrorists were using your open WiFi connection to place VoIP calls to their terrorist buddies in Iraq, Iran or Afghanistan to help plan the next 9/11? Would you care a little more if the RIAA handed you an invoice for $500,000 for downloading pirated music, DVDs and/or software? Can't happen to you? THINK AGAIN!!! Do some searching on the web and find out just how responsible YOU CAN BE for what happens through your Internet connection. And remember one thing. YOU ARE RESPONSIBLE - YOUR name, address, personal information, credit card, bank account and everything else is LINKED TO YOUR INTERNET CONNECTION through your ISP. And think also about the ASSUMPTION OF GUILT people face now instead of the presumption of innocence that most people THINK they have. In this case, IGNORANCE IS NOT BLISS. The excuse "Duh, I guess someone used my open connection" has already been laughed out of court a hundred times. YOU ARE RESPONSIBLE. If people knew this, they may be just a little more careful about securing their systems...

salmonslayer

The issue here is that SSID is broadcast by the access point about ten times per second. Essentially, the wireless access point is shouting "I'm Fred" to everyone within earshot, ten times per second. With SSID broadcast disabled, the client must probe to find the access point. Essentially, the client is shouting "Are you there, Fred?" until Fred answers back. Up until that time, Fred remains mute. Some people have stated that since the client is broadcasting this, it can be picked up and then the person who was sniffing the airwaves now has the SSID and can use it. The only thing is, that person would have the SSID considerably earlier if it was broadcast. The biggest problem is that the typical home user doesn't understand much about security. They want something that works and when they turn the wireless on right out of the box, it works so they don't mess with it. As a result, there are a large number of access points with either the default password or no password on the router's web interface, all using DHCP with over 200 free IP addresses and a default SSID. In a recent drive, I located close to forty wireless access points. Of these, about half had the SSID of Linksys, default, etc. Needless to say, this is a much worse thing. Yes, WEP can be broken. Nobody is denying that. And yes, WEP is not suitable for a business environment. Nobody is denying that either. But little Johnny Hacker-Wannabe is going to do some wardriving and pick off the low-hanging fruit first and hit the wide open systems before he even attempts to break WEP on another system.

mm1968

Sorry guys, as a test I set up a wifi network at a friend's house. We used WEP with the longest key supported (which I didn't see); we also had the SSID switched off and MAC address filtering enabled. All I had was an *audit* distro and my laptop, first try - I'd never tried this before, never even booted up the distro before the test. Within 1 hour I had the WEP key and spoofed his MAC address and was happily surfing the web via his router. Again, this was a test; we had to prove whether WEP was viable for a WiFi network we were about to set up for one of our customers - the test proved it was not. Oh yeah, I forgot to mention, I was quite drunk whilst doing all this! Our test was done before the latest tools were released. The latest tools and procedure can break WEP in less than 1 minute. You decide, but I won't be using WEP again.

Neon Samurai

The home security system is more like running IDS software on your home network. It detects the intrusion and notifies someone. WPA (versus WEP) is more like replacing the $5 lock on the front door with a $100 lock, except that they both come in the same package and you need only pick which to take out of the box and use. Hm.. do I use this lock with a toothed key that can be bumped open in under ten seconds, or do I use this other key with the little holes drilled in its sides that can't be "bumped"? The encryption standard is still a key of some form, whereas the security system is intrusion detection. I'm not looking for debate though; just thought the clarification may be of interest.

bill.beckett

Your analogy is excellent. One that I should have used. It is much like locking your car... why do we lock our cars? They're really not "secure". We all know that if someone wants to steal it, it's as good as stolen. We lock them because it is a small, simple step towards security. Much like locking our house at night. If our valuables (or, in the computer sense, our data) are valuable enough AND the risk is high, then we take additional steps to secure them, i.e., an alarm system or, on the computer side, WPA.

Neon Samurai

I'm not saying WEP is as good as an unlocked router so just leave it unlocked. We're long past the days of "passwords are not secure so do like I do and just press Space then Enter." I'm saying that if WEP is all your router or some *key* gadget supports, then that's the best you've got to use and you shouldn't use less. I'm also saying, if your router and *key* gadgets support WPA then you have no excuse for using WEP unless you are intentionally leaving your network open for whatever reason. This is not saying "don't lock your car because a thief can get past it in ten seconds". This is saying "don't leave your car unlocked and don't think that leaving the windows rolled up (WEP security) is going to stop someone from opening the unlocked door." In my case, it was PalmOS supporting only WEP, so I could either reduce security in a crowded residential neighbourhood (wardriving territory) or use current security standards and only allow connections from WPA-supporting devices. You're right though, if WEP is the best you've got then use it. If there is the option to use something better, WEP is not the choice you should make though.

bill.beckett

Thank you, Salmon. Someone who agrees with me. My God people, I realize the thing is easy to crack, but it does take A LITTLE bit of effort. It's not like firing up kismet, then rifling through clear-text packets. I've done the hacking and cracking; frankly, the process is a pain in the a$$. WEP is insecure, yes it is. Hoping every anti-WEP person feels a little better now.

salmonslayer

"WEP is as good as leaving the router completely open." Please, tell me where you live. Obviously you feel that unless your house is secured like Fort Knox, there is no point locking it at all. Again, any security is better than no security. Yes, WEP is problematic and can be broken. But then, given enough time and energy, any security measure can be broken. Remember, security is not a state but an ongoing process. DES was once secure too. So it takes a few minutes for a person to break WEP. It also takes a few minutes for a professional car thief to steal your car. Does that mean you don't bother locking it? You use what you have. If WEP is all that you have, and you can't get another more secure router, then use WEP. If your router has other options, then by all means avoid WEP but to say that it is as good as leaving your router open is totally incorrect.

Neon Samurai

If the machines are connected by WiFi then the machine MAC is in every network packet they transmit. You just sit outside the house but within range of the router and you've got a valid MAC, IP, SSID and WEP passkey. WEP is less than a speedbump. MAC filters are only cosmetic. SSID broadcast hiding does nothing. At minimum, you should be using a WPA pre-shared key. WEP is as good as leaving the router completely open.

jim

It amuses me when I go to an office or home where they're shredding all of their "free credit card" offers, yet using WEP or nothing for their wireless LAN security. If I wanted to steal an identity, I'd sit in my car with a laptop, crack a few of those WEP nets, log into that shared "C" drive, add some startup code to their registry and check my anonymous Yahoo mail in a few days for the keystrokes to their banking and credit card sites... get the picture??? I think that's motivation enough! (I used to feel as you did until a friend of mine sat at my kitchen table and used my office laptop to crack into my home "secure enough... who would want it anyway" WEP-protected network. It took him about 5 minutes to get everything set up, and as my son started to check his myspace site, within a few minutes he was in my network!)

bill.beckett

That's fine, I understand your points, but I still say it's better than nothing. One has to be motivated enough to go to the trouble of obtaining the tools, installing them, and doing the cracking and sniffing. If you're a store, like in the aforementioned TJ Maxx incident, then yes, people will have motivation to go after your data.

IT cowgirl

Auditor CD distro is a Linux distribution with security tools which run from the CD. Use Google search and you can answer your own questions and find your own links, as well as catch up on the reality of WEP.

Neon Samurai

WEP is easily cracked these days. Besides, if your router offers WPA and WEP, why would you choose to use the lesser of the two encryption protocols? As for giving you the name of the software you need to go on a cracking spree in your own local area: ain't happening, this isn't that kind of website. I'm pretty sure the "auditor's CD" previously mentioned is the same distro I build my audit systems with. This is not some high-tech James Bond piece of gadget software worth billions of dollars we're talking about; it's a freely available tool that anyone can easily download and use. If your hardware is limited to WEP then that's the best you can use without buying better hardware. Don't fool yourself by believing WEP is anything more than a speedbump though. I've a few wifi gadgets on my own network that don't get to connect because they don't support greater than WEP, and I'm not about to leave a WEP trap door open into my house.

bill.beckett

Have to see it to believe it. What's the software called? I'll run it at work against a known WEP key.