Breaking and Entering: WEP Whacked Again
by Arnold Reinhold, Principal
Wired equivalent privacy (WEP) is a security protocol commonly used with the wildly popular WiFi (802.11) wireless networks. It’s no secret that the encryption scheme used in WEP has serious flaws. At a recent presentation to the Information Systems Security Association, a team from the FBI demonstrated their ability to break into any WEP-protected network in a matter of minutes. According to the FBI team, it usually takes five to ten minutes, but the demo break took just three.
The FBI used the latest generation of WEP-cracking tools, widely available on the Internet. Older methods required accumulating a large number of message packets, something that can take hours on a lightly used network. The newer tools force the network to send the required packets, whether the network is in use or not, hence the fast crack times.
The implication of this demonstration is that enterprises should switch to more robust security systems to protect their wireless nets. The strongest solution is to use secure tunneling software, such as IPSec for all connections to the corporate network. Next best is to employ WiFi-protected access (WPA), the successor to WEP. WPA comes in two flavors: the basic variety WAP that is backwards compatible with most network cards on the market (but not all base stations), and WPA2 which uses the stronger 802.11i protocol, including AES encryption. WEP2 works only with newer equipment. While WPA2 should be spec’ed for initial network buys, WPA is far stronger than WEP and make sense for network upgrades.
Both WPA and WPA2 operate in two modes: “enterprise” and “personal.” Enterprise is more complex and expensive to install because it requires the use of a RADIUS server to manage keys, but the greater security is worth it. The personal version, which is typically used in homes, small offices, and branch offices of larger organizations, requires each user to enter a common password or passphrase. If personal-mode users select the typical 6-8 character passwords that corporate networks require for login purposes, the resulting system will still be insecure. A password with a minimum of 14 randomly selected letters should be used with WPA and WAP2 personal modes.
The situation surrounding wireless security is fairly alarming. A recent drive-by survey in Andover, MA, found that 60 percent of wireless sites had no security. A similar survey in London (UK) revealed 67 percent of sites with no security enabled. Part of the problem is that it is easier to implement wireless networks without enabling security, and once a network is set up, administrators seem loathe to look back. They invariably find other tasks to occupy their attention. This seems to be the case even though security incidents are still escalating and wireless hacks are frequent. Almost all the sites that enable security use WEP, even though its insecurity has been known for years. It is as easy or even easier to use WPA as it is to use WEP. Many WEP systems require a long hexadecimal code to be entered, while WPA requires only a password or passphrase. Not only is it still possible to buy wireless products that use WEP, but most make you hunt for the WPA option. Vendors could help by making WPA the default security choice instead of WEP.