News

WEP: Wireless security's broken skeleton in the closet

Andrew R. Hickey

Wired Equivalent Privacy (WEP) as a wireless security solution has been analysts' wireless whipping boy for years. But, for some reason, many companies still have some level of WEP in use within their organizations.

Recently, however, a team of German researchers devised a new attack against WEP that can cause it to fail in roughly 20 seconds on a busy 802.11g network and 80 seconds on 802.11b. If the network is idle, it can cause WEP to fail in 52 seconds on 802.11g or just over three minutes on 802.11b. This new attack uses the aircrack-ptw algorithm.

Many experts agree that although this new way to crack WEP and expose the network is frightening, it should serve as an additional reminder that WEP isn't all that secure in the first place and that companies should be looking at newer wireless security standards such as WPA or WPA2.

"It's just yet another wake-up call to the people who should be using the standardized WPA2," said Burton Group senior analyst Paul DeBeasi. "It's a reminder of how fast someone can crack into your network and access information."

Lisa Phifer, vice president of Core Competence Inc., took DeBeasi's warnings one step further.

"WEP was broken back in 2000, and better solutions -- first WPA, now WPA2 -- have been readily available for five years," she said. "Any company that cares about WLAN security should have migrated off WEP a long time ago."

WEP cracking tools have been getting steadily faster over

Requires Free Membership to View

the years by reducing the traffic required to guess a WEP key, according to Phifer. The latest attack scenario reduced the time required to crack a WEP key from an hour to less than a minute, using active packet injection. Still, with WEP's inherent lack of security, she said, the new cracking tool may have little impact.

"Anyone with incentive to crack your WEP key can probably wait an hour," she said. "Those WLANs still using WEP keys due to legacy equipment are probably not using anything like 802.1x to automatically refresh those keys. If a static WEP key is used for six months, an hour isn't going to greatly impact their window of exposure."

Phifer doesn't mince words when telling companies how to protect themselves from WEP cracking and other vulnerabilities: "Avoid using WEP. I can't stress that enough."

She suggests that companies retire and replace legacy devices that don't do at least WPA-PSK.

"But, if you really can't do that, isolate WEP devices on their own VLAN/subnet and do everything you can to permit only expected traffic from known devices," Phifer said. "For example, block all but expected application connect requests and authenticate the device/user when they connect to the application server. This won't keep traffic private, but it will stop key crackers from penetrating further into your network. If you have a wireless IPS, configure it to alert you to active WEP cracking attacks, and decide what action to take -- shut down affected APs, re-key devices, physically track down the intruder."

AirDefense, maker of a WLAN protection platform, this month introduced a WEP cloaking module designed to help companies preserve their investment in legacy handheld devices and to avoid the costs of expensive upgrades and training.

The WEP cloaking module uses the AirDefense Enterprise platform using wireless sensors to protect handheld devices from passive and active attempts to crack WEP encryption keys.

AirDefense makes a tool to protect WEP deployments, but David Thomas, vice president of product marketing, said companies should still be looking to upgrade.

"We've been out there telling customers for a long time that WEP is obsolete and they should get rid of it," he said. "But certain folks have a great number of embedded devices, and they're too costly to get rid of."

In retail, for example, many devices support WEP only and run at about $2,000 apiece, meaning an upgrade would cost a great deal.

"When they're looking at upgrades, it costs a fortune," Thomas said, citing one AirDefense retail customer that would have had to pay $8 million for device upgrades. "It's not that they don't want to do it. If customers have a way to proactively move away from WEP, we want them to."

Thomas noted that the recent finding by researchers confirms the need to phase out WEP and reinforces the idea that tools like AirDefense's WEP cloaking module should be a stop-gap solution.

"Research like this is always an interesting and good thing," Thomas said. "It's basically saying that WEP is broken again."

Many companies feel "guilty" about still using WEP, he said, and for many it's a skeleton in the closet.

The WEP cloaking module lets companies transition from WEP to WPA or WPA2 at their own pace, Thomas said. It's a stop-gap solution that allows them to upgrade on their own time.

DeBeasi called it "unfortunate" that many companies still use WEP. Still, he is quick to admit that in the world of WLAN security, "as bad as WEP is, it's better than nothing. It's so easy to take it out of the package, turn it on and that's that."

DeBeasi said some companies avoid deploying newer wireless security standards like WPA and WPA2 because they can be seen as complicated and have many moving parts. Upgrading requires supplemental software on laptops, configuration of network infrastructure, configuration of back-end authentication servers, and other steps.

"For some, security is a tad complicated," he said.

Some companies that still use WEP -- like the companies AirDefense targets with its WEP cloaking module -- probably can't afford to buy the equipment necessary to upgrade to WPA or WPA2. Some can't afford to upgrade laptops that support WPA clients. Many retail companies, for example, use barcode scanners and other devices that can only support WEP.

"If a company is still using WEP, I tell them, 'I'm glad you have something on, but...'" DeBeasi said, adding that for those who went from having no wireless security to using WEP, he reminds them, "Don't rest on your laurels."

According to Phifer, companies that use devices that won't integrate with WPA should be the only exception to the rule.

"There are certainly exceptions like small-footprint devices with old embedded Wi-Fi chips that don't speak WPA -- point of sale terminals, barcode scanners, handsets," she said. "Companies that are unable or unwilling to upgrade those legacy devices were already extremely vulnerable to WEP cracking before aircrack-ptw."