Tag Archives: wep

Wireless Security: Why WEP is Bad

Fellow geek Andy Riordan emailed me regarding a video we recorded a while ago on wireless (WiFi) access points. I haven’t used WEP for wireless security since WPA was available as an option. I refuse to run anything less than WPA on my home wireless network, although it was recently revealed that WPA has also been cracked. What’s so bad about WEP? Andy’s here to explain…

WEP does indeed stand for Wired Equivalent Privacy, which is a rather hopeful name considering that WEP can be cracked in less than 60 seconds now. How? Well, when you connect to a WEP network, the router sends you a randomly generated “hello” message. The connecting machine then encrypts the message using the WEP key and sends it back to the router. The router then decrypts it with the WEP key, and if it matches the original, unencrypted (“cleartext”) message, the machine is authorized.

This is bad. Why? Well, first we have to look at how the encryption and decryption are done. You may or may not be familiar with bitwise operators, but in this case we’re dealing with “exclusive or”, XOR. XOR, like other bitwise operators, operates on bits. If the two input bits are 0 and 0, it puts out 0. If they are 1 and 0, it puts out 1. If they are 0 and 1, it puts out 1. If they are 1 and 1, it puts out 0.

To encrypt the data for WEP, the data is XORed with the key (getting “cyphertext”). To decrypt, the cyphertext is XORed with the key, reversing the operation and returning the cleartext. When you think about it, that really can be shown visually (hope it doesn’t get mauled in the mail):

Cleartext   0 1 1 0 1 0 1 1
Key         1 1 0 0 1 1 0 1
Cyphertext  1 0 1 0 0 1 1 0

Now, to decrypt:

Cyphertext  1 0 1 0 0 1 1 0
Key         1 1 0 0 1 1 0 1
Cleartext   0 1 1 0 1 0 1 1

As you can see, we end up with the original message. (Cryptography is fun!)

However, this is where the problem is. Remember what we did to authenticate with WEP – we got sent a cleartext message, and then sent back the cyphertext results. What happens when we XOR the cleartext with the cyphertext?

Cyphertext  1 0 1 0 0 1 1 0
Cleartext   0 1 1 0 1 0 1 1
???         1 1 0 0 1 1 0 1

That byte looks a lot like one we’ve seen before. I wonder what it could be…

Key         1 1 0 0 1 1 0 1

Well, darn. That’s our key. An attacker can get our key just by XORing two things exchanged when a connection is made. It can’t be all bad, though, since a connection has to be made before that can happen, right? How often do you disconnect a machine and reconnect it? A few times a day. They would have to be lucky to catch you doing it.

Except that there’s another vulnerability which makes booting everyone off the network and causing a reconnect easy. Thus, our friend the cracker needs only to force a disconnect of all clients, then watch for the handshake and XOR the two pieces of information exchanged between the router and one of the clients.

That’s why you use WPA now. WPA is pretty much completely safe, if you have a good password. Rule 1 (or perhaps it’s 0) of security is that you never use a short, easily guessable password. Using a short, easy-to-guess password opens you up to the dictionary attack, or as I like to call it, the Gandalf attack. Scream elvish words at the router long enough and the gates of Moria are bound to open to one of them. Make the “word” long enough (32 characters is good, and is about what I use since some devices have issues with 64) and it will be impossible to guess. Again, a lock is only as secure as its combination. In your case, for instance, I don’t recommend a password of “Pixie”.

Now, for the banking/email question. This brings us to the realm of Diffie-Hellman key exchange. Many a beginning cryptographer has lost his life to the tangle of bits and factored prime numbers that awaits us here, so suffice it to say this: If there is an SSL connection between you and your web site of choice, you are safe. All your traffic will be encrypted, and will not be decrypted until you get to the site. You’re safe, as long as you have an SSL connection to the site itself, regardless of whether it’s an open wifi hotspot. If you don’t have an SSL connection and they give you a WEP or WPA key, don’t think banking will be secure – if they gave the key to you, they gave it to others, too!

Now, there are caveats (aren’t there always with technology?). Notice I said “If there is an SSL connection between you and your web site of choice, you are safe.” I don’t want to have to send you HTML mail, so mentally underline the first part of that sentence. What’s to stop the hotspot from saying “Ah, he’s going to ‘MyBankSite’ – take out their certificate (the part that contains their “public key” – what you use to encrypt your data to send to them. Note that public and private key encryption are one-way operations – if you encrypt something with the public key, it cannot be easily decrypted with that same key. When I say “easily”, I mean it would take a supercomputer thousands of years.) and put in our own public key. That way, we can decrypt his traffic on our end, look at it, then encrypt it with his bank’s public key and send it on.” Well, in a word, nothing is stopping them. This is known as a man-in-the-middle attack.

Wait, nothing is stopping them? How am I safe, then? Well, nothing is STOPPING them, but their key won’t be signed by a signing authority. A signing authority basically verifies that a given key belongs to a given site, and then when someone asks whether a key belongs to ‘MyBankSite’ they check their database and see. The “someone” who asks is your browser. This is done automatically in modern browsers – if you have the SSL indicator in your browser somewhere on ‘MyBankSite’ (this varies by browser – it usually comes in the form of a lock in the statusbar), that means the browser has checked the site’s credentials out with a trusted authority (VeriSign, etc.) and it has checked out. If you get a site that can’t be verified but has a certificate, you will be warned – as in the case of our scheming wifi friends. Thus, if you see a warning, run far, far away.

Whew. Well, that certainly only scratched the surface, but it should help some. Glad I didn’t type that on my phone.
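The XOR property that Andy’s bit tables walk through, as an added example that is not part of his email or the original post: the one-byte values reproduce his table, while the longer challenge string and key are constructed for illustration.

```python
# Added example (not part of Andy's email): the XOR step the tables above
# walk through, written out so the "cleartext XOR cyphertext = key" result
# can be checked on real bytes.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings bit by bit."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def bits(data: bytes) -> str:
    """Render bytes as the spaced 0/1 rows used in the post's tables."""
    return " ".join(" ".join(f"{byte:08b}") for byte in data)

# Constructed values reproducing the single-byte example in the email.
CLEARTEXT = bytes([0b01101011])
KEY = bytes([0b11001101])

def encrypt(cleartext: bytes, key: bytes) -> bytes:
    """Cleartext XOR key gives cyphertext."""
    return xor_bytes(cleartext, key)

def decrypt(cyphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the same operation decrypts."""
    return xor_bytes(cyphertext, key)

def recover_key(cleartext: bytes, cyphertext: bytes) -> bytes:
    """What anyone who saw both the challenge and the reply can compute."""
    return xor_bytes(cleartext, cyphertext)

def handshake_exposes_key(challenge: bytes, key: bytes) -> bool:
    """Model the authentication exchange: the router's challenge is sent in
    the clear and the client's XOR-encrypted reply follows. True means an
    observer of those two messages now holds the key for every byte."""
    reply = encrypt(challenge, key)
    return recover_key(challenge, reply) == key

if __name__ == "__main__":
    cyphertext = encrypt(CLEARTEXT, KEY)
    print("Cleartext  ", bits(CLEARTEXT))
    print("Key        ", bits(KEY))
    print("Cyphertext ", bits(cyphertext))
    print("Recovered  ", bits(recover_key(CLEARTEXT, cyphertext)))
    # A longer constructed challenge shows the property holds per byte.
    print(handshake_exposes_key(b"hello-wifi-client", bytes(range(17))))
```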

How to Secure Your Wireless Network


One community member wrote: “After years of mistrust about wireless networks and creative use of Ethernet cabling I have now adopted a wireless network in my home for a laptop to access anywhere in the house. I have over the past week, done a lot of research and have some tips the community might want to consider in relation to the setup and/or use of wireless networks.”

Here are actually TWO Top 5 lists for helping make your wireless network more secure!

  • Am I secured? If you haven’t set up security passwords yourself then it’s not likely that you will be secured. To find out, simply go to ‘My Network Places’ on your PC and scan for your wireless network. In the list that appears, there should be a picture of a padlock next to the name of your network. If there is no padlock, then you need some security.
  • Use WPA. Most new routers now offer WiFi Protected Access (WPA) passwords as well as Wired Equivalent Privacy (WEP). WPA offers increased security, and if your computer and other hardware is compatible, you should always use WPA as it is far harder to hack into than previous encryption methods.
  • Added security. You should also always have comprehensive anti-virus software such as Norton or McAfee installed on your computer to protect you from viruses that can open your PC up to hackers. Make sure that these are always kept up to date by regularly checking for updates on the provider’s website. You should also use a firewall – many routers have one built-in but you should run one on your PC too.
  • Isolate your wireless signal. Wireless isolation works to make your signal invisible to anyone searching for WiFi in your area. It is built in to some routers but must be physically enabled by the user – so check your router’s manual for tips on how to do this.
  • Use an access list. If you’re still worried, you can create an access list. All computers have their own Media Access Control (MAC) address – a way of identifying each individual computer – and you can tell your router which MAC addresses it can allow access to; blocking all others. This means that anyone wanting to use your wireless signal would not only have to have your password but would have to be on the access list too.
  • Encrypt it! The first and most important consideration if you are thinking of running a wireless network is to make sure that you have not left the network totally unsecured. I say totally unsecured, as no network is ever 100% secure, and this is especially the case with wireless networks, as they allow easier access for potential unsavory characters to get in. An unencrypted wireless connection can allow anyone within the range of your wireless signal to immediately connect to it and start using your Internet connection for personal and/or criminal purposes and also access any files you may have shared on the hard drives of the machines connected on the network.

    There are many guides available on securing your wireless network available on the Internet and your router’s manual should also provide a guide in doing so. A lot of the terminology and setup options may at first seem very technical to you but the couple of hours of research/setup is valuable time to spend where your privacy is concerned.
  • Be aware what you share. Most people using a wireless network, or any network for that matter, usually want to share files between computers on the network. Make sure you do not share any files in these shared areas which are in any way confidential or important enough that you would not want anyone to potentially see them. For example, you might want to share some mp3s on a computer to listen to on another computer in your house, which is fine; however, sharing, say, a document with your bank details etc. on it is a definite no-no.

    If totally unsecured, anyone within range of your wireless network can access any of these files without you noticing. Securing your wireless network will 99.9% of the time stop this intrusion but as mentioned no wireless network is 100% secure so just avoid sharing important files.

  • Be aware of public hot spots. There are many wireless hot spots in coffee shops; in general, wireless is everywhere! And where there is an abundance of something there are usually some individuals lurking about ready to exploit it. If you are thinking of using, or do use, these wireless hot spots there are some things to remember. Turn off your shared files; even if they are only mp3s, it is still wise to make sure nobody can access your hard drive.

    Make sure any sites where you enter login details are secure. This can normally be determined with ‘https’ in the URI in the address bar or the padlock symbol in the bottom right of your browser window. This is because computers sharing the same network as you can (with the right software) see exactly what you are sending or receiving over that network unless that information is encrypted. This also means that it is possible for someone to snoop in on what websites you are visiting or the email you are sending (be aware that most secure sites merely secure the login details you enter, after that everything is visible on the network) so it is advisable to be a bit conservative on what you do on the Internet in these places. It is certainly a wise idea to wait until you get home to check your bank balance online or make an online purchase.

  • Keep your computer up to date and behind a firewall. Making sure you have your computer’s operating system up to date, a virus program installed and a firewall initiated on your machine should be something you have implemented anyway. However with the increased security risk a wireless network can expose you to, these things are totally essential in keeping you safe and secure. It is also the case I have found that users will often keep their main desktop computer up to date but neglect a laptop that they do not use as often. These laptops are likely the candidate machine that the user will be using to access a wireless network.
  • Turn it off. Simple yet most effective tip. If you are a moderate user simply turn your router/wifi off when you are not using it or schedule the wireless connection to only be off at times you know you will not be using it. If it is off then your wireless network is 100% safe.
