Wireless Security: Why WEP is Bad

Fellow geek Andy Riordan emailed me in regard to a video we recorded a while ago on wireless (WiFi) access points. I haven’t used WEP for wireless security since WPA was available as an option. I refuse to run anything less than WPA on my home wireless network, although it was recently revealed that WPA has also been cracked. What’s so bad about WEP? Andy’s here to explain…

WEP does indeed stand for Wired Equivalent Privacy, which is a rather hopeful name considering that WEP can be cracked in less than 60 seconds now. How? Well, when you connect to a WEP network, the router sends you a randomly generated “hello” message. The connecting machine then encrypts the message using the WEP key and sends it back to the router. The router then decrypts it with the WEP key, and if it matches the original, unencrypted (“cleartext”) message, the machine is authorized.

This is bad. Why? Well, first we have to look at how the encryption and decryption are done. You may or may not be familiar with bitwise operators, but in this case we’re dealing with “exclusive or”, XOR. XOR, like other bitwise operators, operates on bits:

0 XOR 0 = 0
1 XOR 0 = 1
0 XOR 1 = 1
1 XOR 1 = 0

To encrypt the data for WEP, the data is XORed with the key (getting “ciphertext”). To decrypt, the ciphertext is XORed with the key, reversing the operation and returning the cleartext. When you think about it, that really can be shown visually (hope it doesn’t get mauled in the mail):

Cleartext   0 1 1 0 1 0 1 1
Key         1 1 0 0 1 1 0 1
----------------------------
Ciphertext  1 0 1 0 0 1 1 0

Now, to decrypt:

Ciphertext  1 0 1 0 0 1 1 0
Key         1 1 0 0 1 1 0 1
----------------------------
Cleartext   0 1 1 0 1 0 1 1

As you can see, we end up with the original message. (Cryptography is fun!)

However, this is where the problem is. Remember what we did to authenticate with WEP – we got sent a cleartext message, and then sent back the ciphertext results. What happens when we XOR the cleartext with the ciphertext?

Ciphertext  1 0 1 0 0 1 1 0
Cleartext   0 1 1 0 1 0 1 1
----------------------------
???         1 1 0 0 1 1 0 1

That byte looks a lot like one we’ve seen before. I wonder what it could be…

Key         1 1 0 0 1 1 0 1

Well, darn. That’s our key. An attacker can get our key just by XORing two things exchanged when a connection is made. It can’t be all bad, though, since a connection has to be made before that can happen, right? How often do you disconnect a machine and reconnect it? A few times a day. They would have to be lucky to catch you doing it.

Except that there’s another vulnerability which makes booting everyone off the network and causing a reconnect easy. Thus, our friend the cracker needs only to force a disconnect of all clients, then watch for the handshake and XOR the two pieces of information exchanged between the router and one of the clients.
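The XOR arithmetic above and the handshake attack just described, carried through in code. This is an added example and not part of Andy’s email or the original post: it models WEP shared-key authentication with the real per-packet cipher, RC4 seeded with IV || key (a 40-bit key and 128-byte challenge are assumed, frame headers and the CRC-32 ICV are left out). What cleartext XOR ciphertext recovers is the keystream used for that IV, and the example shows that the keystream alone is enough to pass the access point’s next challenge without ever learning the WEP key.

```python
# Added example (not part of Andy's email): a toy model of WEP shared-key
# authentication and the keystream-recovery attack described above.
# Assumptions: RC4 seeded with IV || key and a 128-byte challenge, as in
# 802.11 WEP; frame headers and the CRC-32 ICV are left out.
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; the same function both encrypts and decrypts."""
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """The 'router' side of shared-key authentication."""

    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key  # never leaves the AP

    def challenge(self) -> bytes:
        return os.urandom(128)  # the random cleartext "hello"

    def check(self, challenge: bytes, iv: bytes, response: bytes) -> bool:
        """Decrypt the response under (IV, key) and compare with the challenge."""
        keystream = rc4_keystream(iv + self.wep_key, len(challenge))
        return xor(response, keystream) == challenge


def client_answer(wep_key: bytes, challenge: bytes, iv: bytes) -> bytes:
    """Legitimate client: encrypt the challenge with the keystream for (IV, key)."""
    return xor(challenge, rc4_keystream(iv + wep_key, len(challenge)))


def eavesdrop_and_forge(ap: AccessPoint, legit_key: bytes) -> bool:
    """Attacker who only watches the air: pull the keystream out of one
    handshake, then use it to pass a fresh challenge. Returns True when
    the AP accepts the forged response."""
    # 1. Sniff one legitimate handshake: challenge, IV and response all
    #    travel in the clear.
    chal = ap.challenge()
    iv = os.urandom(3)  # 24-bit WEP IV chosen by the client
    resp = client_answer(legit_key, chal, iv)

    # 2. Cleartext XOR ciphertext = the keystream for this IV. No key needed.
    keystream = xor(chal, resp)

    # 3. Later, answer the AP's new challenge by reusing the same IV and
    #    keystream (WEP does nothing to stop IV reuse).
    new_chal = ap.challenge()
    forged = xor(new_chal, keystream)
    return ap.check(new_chal, iv, forged)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
    print("forged authentication accepted:", eavesdrop_and_forge(AccessPoint(key), key))
```

The forged response is accepted every time because the access point checks only that the response decrypts to the challenge under the IV the attacker chose to replay; nothing in the protocol ties a fresh challenge to a fresh IV. Recovering the WEP key itself is a separate step that needs many captured packets, which is what the “under 60 seconds” tools mentioned earlier automate.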

That’s why you use WPA now. WPA is pretty much completely safe, if you have a good password. Rule 1 (or perhaps it’s 0) of security is that you never use a short, easily guessable password. Using a short, easy-to-guess password opens you up to the dictionary attack, or as I like to call it, the Gandalf attack. Scream elvish words at the router long enough and the gates of Moria are bound to open to one of them. Make the “word” long enough (32 characters is good, and is about what I use since some devices have issues with 64) and it will be impossible to guess. Again, a lock is only as secure as its combination. In your case, for instance, I don’t recommend a password of “Pixie”.
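What the “Gandalf attack” actually costs against a WPA passphrase, as an added example that is not part of Andy’s email or the original post. It goes one step beyond the text: WPA-PSK turns the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), so every guess costs 4096 HMAC computations and the same passphrase yields a different key on every network name. The simplification assumed here is that the attacker checks guesses against a known PMK; a real offline attack checks each guess against the captured four-way handshake instead, which only adds one more derivation per guess. The SSID, wordlist and passphrases are constructed for the example.

```python
# Added example (not part of Andy's email): cost of a dictionary attack on a
# WPA-PSK passphrase. Assumption: guesses are tested against a known PMK;
# a real attack tests them against the captured 4-way handshake instead.
import hashlib
import hmac
import secrets
import string


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as defined for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1,
    salted with the SSID, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Try each word in order. Returns (word, guesses used) on a hit,
    or (None, guesses used) when the list is exhausted."""
    tried = 0
    for word in wordlist:
        tried += 1
        if hmac.compare_digest(wpa_pmk(word, ssid), target_pmk):
            return word, tried
    return None, tried


def search_space(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every passphrase in `space` at the given rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def random_passphrase(length: int = 32) -> str:
    """A passphrase of the kind the text recommends: long and unguessable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist: a few common passwords plus the Elvish word that
# opened the gates of Moria.
WORDLIST = ["password", "letmein", "Pixie", "mellon", "12345678", "qwertyuiop"]

if __name__ == "__main__":
    ssid = "HomeNet"  # constructed network name
    weak = wpa_pmk("mellon", ssid)
    print(dictionary_attack(weak, ssid, WORDLIST))    # ('mellon', 4)
    strong = wpa_pmk(random_passphrase(32), ssid)
    print(dictionary_attack(strong, ssid, WORDLIST))  # (None, 6)
    # Even at a billion guesses per second, a 32-character alphanumeric
    # passphrase is never exhausted.
    print(years_to_exhaust(search_space(62, 32), 1e9))
```

Two things to take from it: the 4096 PBKDF2 rounds make each guess slow but not slow enough to save a passphrase that appears in a wordlist, and the SSID salt means an attacker cannot precompute one table for every network (only for common default names), so a distinctive SSID helps a little and a long random passphrase helps enormously.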

Now, for the banking/email question. This brings us to the realm of Diffie-Hellman key exchange. Many a beginning cryptographer has lost his life to the tangle of bits and factored prime numbers that awaits us here, so suffice it to say this: If there is an SSL connection between you and your web site of choice, you are safe. All your traffic will be encrypted, and will not be decrypted until you get to the site. You’re safe, as long as you have an SSL connection to the site itself, regardless of whether it’s an open wifi hotspot. If you don’t have an SSL connection and they give you a WEP or WPA key, don’t think banking will be secure – if they gave the key to you, they gave it to others, too!

Now, there are caveats (aren’t there always with technology?). Notice I said “If there is an SSL connection between you and your web site of choice, you are safe.” I don’t want to have to send you HTML mail, so mentally underline the first part of that sentence. What’s to stop the hotspot from saying “Ah, he’s going to ‘MyBankSite’ – take out their certificate (the part that contains their “public key” – what you use to encrypt your data to send to them. Note that public and private key encryption are one-way operations – if you encrypt something with the public key, it cannot be easily decrypted with that same key. When I say “easily”, I mean it would take a supercomputer thousands of years.) and put in our own public key. That way, we can decrypt his traffic on our end, look at it, then encrypt it with his bank’s public key and send it on.” Well, in a word, nothing is stopping them. This is known as a man-in-the-middle attack.

Wait, nothing is stopping them? How am I safe, then? Well, nothing is STOPPING them, but their key won’t be signed by a signing authority. A signing authority basically verifies that a given key belongs to a given site, and then when someone asks whether a key belongs to ‘MyBankSite’ they check their database and see. The “someone” who asks is your browser. This is done automatically in modern browsers – if you have the SSL indicator in your browser somewhere on ‘MyBankSite’ (this varies by browser – it usually comes in the form of a lock in the status bar), that means the browser has checked the site’s credentials out with a trusted authority (VeriSign, etc.) and it has checked out. If you get a site that can’t be verified but has a certificate, you will be warned – as in the case of our scheming wifi friends. Thus, if you see a warning, run far, far away.

Whew. Well, that certainly only scratched the surface, but it should help some. Glad I didn’t type that on my phone.