Eliminate WEP!

Eliminate WEP!

Summary: It's time to eliminate WEP.

SHARE:
TOPICS: Wi-Fi
21

My blogging colleague George Ou has updated his excellent article on Wireless LAN security myths that won’t die.  It's an excellent article that does an good job of "mythbusting" WiFi security myths. 

Popular WiFi myths include gems such as:

  • Using MAC filtering will prevent unauthorized machines from connecting to your network
  • Disabling DHCP and SSID makes it hard/tough/impossible for hackers to connect to your system

Both of these are totally bogus tips but you'll find both being recommended by people who really should know better.

I agree with 99.9% of what George says in the article, but there's one part that I don't agree with.  Here's the bit that puts my teeth on edge:

If WPA security isn't available to you, at least run WEP as a 10-minute deterrence mechanism.

NO!  If you have technology that keeps you bound to WEP in any way, it's time to (ethically) dispose of that kit and spend some cash.  WiFi hardware and software that can't be upgraded to support WPA should be eliminated. 

There's hardly any difference between running a WEP-protected WiFi network and an unprotected WiFi network. True, it will prevent an honest person hooking in to your network, but it's not the honest people you need to be worried about…

Eliminate WEP!

[poll id=118]

Topic: Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • Try telling that to Nintendo DS diehards

    I'll admit I'm not up on the most current news about the DS, but last I heard it still does not support WPA, only WEP. As such I know a lot of people who run their home networks with WEP. And they aren't going to trash them simply because of a network issue.
    Michael Kelly
    • Yup, PSP was like that and I slammed them for it

      Yup, PSP was like that and I slammed them for it when the Sony PSP first came out. A year later they actually fixed it.

      Nintendo should be shot for forcing people to downgrade their network security to WEP.
      georgeou
  • On the other hand

    This really only applies to a business. Home owners may not have the time/money/motivation/or need to make the change. While WPA-PSK is better, is it necessary for the average Joe? Does anyone know of hackers expending the effort to break into a person's home network? Why would they spend the time when so many are unprotected?
    mtgarden
    • Is it necessary for the average Joe?

      [i]While WPA-PSK is better, is it necessary for the average Joe?[/i]

      The answer is YES. But beyond the obvious rejoinder, there's no need to be worried about the average Joe. Worry about yourself, as that's where the rubber meets the road on such issues. So ask instead: Is it really necessary for me? Once again the answer is YES.

      For every average Joe following along, feel free to follow the same sage advice. ;)
      klumper
  • The whole point of security

    ... is to make it easier to get what you want some other way.

    Your basic front-door lock is almost trivially easy to defeat (much easier than WEP) and guards things that (I should hope) are much more valuable than some portion of your Internet bandwidth. Yet nearly all of us consider it adequate.

    OK, so WEP is easy to break. Yawn. If someone wants Internet bandwidth badly enough to sit parked in front of my house, wait for me to light up a wireless session [1], then crack the WEP key -- well, I'm more inclined to pity them than fear them.

    I suppose they could make me look bad by spamming from my IP, but that's about it -- and there are much easier ways to do it. Including the Starbucks down the street, which at least has toilets. That couple of weeks parked in front of the house has got to put an almighty strain on anyone's bladder.

    As for cracking my systems and getting access to my justly-feared recipe for Mesquite-Smoked Chile Verde, they're out of luck. All of the non-Internet traffic is encrypted independent of IEEE802 protocols.

    [1] Could be a long wait. The last one was several weeks ago.
    Yagotta B. Kidding
    • Naivety won't save your bacon

      [i]OK, so WEP is easy to break. Yawn. If someone wants Internet bandwidth badly enough to sit parked in front of my house, wait for me to light up a wireless session [1], then crack the WEP key -- well, I'm more inclined to pity them than fear them.[/i]

      I've used various sniffers and backdoor scripts before (for educational purposes mind you), so I can tell you this first hand. You have no idea who may be entering, if they're peeing in a cup in front of the house or pimping from next door (or around the corner for that matter). If they're resourceful enough to get past your ramshackle defenses, don't be surprised if they're also more resourceful than simply tabbing for free bandwidth. You may think you're locked down and hardened, but they may think (or find) otherwise. And if they happen to wear a black hat, you're as good as pwnd as the saying goes, at least to whatever extent you're exposed. On most PC's and networks weak links exist. It rarely takes long to find 'em either, at least once you're past the front gate.

      I know, I know, rootkits and keyloggers always manifest elsewhere, they're the exclusive pawnage of the weak and uninitiated, and would never happen on marginally [WEP] defended setups. Uh, right.

      So ask your self this: Do you feel lucky? Well, do you ... (well, you know how that script ends). ;)
      klumper
      • Utterly moot

        [i]I've used various sniffers and backdoor scripts before (for educational purposes mind you), so I can tell you this first hand. You have no idea who may be entering, if they're peeing in a cup in front of the house or pimping from next door (or around the corner for that matter). If they're resourceful enough to get past your ramshackle defenses, don't be surprised if they're also more resourceful than simply tabbing for free bandwidth. You may think you're locked down and hardened, but they may think (or find) otherwise. And if they happen to wear a black hat, you're as good as pwnd as the saying goes, at least to whatever extent you're exposed. On most PC's and networks weak links exist. It rarely takes long to find 'em either, at least once you're past the front gate.[/i]

        If they're going to get past the firewall, they don't have to use the wireless -- they can go straight for the Internet connection from clear 'round the globe.

        Again, the point of security measures is to make it easier to get at your valuables by some other means. There's no point in expending major efforts locking down my wireless when the same DMZ is already available via the Internet.
        Yagotta B. Kidding
        • You're just making the job easier

          [i]There's no point in expending major efforts locking down my wireless ...[/i]

          It's only moot in your mind. To a bad guy it's a matter of finding a weak link, so why leave such an obvious one in place? What is to be gained by leaving yourself exposed in this way? You do realize you can enable WPA just as easily as WEP, right? If your equipment isn't up to the task, you should consider upgrading it. Practically every router and WNIC card and adapter produced during the last few years is WPA capable (or firmware upgradeable). If improving your security perimeter is of no concern to you then it becomes a moot point indeed, but only by design. At that point I'd call it another example of [i]user error.[/i]

          Some folks wear seat belts, others don't. Even though most safety belt detractors know they should, they'll often cite the fact they're uncomfortable or too much of a "hassle". Others claim they are superior drivers and always drive defensively. Most are simply too damn lazy for their own good. Even though it amounts to a black and white safety difference, some will persist in their refusal until it comes back to bite them. C'est la vie.
          klumper
  • All Depends....

    What you have, what you need & what you want.

    As well as other factors/variables.

    I think "myth" may be too strong, in regard to Static, MAC, WEP & SSID hidding etc. As they may not the penultimate solution, but adequate in some/many situations & useful

    Yes.... WPA/WPA2 can be better. But is it necessary for everybody.

    I'm guessing the goal of this is primarily for preventing casual unauthorized bandwidth usage.

    If there is more please enlighten me..

    Very OT,
    but interested in your take on the some of the weekends news. As I think it is related to Dell & OEMs providing Linux reinstalled & support.

    HPaq (or some script reader at ) support. Indicates using Linux Violates warrantry repair for hardware.
    (a sticky/unresponsive keyboard)

    http://enterprise.linux.com/enterprise/07/03/23/1430204.shtml?tid=3&tid=7


    The other that Dell in Germany had provided a refund for someone who did not want Windows Vista & works.

    http://linux.slashdot.org/linux/07/03/25/1944209.shtml


    The last one I thought would be of interest, as you are in the UK, which may or may not be similar to the US, & easier access to others in the EU. Like Germany & France etc where they already Sell Systems with Linux.

    What are the major chains there? Do they already offer Linux preinstalled systems with support?
    LazLong
    • Don't be a casual fool

      [i]Yes.... WPA/WPA2 can be better. But is it necessary for everybody.[/i]

      The answer is YES.
      klumper
      • Yup, when it costs nothing extra and is the easiest to implement

        Yup, when it costs nothing extra and is the easiest to implement, why would anyone use anything else? It's almost like some people just need to argue for the sake of arguing.

        The funny thing is, WPA/WPA2 is actually easier than WEP 104-bit because you're entering 10 random alpha-numeric characters versus 26 HEX digits yet WPA/WPA2 is infinitely better than WEP. Even more ironically, WEP is easier than MAC filtering yet it's infinitely better.

        So it seems the more effort you put out, the less secure you are yet we have people who assume just the opposite and that they can only afford to be insecure.
        georgeou
        • No contest

          One [WEP] provides marginal protection which at this point in time amounts to illusionary safety at best, while the other protocol [WPA/WPA2] provides the real thing, an effective barrier when configured properly (which couldn't be easier to implement, as you stated). In the end the two don't even compare, so why even persist in such dead-end arguments?

          If you're going to argue this, you might as well proclaim W95 or W98 are roughly as safe as WXP SP2 or Vista, since few would care to target W95/98 machines at this late date. Now you can fool yourself this is the case, and think you're riding high and dry on one of those rickety platforms, but something called reality is going to have the last say in the end.

          Your defensive posture should never hinge around an obvious weak link, and WEP is WEAK. Today when you're running either Open or WEP, you are in effect hanging a sign that reads "Come on in and have a look around stranger, the door is unlocked. Oh and don't mind the WEP handle, just shake it a bit and she'll open right up!"
          klumper
  • I don't endorse WEP, just pointing out what it is

    I don't endorse WEP, just pointing out what it is and how it's much more effective as a deterrent than all the nonsense methods like SSID, Static IP, MAC filtering. People should try to get their free upgrades to WPA and avoid WEP-only hardware. If they're not willing to do anything, at least run WEP as a 10 minute stop gap.
    georgeou
    • free WPA upgrades not available

      I've got wifi at home and I've helped a local charity with their wifi. In many cases, there is no support for the older wifi cards. I'd enable WPA - but these cards don't have any avaliable upgrades. Charities can't afford to replace their equipment. They also need to allow certain vip visitors to use the network - even if the visitor can't use WPA.

      WPA makes sense for businesses. Perhaps it makes sense in large cities. It's hard to justify the cost in rural America where we have lower incomes and fewer attackers.
      GreggN
      • Rarely an insurmountable issue

        You can always cite some examples where budget restraints won't (or can't) budge, but for the vast majority of home networks and SOHO's, this really won't be an insurmountable issue. Being more isolated helps for sure, but if the issue spins solely around cost, most equipment upgrades won't cost an arm and a leg nowadays (beyond equipment that can simply be firmware upgraded, or buttressed with soft solutions). At least if you're looking to match or beat the performance specs of older, non-WPA gear.

        With Pre-N and N MIMO being all the rage today, the cost of models built on G, Super G and early MIMO standards have never been more attractive for home users. Currently this class offers the best combination of performance and value, some of it being almost dirt cheap when on sale. Moreover, anything produced during the last few years will be WPA (PSK) or WPA2 (AES) capable, so there is little reason not to opt for dynamic key encryption if security means anything to you. Considering we're now reaching the 4 year mark from the time of its introduction, and WEP has been proven to be easily exploited, I'd say it's about time.
        klumper
        • Who's Sending me the money to replace it?

          You know what folks, technology is not the end all be all of everyone's life! Having the latest/greatest of technology used to be a driver in my life, but then I realized what it is - a tool to make my life easier. That's it, nothing more, nothing less.

          When technology gets in the way of making my life easier, it is then a problem and gets chucked in the bin. As I responded to the original post in Georges column, I have devices that are perfectly functional but don't allow me to run as secure as I would like, but they make my life more pleasant or easier, so I live with it.

          The same is true in the real world - I just remodeled my house and put in a whole bunch of glass windows so I can see the outside world - they are easily defeatable with the most primitive tools (a rock), and sometimes I open them with only enough technology to keep out the most casual user (a screen, used to keep out bugs). If I wanted an extremely secure home I shouldn't have put in windows and doors, but steel plates. That way I am secure from a snooper looking in, bugs, and primitive and advanced attacks like rocks.

          But, since wireless security seems to be more important than usability I would ask which of you folks that is proposing replacing all my gear with WPA compliant devices please send me a check? I will be needing a new wireless music streamer (AppleTV will do nicely - $299), a new PDA (A dual mode will work for me - $999 w/out contract), and a new laptop for my wife ($699 should about do it). So if any of you are ready to send me the $2000 necessary to secure my WiFi to you standards I will live with security that is good enough for me.

          Personally I would rather spend $2,000 on a new dock (that I can see through my insecure windows) and on some wine to drink with my wife while I connect wirelessly from the end of it with my PDA...
          ruprick_z
          • You'll think twice about heightened security if you get pwnd

            [i]You know what folks, technology is not the end all be all of everyone's life! Having the latest/greatest of technology used to be a driver in my life, but then I realized what it is - a tool to make my life easier. That's it, nothing more, nothing less.[/i]

            While this is true in one vein, you'll think twice about heightened security once you get pwnd. Sadly this occurs everywhere, and often when you least expect it. Hopefully it won't happen to you, but in general things are only going to get worse before they get better. And it goes without saying, the more complex your electronic reach, the harder it is to bring the whole matrix up to effective standards. It's simply the price you pay for being spread wide on gadgetry and doohickeys, and thin on security. To one extent or another we're all victims of this curve. All you can do is look to shore up the weak links anywhere you can, while being mindful your "reach" doesn't supersede too wildly the basic primers of security.
            klumper
  • WEP is better than nothing or the myths.

    Although minimal effect, WEP does provide an actual level of protection. Granted, this is like using tempered glass in place of bullet proof glass to protect Bank tellers from robbery.

    Compare this to turning off the AP Broadcast which is similar to installing miniblinds to hide the bank.
    nucrash
    • It doesn't protect you from me

      And that isn't saying much.
      klumper
      • If I really wanted to screw with hackers...

        I would let them on to my WEP WLAN, but here is the kicker... I wouldn't have that Wireless AP go to anywhere but a Firewall and require all clients to VPN past it. This is what we had to do pre WPA days.

        Who is to say I am not doing the same at home ;)
        nucrash