Hack most wireless LANs in minutes!

Hack most wireless LANs in minutes!

Summary: Even after two years of WPA certification and nearly one year after 802.11i ratification, you might be wondering why I'm still talking about WEP encryption.

SHARE:
TOPICS: Wi-Fi
39

Even after two years of WPA certification and nearly one year after 802.11i ratification, you might be wondering why I'm still talking about WEP encryption. The fact is, I would love to stop talking about it if there weren't such an overwhelming percentage of corporations, retail outlets, and hospitals still using WEP. Although WPA brought us TKIP (think of TKIP as WEP 2.0) encryption and 802.11i brought us AES encryption, the upgrade process has been extremely painful and many products still don't support TKIP let alone AES. The sad state of wireless LAN security is that the majority of corporations and hospitals still use dynamic per-user, per-session WEP keys while the majority of retail outlets that I've seen still use a single, fixed WEP key.

In the past, a hacker was at the mercy of waiting long periods of time for legitimate traffic on a wireless LAN to collect 10 million of packets to break a WEP key. In my previous blog on this topic, which was based on Mike Ossmann's WEP article, I alerted you to the startling fact that even wireless LANs that used 802.1x/EAP authentication to dynamically assign unique per-user, per-session WEP keys were no longer safe against WEP hacking since WEP cryptanalysis had improved 50 fold. Instead of waiting for hours or even days for those 10 million packets, you now only needed about 200,000 packets to break WEP. Even though dynamic WEP key rotation could change a user's WEP key every few minutes or so (note that key rotation isn't always implemented by default), the new WEP cryptanalysis techniques put even dynamic WEP in striking range. Now with the new active attacks on WEP described in Ossmann's follow-up article, hackers no longer need to passively wait for legitimate packets on a wireless LAN because they can actively inject packets into a wireless LAN to ensure a speedy packet collection session. The end result is, any WEP based network with or without Dynamic WEP keys can now be cracked in minutes! If you're scared, you should be and you'd better go back and read the recommendations in the end of my previous blog if you're still running WEP in any form.

Topic: Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

39 comments
Log in or register to join the discussion
  • One solution

    is to GIVE IT UP! If you can access the LAN, then you can break into it - its the same reasoning as DRM - if man can make it, man can break it. "Wireless security" SHOULD be a oxymoron. The "wireless realm" should be an EXACT replica of the "real world out there" - wild, dangerous and untamable. When I come home, and lock my doors and turn out the light - I have done most everything I can to be "secure" from the "outside world". The chance of someone breaking in and attacking me is EXACTLY the same chance that some security hole can be exploited in WEP/WEP2/AES. If you can accept that LIFE is a b*tch and then you die - you can accept that TRUE wireless security can contribute to the b*tch part.

    The WiMAX steamroller will require universal access - and anonomous sharing of bandwidth. This is akin to TRUE FREEDOM - and of course, true freedom has its costs.
    Roger Ramjet
    • You're very confused

      To lump WEP, WEP2, and AES together is utter nonsense. To lump WiMAX which is a wireless ISP technology and not wireless LAN is also silly. To say that wireless LANs can't be as secured period tells me you don't know what you're talking about.
      george_ou
      • Name Calling

        george_ou, try backing your assertions up with facts and information instead of just calling other posters "silly" and claiming they don't know what they are talking about. I thought these forums were for constructive conversations, not name-calling when someone disagrees with your article. By the way, I didn't think "Chicken Little" was due for release until later this year. Is the sky really falling?
        gsvanwinkle
        • Clarifications

          Mr. Vanwinkle,

          If you thought my calling someone's COMMENTS silly is offensive to you, I'm sorry. However, please don't put words in my mouth since I NEVER called a poster silly. One thing that I can assure you is that the original blog is quite factual and accurate.

          On the other hand, it seems quite hypocritical for one to take such offense at alleged (but untrue personal attacks) and turn around and call someone "chicken little".
          george_ou
          • Prophecy

            I've read several of your articles. Doom and Gloom and prophecy of impending disastrous consequences are not uncommon themes in them. Histrionics are rather unconvincing. While it's well documented that Identity Theft is a fast growing crime and that the amount of time and money a victim spends trying to correct their records is extreme, I don't see you providing any ties between your wireless security threats and those victims. What percentage of the stolen identity information was purloined from your perceived wireless network shortfalls.

            More important, what happens when the next set of hacks make it so that your recommended security scheme is able to be hacked in minutes? There will always be a way around the system. I'd rather see the time and money spent attacking the real sources of the identity theft. Track down the thiefs. Prosecute them. Sentence them to lengthy prison stays, and let the rest of us enjoy our lives.
            gsvanwinkle
          • Why are you changing the subject?

            What do you mean "perceived"? What part of my blog or the linked articles from Mike is not factual? What part of the fact that most Hospitals and Retail outlets and even corporations can be broken in to in minutes?

            Just because YOU don't see it doesn't mean it doesn't exist. While I completely agree with your stance on being tough on criminals (which our current systems lacks due to certain politics), that is not in the scope of my blog. This blog focuses on a particularly easy vector of attack that is very popular with hackers and cyber criminals.

            The other thing is, why are you speculating about the soundness of good security standards and spreading FUD that they?re just as easy to break? While it?s true that all security mechanisms eventually need to be updated, good security protocols like SSL/TLS based authentication and AES encryption have been rock solid for years without incident. AES? predecessor DES has been cryptographically sound for nearly three decades and only lacks in key length and has since been upgraded with 3DES and then AES. So what if it is possible that future security standards will need to be updated too? Are you simply suggesting that we just all give up period?

            You?ve made many wild allegations at me for which you provide zero evidence to back up. You?ve called me a shill, a shill for who? You?ve questioned the integrity of my original blog yet you fail to point out any specific flaws. You?ve claimed that I have used personal attacks because I labeled some comments silly, yet you?re the one that labels me ?chicken little?. Then you turn around and spread FUD about the recommendations that I am making with nothing to substantiate your claims. Do you see a problem here?
            george_ou
          • The lady doth protest . . .

            I do see a problem here. Your histrionics.

            Where's your evidence?

            By the way, You used the word shill, not me.
            gsvanwinkle
      • Not so

        If I deploy a fake WiFi server in your area, and your machine connects and allows you internet access, then I can intercept and decode your data - since it has to go out over the (hardwire) internet in another form. Now where's your vaunted security?

        What I am saying is that you should treat wireless connectivity as hopelessly insecure - and take steps accordingly. That means that you encrypt things EXPLICITLY - and NOT rely on the underlaying WEP or whatever to do it for you. In the future, when WiMAX is ubiquitous and public sharing of bandwidth is the next great evolution of "share" or "open", security over wireless cannot be guarenteed. I'm just saying don't even do it.
        Roger Ramjet
        • Not with server side authentication

          The "evil twin" network doesn't work against EAP-TLS or PEAP based networks. You have to have a server side certificate that I trust before you can get me to connect to you. This is why in my previous blog http://blogs.zdnet.com/Ou/index.php?p=28 and http://blogs.zdnet.com/Ou/index.php?p=28, I recommend that even hotspots implement server side certificates to eliminate the evil twin.

          There is no difference between building a VPN that you trust because it secures layer 3 to building a Wireless LAN that you trust which secures layer 2. Actually, the Wireless LAN is a little more secure since it secures you deeper down on the OSI model. Both must use strong authentication based on PKI and both must use strong encryption based on AES. This is why I say it is wrong to suggest that a secure Wireless LAN is a fool's errand.

          As for WiMAX, that is the same as a hotspot though I still recommend the use of PEAP authentication to avoid password theft. A good VPN would have to be used for secure access to a private LAN. Still, this is off topic.
          george_ou
  • It'll take real pain to resolve the issue

    Until some serious losses start to mount for users of WEP, they'll continue to use it. The pain has to be greater in it's use than the pain to ditch "functioning" equipment before users/purchasers will feel compelled to kill off their current investment and dump more money into equipment.

    While Roger Ramjet would have us curl up and die, I think it's more productive to see that WEP was simply the first attempt at shelter, continuing Roger's analogy. Of course the lean-to isn't very secure. But we progressed and now have reasonably secure homes. If we didn't, we'd sit around with shotguns on our laps huddled in the corner, which of course most of us don't do.
    ejhonda
    • Wasn't talking about the home

      I'm not talking about the home in this blog. Homes are probably much easier to secure than a large organization because of its small scale. All that is needed for decent home security is to use WPA-PSK which doesn't even require an authentication mechanism so long as a random string is chosen for the PSK.
      george_ou
      • Sorry to confuse you

        "The home" was only being used as an analogy, brought up by an earlier post. Everything that was said is applicable to the commercial environment.
        ejhonda
        • Good Analogy

          The analogy of the homes was good, but for a different reason. The strength of shelters are usually based more on environment than a fear that someone is going to break in. Go to comfortable tropical environments where the only thing to worry about is rain, and that's what the shelter protects against. Move to a more hostile climate with snow, wind, and violent storms and the shelters become more substantial to defend against them.

          Until the need is there, we don't build something stronger. When was the last time you heard of someone in Hawaii insisting on R-22 insulation?

          Same for WPA over WEP security. Until there is a physical need for it (read that to mean hacks costing more than the upgrade), most companies won't care or bother.
          gsvanwinkle
          • Still, it IS irresponsible to do that ...

            I agree with you that most companies won't bother until the hacking costs outweigh the upgrade costs.

            However, I still think that it's irresponsible for companies to do such things, and then claim that they actually care about my privacy.

            If my insurance company, hospital, bank or whatever implements a wireless LAN, and my personal information gets out because somebody throws up a fake server, it's bad for me, and I won't even realize that I've been compromised.

            If companies keep wanting to shoot for the lowest, level and then be dragged kicking and screaming upwards, I don't want to deal with them.
            coffeenite
          • Your Options

            You certainly have the option of choosing which companies you want to deal with, as does everybody else. Keep in mind, your information has been subject to compromise ever since records have been kept. Identity theft is nothing new, it went on for decades before wireless networks existed. Early cases involved people faking charge card invoices manually. There is no surefire solution. I favor stronger prosecution and sentencing of the violators.
            gsvanwinkle
  • The issue CANNOT be resolved until...

    The manufacturers of wireless devices get off their collective asses and start putting WPA support that people are buying these days.

    I'm not talking about cards and routers. I'm talking about things such as Media Receivers, etc...

    If you look at most of the non-card/router devices on the market you'll see "802.11g Support" written all over the box in big letters. But when you go to config them, you'll find that the vast majority of them do NOT support WPA, only WEP.

    Even brand-new devices just being shipped are guilty of this.

    And since you can't enable WPA on the router unless ALL devices support WPA, guess what. Everyone ends up going back to WEP eventually.

    So THERE is your problem.
    BitTwiddler
    • Selling new WEP only devices should be illegal

      Good point on the media receivers. Some brand new products that are being released this year and just announced at this year?s CES had WEP only support. This isn?t just shameful, it should be a crime. For example, Buffalo and D-Link are guilty of this with their media receivers. It?s been 2 years since WPA was released and there is no excuse to not support it on a brand new device.
      george_ou
      • Good luck

        I can go to the local Home Depot today and purchase a gas appliance (ventless stove) that is illegal to install or use in the state of NY - the same state it's being sold in. Now why would I want to purchase it if I can't legally use it? Yet Home Depot (and others) continue to sell them to unwitting consumers.

        With that logic still ringing in your ears, I say good luck in trying to legislate something like WEP out of existence when you can't even bar the sales of something that was deemed unsafe for use.

        As far as the excuse, it probably boils down to the same excuse Microsoft has hid behind in their lax security settings: make it as simple as possible for the consumer. WPA adds complexity to the setup compared to WEP.

        As always, the money is the only thing that business will listen to. As soon as WEP stops selling, then vendors will stop producing WEP devices.
        ejhonda
        • Sooner or later guys like you bring up Microsoft

          Actually, Microsoft and their Access Points (now discontinued) were the first on the market with a simple XML based security scheme and the first to default to a secure wireless setup. You just took the floppy to another computer and set it up with a few clicks. Their current version uses a USB stick standard and it's very easy to set up. WPA-PSK mode is actually much simpler than WEP.
          george_ou
  • Cost vs. Benefits

    The benefits of upgrading to a "Temporarily" secure wireless network needs to outweight the costs of the upgrade. If it's going to cost a business $$$ to refit all of their wireless network, and they've seen no evidence of hacking, you're going to be hard pressed to convince them that the upgrade is essential. Keep in mind that the current mindset is that, "No matter what technology is used, eventually it will be hacked. Why spend the money if we haven't had the problem yet?"

    Shrill rantings over the risks won't change corporate mentalities. Only costs incurred as a result of a hack will change it. As far as making it "a crime" to sell anything less than your recommended security scheme of the moment, I've seen enough regulation over too many products to last me 10 lifetimes.

    The $$$ bottom line is what will control the security needs of most companies. If their current system isn't incurring losses or costs, they won't mess with it.
    gsvanwinkle