Quote:
Originally Posted by Manorotsky
Yes, I found the encryption key, if that's what WEP is. I set the character and all. BTW, what is WEP?
PS. Thanks for responses.
WEP stands for Wired Equivalent Privacy and was the original encryption technique defined in the 802.11 standards. It was supposed to offer good security but has proven to be fundamentally flawed.
Initially, only 40-bit keys were required, but that has since risen to 128-bit.
However, based upon the fact that WEP relies on RC4 (not the strongest encryption standard), and uses 24-bit IVs (Initialization Vectors) to generate the WEP key itself, a good hacker can "listen in" and, when they have captured enough packets, can decode your WEP key. In other words, they can break your encryption.
This is often called the Airsnort attack, after the first popular tool designed to exploit it, but it was originally described as the Fluhrer style attack, after one of the authors who wrote a white-paper describing the vulnerability. Some people also call this WarDriving (or WarWalking). However, WarDriving is simply the process of driving around with a laptop and a wireless NIC, trying to find wireless networks. You would be appalled at how many are not secured properly and the WarDriver simply has to associate to get access to the network. That is what WarDriving is, not the specific cracking of the WEP encryption.
As a matter of historical (and geeky) interest, the term WarDriving is an evolution of the older hacker term WarDialing. WarDialing is the process of setting up a modem to systematically dial phone numbers, on the off chance you will eventually get a modem to respond. In the old days, most modems were simply configured to accept an incoming call, and if you were lucky enough to hit upon a number with a modem attached, more times than not you got inside that computer system. Remember, this is back in the 80s, when most large computer systems still used modems for Sys Admins to do remote management, or even send email, etc.
This is the way the hacker got into the Pentagon in the movie "War Games". Remember that movie?
Well, WarGames.... WarDialing... WarDriving.... get it?
Basically, the process is the same. Keep searching until you find an unsecured entry point and bingo... you're in.
Now, back to WEP.
The big problem with WEP used to be the fact that if a hacker collected enough packets, they could break your encryption. Originally the only way to address this was with enterprise class authentication protocols (based on something called EAP, or Extensible Authentication Protocol) that dynamically assigned a different WEP key to the user each time they logged on. When they logged on the next day, or when they roamed from Access Point to Access Point (remember large companies are generally going to have several APs on a floor), they would get a new WEP key. You could even configure the system to automatically create a new WEP key every few minutes, even if the user didn't roam. The most famous and popular EAP mechanism that provided dynamic key management (as it was called) was and still is Cisco LEAP.
By changing the WEP key every few minutes, every time the user logged on, and every time the user moved around the building, it made it very difficult for the hacker to collect enough packets using the same WEP key to successfully crack it.
But home users were still left in the dark. The only way they could avoid this kind of attack was to manually change the WEP key as often as possible. This is a pain, but you must remember that 90%+ of wireless hacking attacks are "opportunistic"; in other words, they are WarDriving attacks. If someone has to dick around capturing packets and trying to decode WEP keys, they will probably move on to somewhere less secure. But dedicated or geeky hackers do exist and they do use Airsnort. That's why it's a good idea to change your WEP key as regularly as possible.
The good news is that WPA does all this automatically for you in the background. It effectively uses a different WEP key for every single packet. In other words, no way a hacker can decrypt your WEP key in a WPA environment.
It also allows you to set up a "timer" that means both the Access Point and the client regularly agree on a brand new WEP key. This is handled by entering what's called a shared secret (or sometimes passphrase) on both devices. When the timer runs out, they both run the passphrase through an encryption algorithm and come up with a new WEP key independently. But because they both have the same passphrase, the new WEP key is identical for the Access Point and the client. Voila! You have a new WEP key and you never transmitted it over the air.
The problem lies with the length of the passphrase. Originally the specification called for a 20 character passphrase, but the equipment manufacturers whined that this was too long for their dumb customers. The standard was revised to allow for passphrases of 8 characters minimum, instead of 20. The real problem is that with a short passphrase, you can actually be more vulnerable to attack!!! In other words, if you use WPA, make sure your passphrase is at least 20 characters long. It's worth it.
So, in summary:
WEP = bad, old, vulnerable.
WPA = good, new(ish), secure if you use long passphrases
802.11i = excellent, new, rock solid Pentagon class security
WPA2 = same as 802.11i, just a different name
I haven't touched on 802.11i or WPA2 (or RSN, Robust Security Network) standards here, as they are mostly enterprise class solutions, but if anyone is interested please just ask.
Mr Mephisto
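Two of the points in the post above lend themselves to a small worked example: how tiny a 24-bit IV space really is (so that a busy network is bound to reuse IVs, which is what makes "collecting enough packets" work), and how two devices that share a passphrase can arrive at the same key without ever sending it over the air. The code below is an added illustration, not part of the original post. The WPA-PSK derivation it uses (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 256-bit output) is the one the WPA/802.11i standard specifies; the frame rate, the sample IV stream and the 20-character minimum policy are constructed here for illustration, following the poster's advice.

```python
import hashlib
import math
from collections import Counter
from typing import Iterable, List

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct WEP IVs


def expected_frames_to_first_iv_repeat(iv_space: int = IV_SPACE) -> float:
    """Birthday bound: with randomly chosen IVs, the first repeat is expected
    after roughly sqrt(pi * n / 2) frames. For n = 2^24 that is only ~5,100."""
    return math.sqrt(math.pi * iv_space / 2)


def seconds_to_exhaust_ivs(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Even a sequential IV counter wraps after iv_space frames, so at a given
    frame rate this is how long a network can run before it must reuse IVs."""
    return iv_space / frames_per_second


def find_iv_reuse(ivs: Iterable[int]) -> List[int]:
    """Defensive check: return every IV that appears more than once in a
    capture. Repeated IVs mean the same RC4 keystream was used twice."""
    counts = Counter(ivs)
    return sorted(iv for iv, n in counts.items() if n > 1)


# Constructed sample of IVs as they might be read from captured WEP frames.
SAMPLE_IVS = [0x000001, 0x000002, 0x0A0B0C, 0x000003, 0x0A0B0C, 0x000001]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    Both the AP and the client compute this locally from the shared passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def both_sides_agree(passphrase: str, ssid: str) -> bool:
    """Simulate the AP and the client each deriving the key independently;
    nothing but the SSID (already public) is ever transmitted."""
    ap_key = derive_pmk(passphrase, ssid)
    client_key = derive_pmk(passphrase, ssid)
    return ap_key == client_key


def passphrase_meets_policy(passphrase: str, min_len: int = 20) -> bool:
    """Constructed policy following the post's advice: at least 20 characters.
    The standard's 8-character minimum is the weak setting this guards against."""
    return len(passphrase) >= min_len


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"expected frames to first IV repeat: {expected_frames_to_first_iv_repeat():.0f}")
    print(f"hours to wrap a sequential IV counter at 500 frames/s: "
          f"{seconds_to_exhaust_ivs(500) / 3600:.1f}")
    print(f"reused IVs in sample capture: {[hex(iv) for iv in find_iv_reuse(SAMPLE_IVS)]}")
    ssid = "ExampleNet"  # constructed SSID
    for pw in ("password", "correct horse battery staple 42"):
        print(f"{pw!r}: agree={both_sides_agree(pw, ssid)} "
              f"policy_ok={passphrase_meets_policy(pw)}")
```

The IV numbers are the reason the post's advice about rotating WEP keys matters: a network pushing 500 frames a second must repeat IVs within about nine hours even if it never picks one at random, and random IVs collide far sooner. The PSK half shows the other side of the coin the post describes for WPA: the key both ends hold is a deterministic function of the passphrase and SSID, so a short passphrase is the only thing standing between an eavesdropper and that key.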