WEP Just Isn’t Enough Protection Anymore

The discussions about how insecure WEP is have been going on for a while. I introduced a number of you to these WEP security (or insecurity) analyses, one by the University of Berkeley, and another by the University Of Maryland, almost a year ago. Those were academic publications, and a bit heavy on theory.

Also, there was AirCrack, a WEP Key Cracking tool, provided generously to the Internet community. The instructions for AirCrack I could master, with slight difficulty.

In December 2004, and then March 2005, SecurityFocus published WEP: Dead Again, Part 1 followed by WEP: Dead Again, Part 2. These two articles outlined how WEP could be cracked, with some skill required.

In May 2005, TomsHardware, a well known computer enthusiasts web magazine, published an article, which some are calling WEP Cracking For Dummies, that suggests “After reading these two articles, you should be able to break WEP keys in a matter of minutes.”.

Part 1: Setup & Network Recon, was published in early May, and Part 2: Performing the Crack, a week or so later.

Maybe a month after WEP Cracking For Dummies, we now have WEP Cracking For Dummies: The Video, where you can watch an entire WEP crack being done before your very eyes.

The cracking process, shown in the 5 minute video, uses 3 components of the Auditor Security Collection, available online.

  • Airodump to sniff packets, and get the MAC address of an unprotected Wireless Access Point.
  • Aireplay to choose, and inject, packets back to the target, yielding the IVs when the right packets are injected.
  • Aircrack to take the IVs generated by Aireplay, and compute the key.

If made part of a bootable CD-ROM, you can run Auditor from your laptop without doing any system work – just boot from CD.

To describe the situation in plain terms, your typical script kiddie wardriver would have been found, last year, shopping at Frys Electronics. This year, at Walmart, or maybe ToysRUs.

If you’re still protecting your wireless LAN with WEP, it’s time to move up. This week, if not sooner. But, when you setup WPA, use a strong passphrase (or a random sequence).


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: