WEP: Even Deader Than Before


It takes about a minute to microwave a cup of coffee, make a bed -- or crack Wired Equivalent Protocol (WEP) security.

It's long been known that WEP is insecure. Indeed, that's why the Wi-Fi Alliance came up with Wi-Fi Protected Access (WPA), which now is required for gear to be certified by the organization. WEP's insecurity doesn't mean that a lot of gear in the field isn't still using the discredited approach, however.

It's been reported at Newswireless and elsewhere that WEP got another kick in the shins this week when three researchers from Darmstadt Technical University released a paper that suggests the system can be beaten in about a minute.

Hacking WEP involves collecting enough of the bits floating through the air to decode the pass-phrase protecting the link. The researchers have figured out a way to drastically cut the number of packets -- and hence the time needed -- to have a good chance of guessing the pass-phrase.

Wi-Fi Planet has a good description of the researchers' work (http://www.wi-fiplanet.com/news/article.php/3670601). Initially, 4 million to 6 million packets had to be collected to do the job; that number eventually shrank to 500,000 to 2 million packets. The Darmstadt researchers used a tool called aircrack-ptw to cut the number of packets necessary to 40,000.

Doing so, the piece says, provides a 50 percent chance of guessing the key. Incrementally raising the number of packets plucked from the air -- and slightly increasing the time span -- improves the odds of successfully cracking the code. For instance, the tool has a 95 percent chance of guessing the pass-phrase if it has 85,000 packets with which to work.

It would be wrong to dismiss the importance of this news by saying that WEP was hacked anyway. The new tool makes it so easy to crack the code that even a minimal level of protection has disappeared. That's disquieting, since the reality is that corporate inertia and budgetary constraints often keep organizations from doing what they should do. Bottom line: A lot of corporate systems still rely on WEP. Security staffers should pay particular attention to their telecommuting contingent, since these workers tend to fall through the cracks of corporate policies and, in most cases, pay little attention to security matters.
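
One way to find the gear that still relies on WEP during a wireless audit, as an added example that is not part of the original article: classify each access point from its 802.11 beacon, where the Privacy capability bit set with no RSN or WPA information element means WEP. It assumes beacon frame bodies taken from your own monitoring capture; the SSIDs and sample frames below are constructed.

```python
import struct

PRIVACY_BIT = 0x0010                           # Capability Information "Privacy" flag
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # vendor OUI 00:50:F2, type 1 = WPA element

def parse_elements(data):
    """Yield (element_id, value) pairs from the tagged parameters of a beacon."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        value = data[pos + 2 : pos + 2 + length]
        if len(value) < length:                # truncated element: stop parsing
            return
        yield eid, value
        pos += 2 + length

def classify_beacon(body):
    """Return (ssid, security) for a beacon body (12 fixed bytes, then elements)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    ssid, has_rsn, has_wpa = "", False, False
    for eid, value in parse_elements(body[12:]):
        if eid == 0:                           # SSID element
            ssid = value.decode("utf-8", "replace")
        elif eid == 48:                        # RSN element (WPA2 and later)
            has_rsn = True
        elif eid == 221 and value.startswith(WPA_VENDOR_PREFIX):
            has_wpa = True
    if has_rsn:
        return ssid, "RSN"
    if has_wpa:
        return ssid, "WPA"
    # Privacy bit with neither element present means the AP is offering WEP.
    return ssid, ("WEP" if capability & PRIVACY_BIT else "OPEN")

def make_beacon(ssid, capability, extra=b""):
    """Build a constructed beacon body for the demo (not captured traffic)."""
    name = ssid.encode()
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(name)]) + name + extra

# Constructed samples; the RSN/WPA elements are shortened to their version field.
SAMPLES = [
    make_beacon("branch-office", 0x0011),
    make_beacon("hq-corp", 0x0011, bytes([48, 2]) + b"\x01\x00"),
    make_beacon("guest", 0x0001),
    make_beacon("legacy-wpa", 0x0011, bytes([221, 6]) + WPA_VENDOR_PREFIX + b"\x01\x00"),
]

def wep_networks(beacons):
    """Return the SSIDs that should be scheduled for migration off WEP."""
    return [ssid for ssid, sec in map(classify_beacon, beacons) if sec == "WEP"]
```

Run it over beacons seen at telecommuters' sites as well as in the office, since home access points are where WEP tends to linger.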