In the 802.11 standard, WEP is defined as "protecting authorized users of a WLAN from casual eavesdropping." As such, WEP is not a terribly strong form of protection and is subject to numerous exploits based on vulnerabilities and weaknesses. Numerous papers, in fact, describe in detail how WEP can be defeated. Likewise, tools that exploit WEP's weaknesses are widely available online.
WEP is based on a stream cipher called RC4, which is a symmetric encryption algorithm. The same key used to encrypt WEP traffic is also used to decrypt that same traffic; for that reason, that key is called a shared key. Because stream ciphers encrypt ongoing streams of data, they're easy and efficient to implement in hardware. But any given stream of communications should be encrypted with a unique key that is never reused to avoid potential compromise of intercepted traffic. The problem is that WEP's design includes no provision for managing keys between sender and receiver when data must be resent (as will often be the case in wireless communications, in which packets are routinely lost or dropped in transit).
WEP's designers tried to sidestep key management by adding an IV (initialization vector), a 24-bit number sent in the clear, to a common 40-bit shared secret key, so that many 64-bit keys based on the combination of both numbers could be used. (Because the IV is shared in the clear, partners need only share the 40-bit secret key.) But because there are only 2^24 IVs available, and no mechanism to change the secret key when all IVs are used up, reuse of keys is inevitable. Thus, anyone who monitors a WLAN long enough will be able to detect reused keys, and to use larger amounts of data to guess the 40-bit shared secret key. Likewise, combining the 24-bit IV with the secret key produces sequences of key values that are not sufficiently different to resist concerted decryption attacks. Such attacks are now well known, and tools to exploit them are widely available. (The HP white paper titled "Wi-Fi Security -- Addressing Concerns" documents such attacks; see the "resources" section at the end of this IT Guide for a hyperlink.)
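As an added illustration, not code from this IT Guide or from the HP paper, the following Python seeds RC4 the way WEP does (24-bit cleartext IV followed by the 40-bit secret key) to show that a repeated IV reproduces the identical keystream, and adds a monitor-side check that flags repeated IVs in a list of constructed sample frames; the function names, the sample key and the frame values are all assumptions.

```python
# Added example, not code from the IT Guide or the HP paper: RC4 seeded the
# WEP way (24-bit cleartext IV || 40-bit secret key) to show that a repeated IV
# reproduces the identical keystream, plus a monitor-side check for IV reuse.
# Frames and keys below are constructed sample data; all names are assumptions.

IV_SPACE = 2 ** 24  # only 16,777,216 distinct IVs per shared secret key

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_keystream(iv: bytes, secret: bytes, length: int) -> bytes:
    """WEP-40 seeds RC4 with the 3-byte IV followed by the 5-byte shared key."""
    if len(iv) != 3 or len(secret) != 5:
        raise ValueError("WEP-40 needs a 24-bit IV and a 40-bit secret key")
    return rc4_keystream(iv + secret, length)

def iv_reuse(frames):
    """frames: iterable of (iv, ciphertext). Returns {iv: count} for IVs seen more than once."""
    counts = {}
    for iv, _ in frames:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}

def seconds_until_iv_wrap(frames_per_second: float) -> float:
    """Time for a station using sequential IVs to exhaust the IV space."""
    return IV_SPACE / frames_per_second

# Constructed captures: four frames, two of which carry the same IV.
SAMPLE_FRAMES = [(b"\x00\x00\x01", b"\x3a\x91\x7c"), (b"\x00\x00\x02", b"\x11\xe0\x5b"),
                 (b"\x00\x00\x01", b"\x29\x84\x6d"), (b"\x00\x00\x03", b"\xf2\x0c\x8e")]

if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"  # constructed 40-bit shared key
    print(wep_keystream(b"\x00\x00\x01", secret, 8).hex())
    print("reused IVs:", iv_reuse(SAMPLE_FRAMES))
    print("seconds until IV wrap at 500 frames/s:", seconds_until_iv_wrap(500))
```

Because the keystream depends only on IV and secret, two frames flagged by `iv_reuse` were encrypted with byte-for-byte identical keystream, which is exactly the condition the paragraph above says a long-enough monitoring session will eventually observe.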
Wi-Fi access points use a special value called a SSID (Service Set Identifier) to distinguish wireless networks from one another. Access points often arrive preconfigured with defaults set by the manufacturer; if these values (which are well known) aren't changed, it's easy for outsiders to detect and attempt to access a WLAN. SSIDs should always be reset, and normal rules for setting strong passwords (not subject to dictionary attack, not easy to guess, mixture of letters, numbers, and other characters, and so forth) also apply.
WEP's well-known weaknesses notwithstanding, many access points use open authentication (no encryption whatsoever) by default. WEP's challenge-response mechanism (which provides a cleartext string that the party attempting to log on must encrypt using the WEP key) also makes it easy to guess WEP keys in use. Interestingly, many experts recommend using open authentication with other, more secure methods than WEP (as you'll read in the next section titled "wireless security options and add-ons") to strengthen WLAN security.
But when SSIDs or WEP keys are reset, they must be reset manually, so the administrative overhead involved on existing networks can be prohibitive. This is easy when setting up new clients, but annoying at best when dealing with existing clients (particularly when a lot of them are already active).