[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Researchers crack WEP WiFi security in record time


By Peter Sayer
IDG News Service 
04 April 2007

The WiFi security protocol WEP should not be relied on to protect 
sensitive material, according to three German security researchers who 
have discovered a faster way to crack it. They plan to demonstrate their 
findings at a security conference in Hamburg this weekend.

Mathematicians showed as long ago as 2001 that the RC4 key scheduling 
algorithm underlying the WEP (Wired Equivalent Privacy) protocol was 
flawed, but attacks on it required the interception of around 4 million 
packets of data in order to calculate the full WEP security key.

Further flaws found in the algorithm have brought the time taken to find 
the key down to a matter of minutes, but that's not necessarily fast 
enough to break into systems that change their security keys every five 

Now it takes just 3 seconds to extract a 104-bit WEP key from 
intercepted data using a 1.7GHz Pentium M processor. The necessary data 
can be captured in less than a minute, and the attack requires so much 
less computing power than previous attacks that it could even be 
performed in real time by someone walking through an office.

Anyone using WiFi to transmit data they want to keep private, whether 
it's banking details or just email, should consider switching from WEP 
to a more robust encryption protocol, the researchers said.

"We think this can even be done with some PDAs or mobile phones, if they 
are equipped with wireless LAN hardware," said Erik Tews, a researcher 
in the computer science department at Darmstadt University of Technology 
in Darmstadt, Germany.

Tews, along with colleagues Ralf-Philipp Weinmann and Andrei Pyshkin, 
published a paper about the attack showing that their method needs far 
less data to find a key than previous attacks: just 40,000 packets are 
needed for a 50 percent chance of success, while 85,000 packets give a 
95 percent chance of success, they said.

Although stronger encryption methods have come along since the first 
flaws in WEP were discovered over six years ago, the new attack is still 
relevant, the researchers said. Many networks still rely on WEP for 
security: 59 percent of the 15,000 WiFi networks surveyed in a large 
German city in September 2006 used it, with only 18 percent using the 
newer WPA (WiFi Protected Access) protocol to encrypt traffic. A survey 
of 490 networks in a smaller German city last month found 46 percent 
still using WEP, and 27 percent using WPA. In both surveys, over a fifth 
of networks used no encryption at all, the researchers said in their 

Businesses can still protect their networks from the attack, even if 
they use old WiFi hardware incapable of handling the newer WPA 

For one thing, the researchers said, their attack is active: in order to 
gather enough of the right kind of data, they send out ARP (Address 
Resolution Protocol) requests, prompting computers on the network under 
attack to reply with unencrypted packets of an easily recognisable 
length. This should be enough to alert an IDS (intrusion detection 
system) to the attack, they say.

Another way to defeat attacks like that of the Darmstadt researchers, 
which use statistical techniques to identify a number of possible keys 
and then select the one most likely to be correct for further analysis, 
is to hide the real security key in a cloud of dummy ones. That's the 
approach taken by AirDefense in its WEP Cloaking product, which was 
released Monday. The technique means that businesses can 
cost-effectively protect networks using old hardware, such as 
point-of-sale systems, without the need to upgrade every terminal or 
base station, the company said.

If your network supports WPA encryption, though, you should use that 
instead of WEP to protect your private data, Tews said.

"Depending on your skills, it will cost you some minutes to some hours 
to switch your network to WPA. If it would cost you more than some hours 
of work if such private data becomes public, then you should not use WEP 
anymore," he said.

Subscribe to InfoSec News