Wifi is everywhere these days. It’s rare to hear of a computer or device coming to market without wireless capabilities that make networking with other home or business assets a breeze. Wireless can also be great for extending network coverage to places that prohibit physical cabling. One major aspect of wireless networking that home and business users often forget, though, is that while you may be adding range and convenience for authorized users, you’re also extending the range and convenience footprint for attack. One of the inescapable downsides of the proliferation of technology is the increased attack vectors it inevitably introduces. Every new device attached to a network and every new function configured can often become another avenue for malicious entry or public availability of sensitive information.

Many of you know that we have a keen interest in finding and eliminating opportunities for unauthorized access to sensitive data. We spend good portions of our time testing new technologies in our home and office labs and love to bring our findings to the workplace. One of our hobbies through the years has been wireless penetration – monitoring wireless signals with the intent to trick access points into giving us access to a network. In these blog entries, we hope to help shed some light on common wireless networking mistakes, why they present security problems, and how to go about ensuring that your assets are safe. Today, we’re going to start with a quick introduction by explaining why you should stay far, far away from WEP encryption for your home and business.

WEP (Wireless Equivalent Protection) is the weakest encryption type for IEEE 802.11 wireless networks.

Introduced in 1999 as one of the first ways to encrypt information passing across a wireless network, WEP proved to be a great step forward for otherwise unsecured wireless networks. Even today, many wireless networking devices come with WEP as their primary encryption type.

Keep in mind that in 1999 there were limited numbers of homes and business utilizing wireless capabilities, so the security implications were not yet apparent. As with any new technology, though, the more popular wireless networks became, the more vulnerabilities and security holes began to show themselves as attackers focused their attention on them. Even after introducing higher security standards such as 64, 128 and 256-bit encryption keys, many of the original security vulnerabilities were not fixed, merely made it harder and more time consuming to exploit.

One of the problems with WEP is the way that it establishes encrypted connections. It utilizes an RC4 cipher (the encryption method) and an IV (an unencrypted key used to initialize the encrypted stream) in a way that allows attackers to record the transmission of data and use it to decrypt the security key. This means that the only thing an attacker needs is for you to use your network – surf the web, transfer files, anything! Once they have recorded enough data, they can easily establish the key. As time went by, researches discovered ways to falsely inject IV’s into a wireless network that wasn’t experiencing much traffic an exploit an inherent flaw in the design to trick the access point into confirming the transmission and passing a packet back to the source. This allowed attackers to decrease the amount of time and passed data required to crack the network.

Key Found!
A picture of the success screen for Aircrack-ng, a wireless cracking suite available for multiple computing platforms at no cost.

Jumping back to now – 2012 – automated tools for cracking WEP encryption are widespread, easily available and free.  Modern computers (even low-power netbooks) can crack a WEP network in less than a minute. Sites all over the Internet explain how to do it, too. Once an attacker gains access to a wireless network, they have essentially bypassed a major part of your security. Supposing there are not more firewalls in place between them and their target, gaining access to a wireless network often means complete access to a person’s home or business. From there it’s just a matter of setting up shop and finding the information they came for – all without even having to knock on the door.

Folks – WEP is bad. If you have devices or computers that aren’t compatible with newer wireless encryption standards, they should really be left behind or configured with newer peripherals that add the compatibility. Standards like WPA and WPA2 add significant security to home and business wireless networks and should always be configured over WEP. When you purchase a new access point or have a Verizon or Comcast technician install a new unit, be sure to either configure it yourself before connecting devices and getting discouraged by having to reconfigure everything, or have the technician configure it on day one. (Here comes the shameless plug) We’ll also be more than happy to talk to you about your wireless configuration, whether it be for your home or your office. Many times we can reconfigure your wireless encryption settings by setting up a remote screen sharing session with a computer connected to the network. As always, though, you can feel free to give us a call anytime if you’re unsure about your configuration.

Next time we’ll go into the security vulnerabilities of newer wireless protocols and what you can do to defend your network assets. Also stay tuned for our upcoming article about protecting your data when using public wifi.