Don't use WEP for Wi-Fi security, researchers say
German researchers got into a 'protected' network in 60 seconds
IDG News Service - The Wi-Fi security protocol WEP should not be relied on to protect sensitive material, according to three German security researchers who have discovered a faster way to crack it. They plan to demonstrate their findings at a security conference in Hamburg this weekend.
Mathematicians showed as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP (Wired Equivalent Privacy) protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key. Further flaws found in the algorithm have brought the time taken to find the key down to a matter of minutes -- not necessarily fast enough to break into systems that change their security keys every five minutes.
Now it takes just three seconds to extract a 104-bit WEP key from intercepted data using a 1.7-GHz Pentium M processor. The necessary data can be captured in less than a minute, and the attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office.
Anyone using Wi-Fi to transmit data they want to keep private, whether it's banking details or just e-mail, should consider switching from WEP to a more robust encryption protocol, the researchers said.
"We think this can even be done with some PDAs or mobile phones, if they are equipped with wireless LAN hardware," said Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in Darmstadt, Germany.
Tews, along with colleagues Ralf-Philipp Weinmann and Andrei Pyshkin, published a paper about the attack, showing that their method needs far less data to find a key than previous attacks: Just 40,000 packets are needed for a 50% chance of success and 85,000 packets for a 95% chance, they said.
Although stronger encryption methods have come along since the first flaws in WEP were discovered, the new attack is still relevant, the researchers said. Many networks still rely on WEP for security: 59% of the 15,000 Wi-Fi networks surveyed in a large German city in September 2006 used it, with only 18% using the newer WPA (Wi-Fi Protected Access) protocol to encrypt traffic. A survey of 490 networks in a smaller German city last month found 46% still using WEP and 27% using WPA.
In both surveys, over a fifth of networks used no encryption at all, the researchers said in their paper.
Businesses can still protect their networks from the attack, even if they use old hardware incapable of handling the newer WPA encryption.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts