
Replacing WEP has become an urgent priority

Cracks have got faster.


Q: I heard about a new WEP cracking technique. Can you explain it?

WEP has been generally recognised as broken since 2001 when Fluhrer, Mantin, and Shamir, commonly known as FMS, published their paper 'Weaknesses in the Key Scheduling Algorithm of RC4.' However, WEP is still in widespread use despite the common knowledge that it is severely inadequate, and at most provides a minor nuisance to an attacker.

There could be a myriad of reasons for this; after all, many embedded devices were produced when WEP was the de-facto standard for securing WLANs, and it can take a while for them to be upgraded or replaced. It can also take a while for what anyone involved in security day-to-day knows to trickle out to the rest of the world, and as a result many people setting up wireless networks in SOHO environments may think WEP is still the way to go.

Whatever the reasons, WEP is unfortunately still being used.

Initial tools based on the FMS technique needed to capture on the order of 5 to 10 million frames to crack WEP. That many frames were needed in order to gather enough of them encrypted under "weak" initialisation vectors (IVs), which can be correlated with bytes of the RC4 key used to encrypt the contents of the frame. Among the tools that implemented this technique was the original version of AirSnort. However, the attack was viewed as impractical because, at the time, it could take quite a while to collect enough traffic. Still, a stop-gap solution was developed: using WEP with 802.1X to cycle WEP keys automatically, so that no single WEP key would be in use long enough for an attacker to crack it.
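The reason IVs matter so much here is structural: WEP builds the per-frame RC4 key by prepending the 3-byte IV to the shared secret key, and that IV is sent in the clear ahead of every encrypted frame. The following toy implementation of WEP encapsulation (RC4 key scheduling and keystream generation, IV || key as the per-frame key, and a CRC-32 integrity check value) is an added example written for this article, not code from the author, from AirSnort or from aircrack-ng. It omits all 802.11 framing and assumes a 40-bit key and a caller-supplied IV purely for illustration; it shows why the first three bytes fed to RC4's key schedule are always public, which is the property the FMS-style attacks correlate with the remaining key bytes.

```python
"""Toy WEP encapsulation: RC4 over (IV || key) with a CRC-32 ICV.

Added educational example; no real 802.11 frame handling is included.
"""
import struct
import zlib


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute 0..255 driven by the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 pseudo-random generation: emit `length` keystream bytes for `key`."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream (encryption and decryption are identical)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(payload || CRC-32(payload)).

    The IV is transmitted unencrypted; only the body is RC4-encrypted.
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    per_frame_key = iv + wep_key          # attacker-visible bytes come first
    return iv + rc4_crypt(per_frame_key, payload + icv)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Recover the payload, or return None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    data = rc4_crypt(iv + wep_key, body)
    payload, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample values: a 40-bit key, one IV and a short payload.
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("000102")
    frame = wep_encrypt(key, iv, b"hello")
    print("IV sent in clear:", frame[:3].hex())
    print("per-frame RC4 key:", (iv + key).hex())
    print("decrypted:", wep_decrypt(key, frame))
```

The RC4 core is checked against the well-known "Key"/"Plaintext" test vector, and a single flipped ciphertext bit is rejected by the CRC-32 ICV; note that CRC-32 is a linear checksum and not a cryptographic MAC, so that check is only error detection, not tamper protection.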

However, new tools were developed that expanded the number of IVs usable for determining the key, in addition to techniques for generating traffic (ARP re-injection). With these advances it still took a significant amount of time to collect data, though only one million frames or fewer were required to recover the key.

Recently, new advances in WEP cracking have been made by Pychkine, Weinmann, and Tews from the Technical University of Darmstadt.

In short, the researchers developed a method for recovering the key with as few as 40,000 frames, which can be done in roughly one minute using ARP re-injection. While the probability that the correct WEP key will be recovered with so few frames is merely 50 percent, the probability increases significantly with a small increase in the number of gathered frames. For instance, if you've gathered 85,000 frames it will be possible to recover the key 95 percent of the time.

Pychkine, Weinmann, and Tews initially released the proof-of-concept for their research as aircrack-ptw, a modified version of aircrack-ng, but it has since been integrated into the aircrack-ng codebase. Given that the tool is widely available, it would be a good idea to make it a higher priority to upgrade or replace any WEP-based equipment that you still have.

Andrew Lockhart is lead security analyst at Network Chemistry, author of O'Reilly Media's Network Security Hacks, and author of Snort-Wireless, an open source project adding wireless intrusion detection to Snort. He is also an editorial board member of the . This article appeared in Network World.

