WEP Broken Even Worse

collin.m writes in with news of results out of Darmstadt. Erik Tews and others there have demonstrated how to recover a 104-bit WEP key in under a minute, requiring the capture of fewer than 10% the number of packets the previous best method called for. The paper is here (PDF). Quoting: "We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets... for 85,000 data packets [the success probability is] about 95%... 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz..."

Re:Who even still users WEP?

[Knara]

No. Even a cursory glance at your laptop next time you are in a commercial parking lot will tell you that (or at an apartment complex).

Re:Who even still users WEP?

[Eugenia Loli]

There ARE people out there who are FORCED to use WEP because they use it with older devices that don't support anything else. It would be very expensive replacing all these specific/mobile devices just so they can use a new encryption.

Re:Who even still users WEP?

[ukatoton]

2 words: Legacy Hardware I have 2 computers in my house with cards that don't support WPA. If I were to set my router to run with WPA, then my sister would not be able to connect to the network. If i told her the security implications, she wouldn't understand nor care. Upgrading the network would mean me footing the bill for new wireless cards unless I can convince my dad that there is a real reason to upgrade to better security. However, this is unlikely.

Re:Can ARC4 be used properly at all?

[Lehk228]

disable wireless security and implement real security, such as a RADIUS login. then set up a firewall rule to allow unauthenticated devices to access nintendo's servers

Re:Who even still users WEP?

[jrumney]

All my pieces of wifi equipment but one support WPA-PSK, but it only takes one piece of equipment to tie me to WEP.

Re:Can ARC4 be used properly at all?

[drinkypoo]

disable wireless security and implement real security, such as a RADIUS login. then set up a firewall rule to allow unauthenticated devices to access nintendo's servers

Login authentication does not prevent a man in the middle attack of the breakin sort.

You need end to end encryption, including encrypted login and certificate verification with secure exchange made pre-connection to provide security over a wireless link.

Just another reason why if it's not a PDA or a tablet, you should be using a wire. You can get 100' or more of CAT5E for the price of a 802.11G access point, and an 8 port 10/100 FDX switch with port autonegotiation (auto-crossover, too) is about $20. Good jacks will run you $5 per end. Patch cables are a buck and longer cables are just a few bucks.

Re:Back in the courtroom

[TheGratefulNet]

its modded as funny BUT its a VERY valid defense, I would think (ianal).

there is significant doubt as to who the user of a wireless lan really is.

in fact, it now makes sense to DOWNGRADE wireless AP's due to this...

(and then just run ssh on top of it, for sessions that truly need privacy).

Re:Can ARC4 be used properly at all?

[zippthorne]

It's not the wire that's expensive, it's the holes. In fact, those aren't even the expensive bit. It's the properly out-of-the way and invisible that's expensive.

Re:Who even still users WEP?

[zippthorne]

It's faster than his Internet connection, which apparently is a cable modem. No need to go significantly faster than the main bottleneck. Especially if the LAN is mostly used to share the WAN anyway.

Re:Can ARC4 be used properly at all?

[Belial6]

I agree with you. That is why I really annoys me that in this day and age, builders are still not putting conduit in walls during construction. I understand a 20 year old house not having conduit in the walls. I can even understand a 10 year old house not having conduit, but any house built in the last 5 years should have conduit to every room. We already know that whatever is in the walls today will be inadequate in another 10 years.

Re:Simple, cheap, easy solution

[Gothmolly]

Wireless is NOT cheaper than cable. A wireless card for my PC was $29. To run wire, crimp the ends, drill through the floor, and install an outlet box would be more than that, just in parts. Scale it up to a few people in the house, and throw in an occasional laptop, and the cost of wiring becomes ridiculous.

Re:Who even still users WEP?

[drinkypoo]

So.. your answer is "people who don't upgrade." Not to sound discriminatory, but I'm pretty sure he wasn't including you in the question, much the way when I say "Who doesn't run a firewall?" I'm not including people who still use C64s. Talk to us again when all your hardware supports WPA, but you still use WEP anyway.

Well, that was an incredibly arrogant response from someone who refuses to examine reality.

How many environments are you familiar with in which everything is always upgraded all at the same time, in which all of the hardware works the first time, and in which you never become dependent on a legacy product for any length of time?

Here in the really real world, we often have reasons to utilize legacy hardware. What if I've got one of those $1500 bar code scanner boxes and it doesn't support WPA and there's no upgrade to provide it? Am I going to spend $1600 for this year's model with two more buttons and WPA support? Or am I going to keep using this device as long as I think I can get away with it? What if I don't have budget to buy a replacement? What if it's not even my decision?

Like I said, here in the real world, we often have to use suboptimal equipment. And I assure you that huge numbers of corporations, including those amongst the fortune whatever, are still using wifi gear with no WPA support on a daily basis.

Re:Can ARC4 be used properly at all?

[valkraider]

Unless you live in an apartment, this is not remotely true. Running your own wires is, well, trivial unless you are physically disabled in some significant way.

Uhmm, methinks you have not actually done this much... Or at least not in many houses.

Things like lath&plaster, plumbing, strange placement of studs, lack of crawlspaces, windows, carpet, laminates, tile, doors, fireplaces, and foundations - all sorts of stuff really makes it not, well, trivial.

Re:Can ARC4 be used properly at all?

[kakos]

Get a clue. The weakness in WEP has everything to do with a vulnerability in RC4 (specifically this one [drizzle.com]). The vulnerability is due to the fact that there is a weakness in RC4's key scheduling algorithm that allows an attacker to obtain the whole key from only a very few bits that just happen to be in the first 24-bits of the key. Since the IV does repeat, it is easy to obtain packets with the weak key bits. However, if WEP did not use RC4, that vulnerability wouldn't be there and you couldn't break WEP using that attack.

The most obvoius solution.

[Randseed]

The most obvious solution is to have each machine that connects over wireless use a VPN. Everything coming in over anything other than the VPN is discarded.

Since this is Slashdot, I request a community service: Come up with a script/whatever where this is simple.

Re:Who even still users WEP?

[JWW]

Hell, out of 5 wireless networks I can "see" from my house, two have no encryption on whatsoever.

I mean, no matter how bad WEP is, you'll never be able to hack into a WEP network as fast as you can an open one.

It may be where I live, but around town there are open networks virtually EVERYWHERE.

Conduit

[xquercus]

The only real conduit one needs in a house are a crawlspace and an attic.

Re:Can ARC4 be used properly at all?

[rossz]

You've obviously have never been married.

Re:Can ARC4 be used properly at all?

[linzeal]

The last house I lived in I had RJ-42 jacks in every room, it took 2 days to snake the cable from the upstairs to the downstairs. Wireless for me is good for outside and not much else. I guess if you live in an apartment you really can't but what geek here can't go get a 500' spool and wire their house in a weekend?

Re:Can ARC4 be used properly at all?

[dagamer34]

MAC addresses can easily be spoofed. Get a clue, pal.

Re:Can ARC4 be used properly at all?

[Belial6]

That is a perfect example of what I consider a bad builder. One that is putting in things that are designed to make people THINK they are getting quality, when they really are not. I could care less about Cat-5 and coax, if you just put in a conduit. That builder has already created a situation where the wiring is out dated. Gigabit wants Cat-6. If he had put in conduit, every one of his houses could be rewired by the homeowner with very little fuss. But since the builder didn't care if the house was maintainable, he just slapped in some wire, and sprinted that he did it as a bullet point on the sales sheet. Part of the problem though is that the buyers ooohhh and ahhhh about the cat-5, and don't even think about what they are going to do in a few years.

Re:Can ARC4 be used properly at all?

[thealsir]

Common Slashdot Format(TM)

1. Story posted about $SECURITY_PROTOCOL being broken on $BROKEN_DATE at $SEVERITY
2. Comments ensue recommending ridiculously complex/impractical solutions (in typical slashdot lore) getting modded up
3. Comments ensue about how ridiculous and complex those impractical solutions are, getting modded down/up on a 50/50 basis
4. Actual common-to-do, easy to implement solutions, like the WPA2 in linksys routers, are not discussed or modded
5. Extreme architecture biases/overall naivete about NO security implementation being completely secure is prevalent in a lot of comments
6. Sometimes, people come in to right these fallacies in the free market way, by posting.

Put short, wires are not a solution, no encryption protocol is flawless, the risks/rewards of wireless should be known and the technology should be used accordingly. But improvements in protocol and advancements in technology, especially relatively easy to implement ones, should be emphasized.

Re:Can ARC4 be used properly at all?

[Builder]

How much less could you care ?

Re:Can ARC4 be used properly at all?

[evilbessie]

Um no, gigabit networks need Cat-5E not necessarily Cat-6, most Cat-5 is actually Cat-5E these days anyway, although I would still check you are using Cat-5E if you need gigabit.