WEP Broken Even Worse

collin.m writes in with news of results out of Darmstadt. Erik Tews and others there have demonstrated how to recover a 104-bit WEP key in under a minute, requiring the capture of fewer than 10% the number of packets the previous best method called for. The paper is here (PDF). Quoting: "We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets... for 85,000 data packets [the success probability is] about 95%... 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz..."

Re:Who even still users WEP?

[drinkypoo]

AFAIK I have precisely zero pieces of 802.11 equipment with WPA support. I have a broadcom PCI 802.11G adapter, it MIGHT have it. NONE of my 802.11b hardware does. The laptop I use, which work owns, does have WPA support, but nothing I have will speak WPA to it anyway. If I need security I use VPN and firewall all other traffic.

Re:Who even still users WEP?

[Southpaw018]

Unfortunately, Nintendo has outright refused to support WPA on the DS. Those who use the DS online regularly must either fall back to WPA or resort to completely unsecured communication. Or change their router's settings every single time they want to play online.

Nintendo's response to this is, last I checked, "well, disable WEP and then turn off your computer," which is obviously ridiculous.

Re:Does this still depend on weak IVs?

[tbo]

For some reason I can't get the paper to load, but anyway, does this still depend on weak initialization vectors?

According to the article, the attack does not require weak IVs. They haven't actually tested against WEPplus, but expect the attack to still work against it. In other words, WEP in all its forms is now nothing more than an electronic "No trespassing sign" and 3-foot fence.

Re:Can ARC4 be used properly at all?

[stinerman]

The problems with WEP have nothing to do with RC4. The problem is that the initialization vectors end up being reused because they are only 24 bits. Reusing IVs is a major no-no when dealing with a stream cipher. And to compound that, the implementation allows for a 50% chance to use the same IV after only 5000 packets. (see wikipedia)

RC4 is still just as secure as it was before these WEP attacks.

Re:What about 64 and 128 bit?

[!ramirez]

Because there's a 24-bit IV, or initialization vector, that is not strictly considered part of the keyspace.

Re:What about 64 and 128 bit?

[Galaga88]

Not a stupid question, a good question.

WEP uses a 24 bit initialization vector, and the rest is left for the actual key. So 40 bit = 64 bit - 24 bit IV. Same for 128 = 104. People just use the terms interchangably (for better or for worse).

Re:Can ARC4 be used properly at all?

[linuxmop]

Wireless encryption is (often) implemented in hardware because encryption is expensive to perform. This is especially true on embedded platforms like the DS.

However, you can apparently upgrade your DS to support WPA with a hacked firmware [geekboy.ca]. It's not clear from the page, but I am fairly sure that it only supports TKIP encryption and not AES since, like WEP, TKIP uses RC4 so does not require a hardware upgrade. It does, however, solve the initialization vector problems of WEP that another poster mentioned; as far as I know, TKIP has not been broken.

Moral? If you're still using WEP, update your drivers and firmware and you may be able to get TKIP WPA and get those pesky neighbors off of your connection.

Re:Who even still users WEP?

[Zadaz]

I live in downtown San Francisco. If I put my laptop in my kitchen window I can pick up 46 wireless networks.

2 of them are WPA-PSK (including mine)
12 of the are unsecured.
The rest are WEP.

7 of the WEP encrypted ones are the DSL router/wireless access point that AT&T hands out. As far as I can tell this piece of hardware can't be configured in any way, can't even change your WEP key.

Corporate Greed

[Lead Butthead]

My understanding is that it should be easy enough to implement WPA on older (.11a/b) hardware, but companies much rather sell end user new hardware (.11g etc.) than spending development time to upgrade old hardware (that does not generate additional revenue.) This is evident in that Apple's old AirPort (.11b) does support WPA but other venders' (that would include YOU, Linksys) old .11a/b products do not.

Re:Nice try but...

[wolrahnaes]

WPA "cracks" are all just brute force, which you could also do with WEP and any other encryption algorithm. It just takes fucking forever (assuming the user chose a key that was more than just a dictionary word). These WEP attacks are actually flaws in the design of the system which allow you to crack a key many times faster than brute force.

Rainbow tables, dictionaries, and the like are all just variations on brute force. They accelerate the process, but either way you're not actually breaking the encryption but instead using a crapload of processor power to try one key after another until you hit the right one.

Saying WPA is insecure because there is a brute force tool for it is like saying the a lock is insecure because I could go and start trying combinations. 1-1-1....1-1-2....1-1-3.........

Re:Can ARC4 be used properly at all?

[dotgain]

Ethernet max segment length is 100 metres, not feet.

Re:Can ARC4 be used properly at all?

[failedlogic]

About 5 years ago when I worked for sales at a cable company, a mid to large size home builder told me every house he was building would have Cat-5 in every room of the house with a wall jack. He didn't care if the room was the laundry, the basement, the attic (ok, attic I'm exaggerating) but he was serious about it. I think he was one of the first builders in my city to do this. I remember his story and then a few years later the larger builders ensued with similar practices. He did similar pre-wiring with the coax cable as well.

Cabling sucks if you don't have easy access to air returns or the return doesn't go to the right spot. I'm reluctant in any event to use Wi-Lan for anything.

Re:Corporate Greed

[Anti_Climax]

Prism Based 802.11b adapters (sold under Lucent, Orinoco, Conexant, 2wire, Dell, ZCom and several other names) support WPA with a proper driver. I'm not sure if it's the full AES WPA or if it's just TKIP. TKIP may be subject to a similar attack as mentioned by a previous poster. It is my understanding that unless the adapter was built with a fair amount of extra capability, WPA AES is not an option.

Re:The most obvoius solution.

[Anonymous Coward]

An easy way to do this is on your router, with OpenWRT or equivilant. You can run OpenVPN on there, and have iptables drop any packets not sent to the router's WAN jack or VPN port, or by the router itself. It's a geeky thing to do, and you have to know what you're doing, but that's how I would do it...

Re:Can ARC4 be used properly at all?

[Belial6]

The bad news is you are unlikely to find it. The only reason that my house had it, was that I did a complete renovation where I removed all of the sheetrock, AND I planned to live there. Builders don't bother, and few people will cut into every wall of their house. Of the few build it yourself homes out there, most people don't think ahead enough to worry about what cable they will need in 5 years.

The good news is that Sheetrock is easy to do. If you don't mind fairly major DIY projects, it wouldn't be that hard to tear open a wall, add conduit, and put the wall back. If you plan carefully, you will likely only need to cut into one wall for every two rooms.

Re:Corporate Greed

[poopdeville]

TKIP may be subject to a similar attack as mentioned by a previous poster.

It is in principle, but not in practice. Think of WPA TKIP as a strengthened WEP. They both even use the same encryption schemes. But the vulnerability that affects WEP isn't present in WPA TKIP because TKIP is designed to change keys every 10,000 or so packets. Since you need about two orders of magnitude as many unique IV's to crack this encryption scheme in a reasonable amount of time, you're safe.

Easily spoofed.

[codergeek42]

This will help, sure, and be quite a detriment (since hackers will then need to figure out one more detail before being able to own your wireless network); but the fact remains that thanks to things like macchanger and other utilities, a MAC address can be very easily spoofed.

Plus, once an attacker has enough packets, he or she can divulge the necessary MAC address from those packet headers, so it's not really as great an aide as many claim...

Re:Can ARC4 be used properly at all?

[kd5ujz]

That is what a stud finder is for. You can locate any kind of copper/steel ( water/gas mains included) so that you dont get a suprise when you go all out with a sawzall.

Re:Mac Filtering !

[Anonymous Coward]

From Wireless LAN security hall of shame [zdnet.com]:

"MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain."