Why is anyone still using WEP?

May.24, 2008 in Wireless Networks

Wireless internet access is everywhere these days. Everyone from restaurants and bars to the average Joe Homeowner has some sort of wifi network set up. The problem is that they set up these networks without giving security a second thought (or even a first thought in most cases). I was at the TRISC conference last month and heard SimpleNomad say that he doesn’t pay for internet access anywhere any more because there’s always an unsecured or poorly secured wireless network wherever he goes. Lately, I’ve been testing that and he’s absolutely right. I’m the only person on my block not running either an open network or a WEP “protected” network. I was even at a local hospital the other day and their “secure” internal network was using WEP.

For those of you just catching up, WEP is an almost 10 year old wireless protocol whose intent was to encrypt your wireless transmissions. The problem is that WEP uses a user-defined key along with an “initialization vector” (IV) to generate the RC4 traffic key used to encrypt your data. If I can gather enough of these IV’s, then I can figure out what the key is and your network is now pwned. I can speed up this process by injecting my own packets and I can get your key in under 3 minutes. How’s that for security?

So, why is anyone still using WEP? It was deprecated as a wireless privacy mechanism back in 2004. It is easily cracked and provides slightly more security than running an open wireless network. All that and when you buy a new wireless router it’s most likely still pre-configured with WEP enabled. On some of these older models better encryption standards such as WPA or WPA2 aren’t even options. With much of the wireless network setup falling into the hands of novice users, some of the responsibility lies with the router manufacturers for even allowing them to use WEP. The rest, in my opinion, is on the users themselves, who put up these networks without being educated enough to do so. You wouldn’t put a door on your home without making sure the locks worked, would you? How about buying a car where everyone with that model vehicle had your same key? I think you get the picture.

Tags: encryption, equivalent, internet, privacy, wep, wireless, Wireless Networks, wpa, wpa2

3 Comments on “Why is anyone still using WEP?”

jwickett
June 10th, 2008 at 1:46 pm
I think WEP still has a place for public WiFi if you have a separated network with no other nodes and internet access only. Mostly because if they are in an untrusted zone, then you want some level of security and you don’t want to have to handle complaints because their laptop doesnt support WPA. On our network a non-trusted zone that is for visitors to the office and random devices like iPhones… We use WEP because it is slightly better that an open network and there is no support burden, it just works.

Josh
June 10th, 2008 at 2:09 pm
Sure, if you don’t care about the security of your “customers” then by all means set up a WEP access point. WEP may provide them the peace of mind of having an “encrypted” connection, but because of how easily it is cracked, you’d probably be better off providing an Open wireless network. At least then the customer doesn’t have the fascade of security and it’d “just work” even better than WEP.

The point here is that you either have a secure access point or you don’t. Because of the protocol flaws, WEP should fall into the unsecure category and should ALWAYS be treated as such. Not supporting WPA is a vendor problem and should not be an excuse for settling on WEP encryption.

jwickett
June 10th, 2008 at 5:53 pm
Well, I ain’t giving bandwidth away here, so a little deterrent is better than nothing… I disagree with having an Open access point and for us it is for short term access.

Welcome to WebAdminBlog!

This blog site is run by Josh Sokol, the Founder and CEO of SimpleRisk, a free tool for Governance, Risk Management, and Compliance. Josh is a former Web Admin and Information Security Program Owner of National Instruments.

Categories
Recent Posts
Recent Comments
devops
Links
Security
Tags
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi
Categories
- Advertising (2)
- Application Performance Management (14)
- Automation (4)
- Browsers (4)
- Cloud Computing (9)
  - Elastic Compute Cloud (3)
- Conferences (64)
  - BSides Austin 2013 (1)
  - BSides Austin 2016 (1)
  - OWASP AppSec DC 2009 (16)
  - OWASP AppSec NYC 2008 (18)
  - OWASP LASCON 2017 (1)
  - OWASP LASCON 2018 (1)
  - TRISC 2009 (8)
  - Velocity 2008 (8)
  - Velocity 2009 (8)
- Content Management (2)
- Featured (3)
- Green Computing (1)
- High Availability (1)
- Log Management (2)
- Management (4)
- Monitoring (4)
- Networking (12)
  - Firewalls (4)
  - NetFlow (4)
- Operating Systems (2)
  - Linux (2)
  - Mac OSX (1)
  - Unix (2)
- Operations (11)
- Popular (2)
- SaaS (2)
- Sarcasm (1)
- Search (1)
  - Enterprise Search (1)
- Security (75)
  - Access Management (1)
  - Capture the Flag (4)
  - Cloud Computing (4)
  - Compliance (1)
  - Disaster Recovery (1)
  - Malware (4)
  - Metrics (2)
  - OWASP (2)
  - PCI (2)
  - Phishing (2)
  - Physical (1)
  - Risk Management (2)
  - Virtualization (3)
  - Web Application Security (32)
    - Dynamic Analysis (1)
    - Static Analysis (1)
  - Wireless Networks (5)
- Service-Oriented Architecture (1)
- Software and Tools (15)
  - Crashplan (1)
  - Drobo (1)
  - GRC (1)
- Training (2)
- Uncategorized (1)
- Virtualization (4)

Blogroll
- Agile Operations Blog
- Agile Testing
- Agile Web Operations
- Amazon Web Services Blog
- dev2ops – Web Ops at Scale
- Gilligan on Data Web Analytics pro tips
- ISSA Home The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.
- Kitchen Soap, A WebOps Blog
- Michael Howard's Blog Software security guy at Microsoft.
- National Instruments Home The majority of the contributers here are current or past NI employees.
- OWASP Home The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
- RSnake's Blog ha.ckers.org web application security lab
- Server Fault
- Steve Souders’ Blog Google High Performance Guru
- The Madstop
- The Open Minded Enterprise
- The Simple Logic
- Transparent Uptime blog
Archives
- March 2019
- October 2017
- April 2016
- January 2016
- December 2015
- May 2015
- November 2014
- August 2014
- June 2014
- May 2014
- October 2013
- September 2013
- August 2013
- May 2013
- March 2013
- February 2013
- October 2012
- May 2011
- April 2011
- December 2010
- July 2010
- June 2010
- April 2010
- March 2010
- February 2010
- January 2010
- November 2009
- September 2009
- July 2009
- June 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
Tag Cloud
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi

Web Admin Blog

Real Web Admins. Real World Experience.