Australian IT security managers have vowed they will never rely on the wired equivalent privacy (WEP) protocol especially after the release of new research earlier this month showing it can be cracked in as little as three seconds.
Security professionals said the bell has tolled for the WEP protocol which is used as a default intrusion prevention system for IEEE 802.11 WLAN wi-fi devices.
Last week Computerworld reported claims the Otago District Health Board was relying on WEP, using a simple ten-character numeric access code on its wireless network. Acting CIO John Tolchard said WEP was used to achieve a trade-off between security and cost-effectiveness, saying there was always a balance between security and complexity. Tolchard added that once inside the wireless network a further password was needed to access core systems.
However, the anonymous source also told Computerworld the wireless network was unencrypted, so a sniffer could be used to farm such passwords.
The troubled WEP protocol suffered its first blow in 2001, when a flaw was revealed in its RC4 key scheduling algorithm which allowed radio sniffer programs to extract and inject wireless data packets from and into the network where statistical analysers, known as WEP crackers, can recover the encryption key to unscramble the data. However, the WEP security key required about four million packets to be intercepted for it to be calculated.
Now security experts in Germany have claimed they can outfox the beleaguered protocol in three seconds, down on the previous best of about five minutes which kept up with changing security keys.
The experts say they can extract a 104-bit WEP key from intercepted data using a 1.7GHz Pentium M processor so fast that it could be performed in real time by someone walking through an office.
The Bank of Queensland’s IT security manager, Grant Slender, agrees the WEP protocol is lax and says he would not trust anything built on it.
“We don’t use wireless technology and we wouldn’t rely on any form of built-in encryption. We would treat it akin to an untrusted internet connection,” Slender says.
“We wouldn’t put the same applications over wireless as we would for a cable connection because the wireless security standards have been compromised.
“It’s simply easier for us to consider the WEP protocol untrusted.”
Arab Bank of Australia IT security manager Greig Walmsley says the WEP protocol does have a place in some small networks.
“There’s a lot of pluses for wi-fi but the security of the WEP protocol fails it on [all counts],” Walmsley says.
“It would work sufficiently [well] for a home network or for certain small businesses where confidentiality is not a big issue.
“Administering [WEP] is far too difficult and its performance is questionable.”
Installing additional security features and building a VPN over a WEP-based wi-fi network would help patch the security holes, he adds.
“A VPN tunnel over the top would help. However, the wireless client needs to be strongly authenticated and it must associate with the correct network,” according to Neal Wise, director of Assurance.com.au
He says while 802.1X authentication and other certificate-based authentication systems can be used to bolster WEP security, provided they allow the wireless client and the network to operate on a trusted basis, they demand a lot of management and planning.
Wise says the WEP research is “flogging what has been a dead horse for many years” by revealing skilful ways of “showing how bad WEP is”.
Wireless devices often run only WEP encryption because of their age or lack of memory and processing power, and often cannot be upgraded to WEP’s more advanced and secure successor protocol wi-fi protected access (WPA) or the follow-on WPA2.
“Not everything supports WPA and not everything supports it well. We have had problems with WPA handshakes between handhelds and networks because it takes longer to authenticate and it is often implemented poorly,” Wise says.
However, there are still a few options for WEP die-hards. Radio frequency sensor and security software vendor AirDefense offers a WEP cloaking module that inserts spoofing frames to conceal the real WLAN product frames, which therefore distorts the attackers’ statistical analysis.
Wise says while chaff-like defence systems work well, they still require a high level of management and planning to avoid blocking trusted traffic and interfering with neighbouring networks.
The German-based researchers who achieved the three second breach admitted their attack could be foiled by IDSs because they had to send out address resolution protocol requests in order to gather recognisable unencrypted packets.
Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in Germany, has published a research paper showing their method needs far less data to find a key than previous attacks: just 40,000 packets are needed for a 50% chance of success, while 85,000 packets give a 95% chance of success.
“If your network supports WPA encryption, though, you should use that instead of WEP to protect your private data,” Tews says.
“Depending on your skills, it will cost you some minutes to some hours to switch your network to WPA.”