Our tech editors debate the security flaws of WEP, the much-derided security protocol for wireless local area networks (WLANs) defined in the 802.11b standard, and the competing alternatives to it.
We start with this note from Sean Ginevan:
Many in the blogging community have reported about some work researchers in Germany are doing with regard to cracking WEP. "Cracking WEP?" you might ask. "Hasn't WEP already been broken?" It's true that WEP was proven cryptographically insecure way back in 2001. In many ways WEP, as our own Dave Molta says, "was broken before it was broken." While it was cryptographically insecure, the whole model of distributing shared keys within a large organization just didn't scale to meet the needs of the enterprise.
So what's new about the work done at the Technische Universitat Darmstadt in Germany? The three researchers there (Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann) were able to develop some new statistical models to crack WEP much more quickly. Attacks on WEP require packets to be generated on the network; the attack they describe uses ARP requests and responses to get the packets needed to crack a WEP key. The researchers claim to be able to recover a 104-bit WEP key with 50% accuracy using just 40,000 captured packets (which they claim is about a minute of capture time), while only 85,000 packets were needed to achieve an accuracy of about 95%. Compared to previous WEP cracking models, which required anywhere from 500,000 to 6,000,000 packets, the work of Tews, Pychkine and Weinmann is pretty impressive.
But why does any of this matter? So WEP can be broken faster now than it could be before. So what? The fact is, while commentators can easily go "Well, gee, everyone should have been using WPA or 802.11i / WPA2 long ago," WEP hasn't gone away. A recent report from In-Stat showed that 36.4 percent of small businesses and 15.9 percent of large enterprises (1000+ employees) still use WEP. While I'd bet that some of those small business users just haven't upgraded as they don't understand the security issue, the larger issue is that a lot of legacy devices (Wi-Fi phones, embedded or lightweight devices, etc.) only support WEP. So you're stuck having to deploy WEP on at least part of your network (on a separate SSID and separate VLAN, most likely) and trying to contain that segment such that, if it is breached, the damage is limited. Or, you're stuck having to buy new devices to replace the insecure ones. Neither solution is terribly appealing. (Another option is to use ACLs or a firewall on a per-device or per-IP basis. That's what Aruba advocates -- Frank Bulk.)
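The containment advice above starts with knowing which SSIDs on your own air still run WEP. The following is an added example, not code from the original note or from any of the vendors mentioned: it parses 802.11 beacon frame bodies (timestamp, beacon interval, capability field, then information elements, as laid out in the 802.11 standard) and classifies each network as Open, WEP, WPA or WPA2. The point it illustrates is that the capability field's Privacy bit alone does not mean WEP, since WPA and WPA2 networks set it too; WEP is the case where Privacy is set but neither an RSN element nor a WPA vendor element is present. The beacon bodies and SSID names are constructed inline for the demonstration; the radio capture and MAC-header stripping that would feed real frames into it are assumed to happen elsewhere.

```python
import struct
from typing import Dict, List, Tuple

# 802.11 capability-information field: bit 4 is the "Privacy" flag.
CAP_PRIVACY = 0x0010
IE_SSID = 0
IE_RSN = 48                                  # RSN element => 802.11i / WPA2
IE_VENDOR = 221                              # vendor-specific element
WPA_OUI_TYPE = bytes.fromhex("0050f201")     # OUI 00:50:F2, type 1 => WPA (pre-802.11i)


def parse_beacon_body(body: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a beacon frame body (MAC header already removed) into the
    capability field and a list of (element id, element data) pairs."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ies: List[Tuple[int, bytes]] = []
    off = 12
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        data = body[off + 2:off + 2 + ln]
        if len(data) < ln:
            break  # truncated element: stop rather than mis-parse the tail
        ies.append((eid, data))
        off += 2 + ln
    return caps, ies


def classify_security(body: bytes) -> str:
    """Order matters: RSN/WPA elements win over the Privacy bit, because
    WPA and WPA2 beacons set Privacy as well. Privacy with no such element
    is the WEP signature."""
    caps, ies = parse_beacon_body(body)
    if any(eid == IE_RSN for eid, _ in ies):
        return "WPA2"
    if any(eid == IE_VENDOR and data[:4] == WPA_OUI_TYPE for eid, data in ies):
        return "WPA"
    if caps & CAP_PRIVACY:
        return "WEP"
    return "Open"


def ssid_of(body: bytes) -> str:
    for eid, data in parse_beacon_body(body)[1]:
        if eid == IE_SSID:
            return data.decode("utf-8", "replace")
    return ""


def audit(beacons: List[bytes]) -> Dict[str, str]:
    """Map each SSID seen in the capture to its security classification."""
    return {ssid_of(b): classify_security(b) for b in beacons}


def wep_ssids(beacons: List[bytes]) -> List[str]:
    """The networks that need a separate VLAN / per-device ACLs, per the note above."""
    return sorted(s for s, sec in audit(beacons).items() if sec == "WEP")


# --- constructed sample frames (not captured traffic) --------------------
def _beacon(ssid: str, privacy: bool, extra_ies: bytes = b"") -> bytes:
    caps = 0x0401 | (CAP_PRIVACY if privacy else 0)      # ESS + short-slot, optionally Privacy
    fixed = struct.pack("<QHH", 0, 100, caps)             # timestamp, interval 100 TU, caps
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return fixed + ssid_ie + extra_ies

# Minimal RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, no RSN caps.
_RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
# Minimal WPA element: OUI/type, version 1, group TKIP, pairwise TKIP, AKM PSK.
_WPA_IE = bytes([IE_VENDOR, 22]) + WPA_OUI_TYPE + bytes.fromhex("0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

SAMPLE_BEACONS: List[bytes] = [
    _beacon("corp-legacy-phones", privacy=True),            # Privacy bit only => WEP
    _beacon("corp-wpa2", privacy=True, extra_ies=_RSN_IE),  # Privacy + RSN => WPA2
    _beacon("corp-wpa", privacy=True, extra_ies=_WPA_IE),   # Privacy + WPA vendor IE => WPA
    _beacon("guest-open", privacy=False),                   # no Privacy => Open
]

if __name__ == "__main__":
    for ssid, sec in audit(SAMPLE_BEACONS).items():
        print(f"{ssid:20s} {sec}")
    print("WEP networks to contain:", wep_ssids(SAMPLE_BEACONS))
```

In practice the input list would come from a monitor-mode capture with the 24-byte MAC header removed; the parser deliberately stops at a truncated element rather than guessing, so a damaged frame yields a conservative classification instead of a wrong one.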