Recently, I came across a publication by Tews, Weinmann and Pyshkin that describes an attack, called aircrack-twp, which can recover a 104-bit WEP key in less than 60 seconds. WEP (Wired Equivalent Privacy) is a protocol used for securing wireless LANs (WLANs) that use the RC4 stream cipher to encrypt transmitted packets under a common key.
The RC4 stream cipher is at the heart of the WEP protocol and is one of the most widely used stream ciphers in the world due to its simplicity and compact software implementation. Packets of information are encrypted using the following method: A 24-bit initialization vector (IV) is chosen for each packet which is concatenated with the secret 104-bit RC4 common key to form the 128-bit per packet or session key. The per-packet key is encrypted through the RC4 stream cipher to produce a pseudo-random keystream. Note that, since each packet has a different IV, the RC4 encryption will generate a unique keystream from one long-term common key. Next, a CRC-32 checksum is calculated over the plaintext to ensure integrity of the text. Finally, the plaintext followed by the checksum is exclusive-ORed with the keystream to produce the ciphertext. The unencrypted IV is sent in the header of the WEP packet.
Aircrack-twp uses the aircrack-ng toolkit, which is readily available on the Web as a key recovery tool, and takes advantage of the weaknesses between the RC4 generated keystream and the common key. This attack is not the first one on WEP, but it does improve on the other, best known attacks, such as the one by Andreas Klein in 2005, by at least one order of magnitude. Aircrack-twp requires significantly less captured packets, and consequently less time to recover the common key compared to other known attacks. Only 40,000 packets are needed for a 50% probability of success. The packets can be captured in less than a minute using active techniques such as deauth and ARP re-injection; the computation takes three seconds and 3Mb of main computer memory on a Pentium-M 1.7 GHz. For a 95% probability of success, an attacker needs 85,000 captured packets.
Despite such publicized vulnerabilities of WEP, the encryption protocol is still widely used around the world. According to RSA’s Wireless Security Surveys, only 49% of wireless access point operators in New York City have upgraded from WEP to more advanced encryption such as WPA (Wi-Fi Protected Access). With such efficient and effective attacks on WEP, why are so many people still using it as their wireless encryption protocol?
When I asked my friend, Jon, what type of security he used for his WLAN, he said that someone else had installed his wireless device and he had no clue. We checked his network and sure enough he was using WEP. To top it off, he was still using the default settings, i.e. username “admin” with no password. I was interested to see what other WLANs were within our range. It turns out that Jon was not alone, as we detected 15 other networks using WEP in his apartment complex. The worse part was that we detected three that were unsecured. (One was named “The Penthouse”; three guesses where this network is located.)
I can understand why some people think WEP provides enough security for their WLAN. Their mindset is that some encryption is better than no encryption at all. Also, networking companies tell consumers that there is nothing to be concerned about since the average person would not know how to mount attacks against WEP. On the D-Link technical support Website, they reassure customers in the FAQs that:
“At this point, it takes some serious hacking abilities to bust into a WEP enabled network so home users should not worry.”
It all comes back to being informed and following best practices. I’m not saying that everyone should subscribe to the Computer Crime Research Center’s newsfeeds (though they do have some eye-opening articles). What I am saying is that you wouldn’t leave your house key under the doormat, so why would you use a vulnerable security protocol that amounts to nothing more than a speed hump to a cracker? It is advisable to use a more advanced security protocol such as WPA or WPA2 and change your password regularly. Passwords should be a mix of letters (upper and lowercase) and numbers, and should not consist of words in the dictionary. This five-minute preventative routine could not only save you money, but time and effort in the future, and would significantly improve the safety of information on your computer.



More...