Wifi networks have been around for a number of years now. At first, the WEP (Wired Equivalent Privacy) encryption algorithm was used to protect network owners from eavesdropping and from misuse of their networks by others. Due to a number of security flaws, however, WEP was superseded by WPA (Wi-Fi Protected Access) and WPA2. Nevertheless, most Wifi networks deployed today in my experience still use the old WEP encryption. Over the years, ever more clever schemes have been devised to crack WEP. The latest combination of attacks can now break the encryption scheme in less than a minute.
WEP started to fall apart in 2001 when Scott Fluhrer, Itsik Mantin, and Adi Shamir published an attack that made it possible to break the cipher by analyzing about 6,000,000 intercepted frames. The number sounds quite large at first. However, users in a highly loaded network can generate the required number of frames in a matter of hours. In 2004 a hacker named KoReK devised a new attack which only required 500,000 to 2,000,000 frames.
Waiting for packets can be tiresome. Unfortunately, WEP is not secured against replay attacks. This can be exploited by injecting intercepted packets back into the network to trigger response frames, each encrypted under a fresh per-packet key, from computers attached to the network. Thus, an attacker no longer has to wait for clients to generate traffic but can trick the attached computers into creating the frames for him automatically. This greatly reduces the time required for an attack.
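As an added example, not part of the original post: a replay detector written from the defender's side, run over a constructed sample of decoded WEP frames (the MAC addresses, IVs and timings are invented). It flags the burst of identical (transmitter, IV, ciphertext) frames that the replay technique described above produces, and counts IV reuse per station as a supporting signal.

```python
from collections import defaultdict, deque

# Constructed sample of decoded 802.11 data frames: (time in seconds, transmitter
# MAC, 24-bit WEP IV as hex, short fingerprint of the encrypted payload).
# The values are invented for this example, not taken from a real capture.
SAMPLE_FRAMES = [
    (0.00, "02:00:00:00:00:aa", "0a1b2c", "f1"),
    (0.10, "02:00:00:00:00:aa", "0a1b2d", "f2"),  # this frame gets replayed below
    (0.20, "02:00:00:00:00:aa", "0a1b2e", "f3"),
    (0.30, "02:00:00:00:00:bb", "77e001", "a9"),
] + [
    # eight identical copies of the second frame, 10 ms apart, as a replay tool injects them
    (1.00 + i * 0.01, "02:00:00:00:00:aa", "0a1b2d", "f2") for i in range(8)
]


def detect_replay(frames, threshold=5, window_s=1.0):
    """Return one alert (transmitter, iv, time) per burst of identical frames.

    A legitimate station moves to a new IV for each frame, so the same
    (transmitter, IV, ciphertext) triple arriving `threshold` times within
    `window_s` seconds is the signature of injected replays.
    """
    recent = defaultdict(deque)  # (tx, iv, fp) -> timestamps inside the window
    alerts = []
    for ts, tx, iv, fp in sorted(frames):
        q = recent[(tx, iv, fp)]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fire once, when the burst crosses the threshold
            alerts.append((tx, iv, ts))
    return alerts


def iv_reuse_per_station(frames):
    """Count, per transmitter, how many IVs appeared in more than one frame.

    With only 2^24 IVs a busy station eventually wraps around anyway, so this
    is a supporting signal, not proof of an attack on its own.
    """
    ivs = defaultdict(lambda: defaultdict(int))
    for _, tx, iv, _ in frames:
        ivs[tx][iv] += 1
    return {tx: sum(1 for n in per_iv.values() if n > 1) for tx, per_iv in ivs.items()}


if __name__ == "__main__":
    for tx, iv, ts in detect_replay(SAMPLE_FRAMES):
        print(f"replay burst from {tx} with IV {iv} at t={ts:.2f}s")
    print(iv_reuse_per_station(SAMPLE_FRAMES))
```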
Now, researchers at the Technical University of Darmstadt, Germany, have refined an attack strategy by Andreas Klein, which is itself based on the original Fluhrer, Mantin and Shamir attack. This new attack requires only 85,000 frames to calculate the cipher key with a success probability of 95%. Together with the replay attack, WEP can now be broken in less than a minute.
All these attacks are not only theoretical in nature. Tools are available for all of them to automate the process. As a proof of concept, the TU Darmstadt researchers have extended one of these tools. More information about their work can be found here.
All of this is quite scary. So if you still operate a Wifi network with WEP encryption, it's time to change to WPA. If your access point does not support it yet, it's time to throw it away and buy a new one.