WEP (Wired Equivalent Privacy) security warning

This is a copy of an email sent to the CCSP mailing list on August 22, 2001.

Executive Summary:

WEP security is now considered totally broken. If you are using wireless and think you have security via WEP, you need to check your security and probably make changes.

Full Text:

As I'm sure many of you are aware, we've delayed our campus implementation of wireless in an attempt to address security issues. The WEP (Wired Equivalent Privacy) that was part of the 802.11b standard didn't prevent users from being able to see each other's traffic, it could just prevent outside people from using the network and seeing traffic. We said this wasn't good enough to protect student passwords.

We are, however, allowing departments to deploy limited wireless for testing as long as only the staff are using it and you tell us what security measures are being put in place. A few users with the WEP key, or a daily changed WEP key has been considered "good-enough" for non-student traffic.

This has changed in the last few weeks. Renowned cryptographers Adi Shamir and Itsik Mantin of the Computer Science Department of the Weizmann Institute (Rehovot, Israel) and Scott Fluhrer of Cisco Systems Inc. (San Jose, Calif.) presented a report at a cryptography conference August 16-17 that describes a passive attack on WEP that only takes 15 minutes to recover the WEP key -- allowing full use and traffic sniffing by any person that gets the key.

That was bad enough, but on August 20th, a tool called "AirSnort" was released that implements this passive attack. It is available on the web. With the release of this tool, it's very important to know that WEP gets you no security at all, and anyone physically close enough can access the network via your base station.

It is critical that anyone using wireless even in test mode not send clear-text passwords over the wireless network. For now, user education and ssh tunnels are an answer to sniffing issues for these small test groups. There is no simple answer for the unauthenticated access to the network.

If you are not sure if your application or a web page you need to type a password into is sending the data clear-text, please be safe, and wait to use a wired connection. You can use a regular sniffer on a mini-repeater with the computer running the application and see if the password is clear text. We can provide you help with this if needed.

People that have implemented their own VPN should be safe. If you are using the Cisco LEAP security, you need to set your WEP key change rate to 5 minutes or less to avoid being vulnerable.

CCSO has purchased a VPN endpoint for supporting wireless and expects to ask people currently using wireless to move behind it this fall. Traffic will not be allowed off the wireless net except through an encrypted session with the VPN (this encryption is not based on WEP). As we have more detailed information on how this will work, we will let you know.

For more information on what I've described above, here are some reference URLs:

The Shamir, Mantin and Fluhrer paper:
http://www.eetimes.com/story/OEG20010803S0082
http://www.zdnet.com/eweek/stories/general/0,11011,2802134,00.html

AirSnort:
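
The clear-text check described in the letter above, as an added example that is not part of the original email: given payload bytes you captured from your own application and a throwaway test password you typed into it, report whether that password is readable in the capture. The function names, the test password and the four sample payloads are constructed for illustration; the XOR-masked sample is only a stand-in for opaque tunnel bytes, not real encryption.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

BASIC_RE = re.compile(rb"(?i)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M)

def find_password_exposure(payload: bytes, password: str) -> list[str]:
    """Return the readable forms in which a known test password appears."""
    findings = []
    pw = password.encode()
    text = payload.decode("latin-1")  # lossless byte-to-character mapping
    if pw in payload:
        findings.append("raw")
    elif password in unquote_plus(text):
        # Form bodies and query strings carry '!' and ' ' as %21 and '+',
        # so a plain search for the typed password misses them.
        findings.append("url-encoded")
    for match in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue  # malformed header value, nothing to decode
        if pw in decoded:
            # Base64 is an encoding, not encryption: still clear text.
            findings.append("http-basic")
    return findings

# Constructed sample captures (not taken from any real network).
TEST_PASSWORD = "Test!pw 2001"
POP3 = b"USER tester\r\nPASS Test!pw 2001\r\n"
SAMPLES = {
    "pop3": POP3,
    "http-form": b"POST /login HTTP/1.0\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=tester&pass=Test%21pw+2001",
    "http-basic": b"GET /mail HTTP/1.0\r\nAuthorization: Basic "
                  + base64.b64encode(b"tester:" + TEST_PASSWORD.encode())
                  + b"\r\n\r\n",
    "opaque": bytes(b ^ 0xA5 for b in POP3),  # stand-in for tunnelled bytes
}

def audit(samples=SAMPLES, password=TEST_PASSWORD):
    """Map each capture name to the list of exposures found in it."""
    return {name: find_password_exposure(data, password)
            for name, data in samples.items()}

if __name__ == "__main__":
    for name, found in audit().items():
        status = "EXPOSED via " + ", ".join(found) if found else "not readable"
        print(f"{name:10} {status}")
```

An empty result only means the password was not found in these three readable forms; it does not prove the session is encrypted.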

Last modified December 30, 2003