LAN Sharks

The Weaknesses of WEP

The most infamous security problem associated with WLAN systems stems from flaws in a user authentication and data encryption protocol known as Wireless Equivalent Privacy (WEP). WEP was designed to provide security controls for 802.11 WLAN systems, and has two primary goals: to protect the confidentiality and integrity of message transmissions across the wireless network, and to protect access to the network infrastructure by rejecting all non-WEP packets.

WEP encrypts data using a secret, symmetric key that is shared between the communication endpoints (sender and receiver). WEP can be deployed using either a 40-bit or a 128-bit key.

WEP encryption is a two-step process: First, the data frame is checksummed using the CRC-32 algorithm to produce c(M), where M is the original message. M and c(M) are concatenated to create the plaintext P=(M,c(M)). Second, P is encrypted using the RC4 algorithm. RC4 is a stream cipher that requires the use of a keystream to encrypt data. The keystream is a function of an initialization vector (IV) v and the secret, shared key k. The keystream is notated as RC4(v,k). The ciphertext is produced by XORing the plaintext with the keystream. The ciphertext and the initialization vector are transmitted over the radio to the message recipient (see the "WEP Encryption Process" diagram).

Decryption is simply this process in reverse. Because the message recipient has a copy of the same shared, secret key and the initialization vector, she can use it to generate the identical key stream. XORing the key stream with the ciphertext reveals the original plaintext of the message.

In general, stream ciphers like RC4 are vulnerable to several types of attack. If an attacker is able to flip a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper can intercept two ciphertexts encrypted with the same key stream, it's possible to obtain the XOR of the two plaintexts. Knowledge of this XOR enables statistical attacks to recover the plaintexts. Statistical attacks become easier as more ciphertexts that use the same key stream become known. Once one of the plaintexts is known, the others are recovered easily.

The weakness of WEP is the result of how the RC4 encryption algorithm is applied. WEP does have some protections against both types of attack:

• Integrity. To make certain that a packet has not been modified in transit, WEP uses an integrity check (IC) field in the packet.
• Confidentiality. To avoid encrypting two ciphertexts with the same key stream, an initialization vector (IV) is used to augment the shared secret key and to produce a different RC4 key for each packet.

However, both of these measures are implemented incorrectly in WEP, resulting in poor security.

WEP Integrity Vulnerability
WEP uses a CRC-32 checksum to calculate the integrity check field of the packet. However, because CRC-32 is linear, it's possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. That means that flipping any particular bit in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum in the modified message. Because bit flipping carries through after the RC4 decryption, this lets an attacker alter an arbitrary number of bits in an encrypted message, and then correctly adjust the checksum so that the resulting message appears to be valid.

WEP Confidentiality Vulnerability
That an attacker would go to such lengths to corrupt the integrity of WEP messages is possible, although somewhat unlikely. However, there is a much more dangerous problem with WEP that results from improperly implemented initialization vectors. The initialization vector is used to augment the shared secret key; thereby, theoretically producing a different RC4 key for each packet. However, the initialization vector used in WEP is only 24 bits long, which almost guarantees reuse of the same key stream. For instance, a busy access point sending 1,500 byte packets at 11MBps will exhaust this space of IVs after:

That's about five hours. Once an attacker recovers two ciphertexts that are encrypted with the same key stream, he or she can perform statistical analysis to recover the plaintext. This problem is much worse when all mobile stations use the same key, because this creates even more chances of an IV collision.

A variety of tools are readily available on the Internet to crack WEP in the manner just described. WEPCrack was the first publicly available code to demonstrate this attack. WEPCrack was released to bugtraq on August 12, 2001. A more well-known and easier to use tool is AirSnort, which was released by Jeremy Bruestle and Blake Hegerle about one week after WEPCrack. AirSnort operates by passively monitoring transmissions, and computing the encryption keys when enough packets have been gathered. AirSnort usually requires about 100MB to 1GB of data to be gathered prior to calculating the encryption keys. Once enough data has been gathered, an intruder can guess encryption keys in under a second.

In December 2001, RSA Security, in collaboration with Hifn, released a patch called Fast Packet Keying (FPK) designed to repair IV collision problems in WEP. Fast Packet Keying avoids IV collision by generating a unique RC4 key for each and every data packet sent over the WLAN. A special two-phase hashing technique guarantees uniqueness. Fast Packet Keying was selected over more traditional hashing techniques because of its ability to rapidly generate secure keys with RC4.

Whether Fast Packet Keying is really a permanent fix for WEP vulnerabilities remains to be seen. However, even if you can fix all of the problems associated with WEP itself, a lot of other security concerns still remain with WLANs.

What Else Can Go Wrong?

Another serious risk is that WLAN signals are prone to being intercepted far outside the facility in which the network resides. Combined with WEP's inherent weakness, the broad reach of WLAN signals outside the enterprise's physical walls has given hackers an entirely new way to compromise corporate networks. Called war driving, hackers can now find and penetrate unprotected WLANs just by driving around with a laptop and an 802.11 Ethernet card. Although most war drivers will probably just freeload off your Internet bandwidth for a short while, the more ominous possibility of data theft, Web site defacement, or virus planting is also present.

War driving is actually a more common and serious threat than it might initially appear. Although 802.11b wireless signals have a limited transmission radius outside of which computers cannot actively participate in the LAN (300 feet for 802.11b), the signal itself can propagate considerably farther (as far as 2,000 feet for 802.11b). War driving aficionados report that they can identify the presence of a WLAN from as far away as six city blocks using a simple omnidirectional antenna alongside their wireless NIC. Once they know where to look, it's often trivial to move in close enough to join the LAN.

Moreover, war driving is a demonstration of how life is getting easier for hackers. The level of sophistication required to compromise a corporate network is still rather high, but spying techniques that once required expensive hardware and custom software now require a $79 network card and some readily available open source code.

Disabling DHCP is one way to make life harder for war drivers. DHCP is an attractive feature to have on a WLAN, especially if you want to let clients roam between access points. However, it also automatically gives hackers who compromise your network a valid IP address. If you use static IP addresses, the intruder must make the additional effort of figuring out the legal range for IP addresses on your network. To make the network even more secure, keep the range of legal IP addresses small.

If roaming between access points is essential, consider a VPN solution. Layering IPSec, SSH, or SSL on top of WLAN transmissions can go a long way toward keeping eavesdroppers off the network. Vendors like SafeNet and Ashley-Laurent make popular VPN clients that help secure laptops for remote access. The same client software can be used to tunnel IPSec over wireless to a VPN gateway located between the access point and the rest of the corporate network. Wireless VPN solutions are also available from Net Motion Wireless, Columbitech, and Ecutel. Alternatively, you could consider an access point with built-in IPSec, like those offered by Colubris Networks.

WLAN Best Security Practices

Perhaps the most frustrating aspect of WLANs is that they can be deployed not just by properly trained IT folks, but by anyone who can plug a CAT5 cable into a hub. According to a recent report by Gartner, 30 percent of all companies with some type of computer network have a WLAN, either official or rogue. The first step in securing WLAN segments is to perform a network audit that identifies all rogue access points, which can then be brought into compliance with established policy or disabled completely. Network monitoring tool vendors like Sniffer Technologies and WildPackets have products that help administrators detect rogue WLAN traffic.

One fundamental security challenge with 802.11b is that it authenticates hardware, not users. Stolen laptops or forged media access control (MAC) addresses can be used to infiltrate the network. To protect against this, apply MAC filters to restrict access to authorized cards. Track inventory to make sure it stays in the hands of authorized employees, and block MAC addresses that belong to lost or stolen cards. You should also lock down access point management interfaces, just as you would on any perimeter device like a router or firewall. Installing anti-virus and personal firewall software on the wireless clients will keep them clean and prevent back-channels from forming.

Another common security risk introduced by WLANs is related to the Service Set Identifier (SSID). The SSID acts like a network identifier for packets sent over the WLAN. Each 802.11 WLAN access point must be assigned an SSID, and WLAN clients use the SSID when they associate with the access point. Clients that don't know the SSID cannot join the WLAN. So one way to thwart hackers is to keep the SSID as "secret" as possible.

Unfortunately, this is often somewhat difficult, as most access points broadcast their SSIDs. If your access point can be configured to suppress SSID broadcasts, take advantage of it. Otherwise, it's a good practice to change the default SSID that ships with the access point, and to change it regularly. You might even consider using password-generating software to derive new SSIDs.

A standard set of industry best practices has yet to emerge for WLAN security. In the meantime, it's a good idea to carefully consider how WLANs will impact your security policy before you deploy them. Defining an effective security policy means crafting a careful balance between risk assessment, cost, and convenience. The right balance is different for every organization.

Paul is the co-founder and CTO of PrivacyRight, a San Francisco, CA—based developer of secure enterprise middleware. You can contact him at [email protected].