
Chair of IEEE 802.11 Responds to WEP Security Flaws

Jamie Walker writes "The following e-mail is routing around concerning the recent articles concerning security flaws in the 802.11 Wired Equivalent Privacy algorithm. The response comes from the committee Chair." We posted a story about WEP security flaws a while ago, but the submissions keep coming in - here's a response from the top.

Subject: WLAN/ Response of WEP Security
Importance: High

Response from the IEEE 802.11 Chair on WEP Security

Recent reports in the press have described the results of certain research efforts directed towards determining the level of security achievable with the Wired Equivalent Privacy algorithm in the IEEE 802.11 Wireless LAN standard. While much of the reporting has been accurate, there have been some misconceptions on this topic that are now spreading through the media. Befitting the importance of the issue, I am inclined to make a response from the Chair to clarify these issues with the following points:

1. Contrary to certain reports in the press, the development of WEP as an integral part of the IEEE 802.11 standard was accomplished through a completely open process. Like all IEEE 802 standards activities, participation is open to all interested parties, and indeed the IEEE 802.11 committee has had a large and active membership.

2. The acronym WEP stands for Wired Equivalent Privacy, and from the outset the goals for WEP have been clear, namely to provide an equivalent level of privacy as is ordinarily present with a wired LAN. Wired LANs such as IEEE 802.3 (Ethernet) are ordinarily protected by the physical security mechanisms within a facility (such as controlled entrances to a building), and the IEEE wired LAN standards do not incorporate encryption. Wireless LANs are not necessarily protected by physical security, and consequently to provide an equivalent level of privacy it was decided to incorporate WEP encryption into the IEEE 802.11 standard. However, recognizing that the level of privacy afforded by physical security in the wired LAN case is limited, the goals of WEP are similarly limited. WEP is not intended to be a complete security solution, but, just as with physical security in the wired LAN case, should be supplemented with additional security mechanisms such as access control, end-to-end encryption, password protections, authentication, virtual private networks, and firewalls, whenever the value of the data being protected justifies such concern.

3. Given the goals for Wired Equivalent Privacy, WEP has been, and continues to be, a very effective deterrent against the vast majority of attackers that might attempt to compromise the privacy of a wireless LAN, ranging from casual snoopers to sophisticated hackers armed with substantial money and resources.

4. The active attacks on WEP reported recently in the press are not simple to mount. They are attacks, which could conceivably be mounted given enough time and money. The attacks in fact appear to require considerable development resources and computer power. It is not clear at all whether the payoff to the attacker after marshalling the resources to mount such an attack would necessarily justify the expense of the attack, particularly given the presence of cheaper and simpler alternative attacks on the physical security of a facility. Key management systems also reduce the window of these attacks succeeding.

5. In an enterprise or other large installation, the complete set of security mechanisms typically employed in addition to WEP would make even a successful attack on WEP of marginal value to the attacker.

6. In a home environment, the likelihood of such an attack being mounted is probably negligible, given the cost of the attack versus the typical value of the stolen data.

7. IEEE 802.11 is currently working on extensions to WEP for incorporation within a future version of the standard. This work was initiated in July 1999 as Task Group E, with the specific goal of strengthening the security mechanisms so as to provide a level of security beyond the initial requirements for Wired Equivalent Privacy. The enhancements currently proposed are intended to counter extremely sophisticated attacks, including those that have been recently reported on in the press. In addition it needs to be noted that the choice of encryption algorithms by IEEE 802.11 are not purely technical decisions but they are limited by government export law restrictions as well.

8. Certain reports in the press have implied that frequency hopping wireless LAN systems would be less vulnerable to security attacks than other wireless LANs. This is not true given that in such frequency hopping systems the hopping codes and timings are unencrypted and consequently are easily available to an attacker.

9. By far the biggest threat to the security of any wireless LAN is the failure to use the protection mechanisms that are available, including WEP. Any IEEE 802.11 installation where data privacy is a concern should use WEP.

I would like to thank the following long serving members of the IEEE 802.11 Working Group, and those Wireless Ethernet Compatibility Alliance members, for their efforts in assisting me in drafting this response from the Chair to this important issue:

  • Vic Hayes, IEEE 802.11 member & ex-IEEE 802.11 Chair
  • Al Petrick, IEEE 802.11 WG Vice-Chair
  • Harry Worstell, IEEE 802.11 WG Vice Chair
  • John Fakatselis, IEEE 802.11 Task Group E Chair & TGE QoS Sub-Group Chair
  • Dave Halasz, IEEE 802.11 TGE Security Sub-Group Chair
  • Matthew Shoemake, IEEE 802.11 Task Group G Chair
  • Phil Belanger, WECA Chairman & IEEE 802.11 member
  • Greg Ennis, WECA Technical Director & IEEE 802.11 member.

Stuart J. Kerry
Chair, IEEE 802.11, Standards Working Group for Wireless Local Area Networks.
  • "In a home environment, the likelihood of such an attack being mounted is probably negligible, given the cost of the attack versus the typical value of the stolen data."

    The data on the network might not be of much value, but the access to a broadband Cable or DSL connection, possibly as a launching point for a DOS attack, might be worth it to somebody.

  • by Anonymous Coward on Thursday February 15, 2001 @12:23PM (#428722)
    You basically need a laptop, a 2.4GHz receiver, and an antenna.

    You forgot the most expensive resource: tons of time. In order to do anything meaningful without being attached to the wired portion of the network as well, you need to wait for the IV (salt) bits to be repeated. It will take a few hours on a very busy LAN, and months on your home installation. Even after this IV collision, all you get is an XOR of two frames - not nearly enough to recover even one of them. Essentially, a few hours of work yield you one bit of data (not key!). Of course, if you have enough patience to sit (literally!) for years in close proximity (or direct line of sight with a directional antenna) to the target, you may finally be able to fake a few packets on the air.

    Please note that this does not even take into account the cost of tools, since the tools are indeed a one-time investment.

    If you have access to the wired network behind the firewall, breaking into the wireless portion becomes much easier. However, in this case the easiest thing to do would be just to use the wired connection for hacking anyway, and not even bother about wireless. That's what WEP was designed to do: make the wireless piece of the LAN about as hard to hack as the wired one.
  • What concerns me the most is that justifying a security flaw as minor because of the cost involved in exploiting it is completely backwards.

    If anyone can exploit a security hole, then script kiddies get the information out, flaunt it, and completely eliminate the value of the, ahem, stolen, information. If a security hole needs a lot to crack it, then it provides incentives for less than reputable groups to exploit the crack to obtain information to sell to other less than reputable groups.

    I know that a lot of people would disagree with me but I'm a lot more scared of someone who knows information and is totally unethical (think organized crime, terrorist organizations, governments) than some wannabe with no clue what they've got their hands on.

    The M$oft hack proved, IMHO, that people who know what they're doing are going to turn this into an underground industry. Spend $25K on equipment and time, steal $5M in data from private information systems, and resell on the black market for $2.5M. Earn an exponential return on your investment and retire early!!!

    WEP needs to review their security procedures. Their logic is fundamentally flawed.

  • I posted a story earlier in the week, submission number 238.

    I checked back less than 10 minutes later; it was rejected.

    You can't expect me to believe that someone read 200-odd posts, links, etc in less than 10 minutes.

    I think someone checks the story like I check my hotmail account: delete, delete, delete, delete...
  • How much data do you transfer around on your home network that someone else could profit from?
    Whether or not data is important is all relevant. Who would go through the effort and money just to see what your latest troll on Slashdot is going to be about? Don't overestimate your value to the universe, you'll be disappointed.
  • by Meorah ( 308102 ) on Thursday February 15, 2001 @07:34PM (#428726)
    Seriously... if they try, they'll break it. If they have a signal amplifier, they can sniff their way in from the comfort of their home, not "sitting in a car outside the company gates for 24 hours" as we've been led to believe.

    Connectionless-oriented networks will ALWAYS be more susceptible to attack for this reason; POE. One point of entry from any connection-oriented LAN (router) means that hackers have only one way to touch your network, assuming a decent NAT is set up, or a correctly configured firewall... and also assuming each user on the network doesn't have a static external IP address.

    But if you're using a wireless LAN, none of those precautions matter. Once the encryption is broken, you've lost the benefits that a single POE can provide. Now they don't have to pass the NAT and get through the firewall... they can just slink in from some poweruser's account who decided "password" would be sufficient to authenticate him to the server. Hey, we shouldn't be too rough on the guy, at least he didn't leave it blank like some other users I've seen.

    Of course, if you don't know how to set up a wireless LAN and don't even bother installing encryption, and decide DHCP will make everything so much easier, then all the hacker has to do is set himself to grab an available IP off the network, and we're back to guessing any user's password.

    No, they still can't gain root access this way, but they can still do a ton of damage to company data that the user had access to.

    Any company that values their data will keep building network infrastructures and pulling drops of CAT5 through the ceilings and walls.

    I can't wait to see how Intel's internal wireless LAN works. It should be a good test.

    Protector of Capitalist views,
  • by Anonymous Coward
    >What concerns me the most is that justifying a
    >security flaw as minor because of the cost
    >involved in exploiting it is completely

    This statement shows a basic misunderstanding of what security is. All security comes down to a comparison of costs. There is no such thing as absolute security -- all various security measures do is raise the cost of intrusion to the point where the cost of an attack is greater than the value of the data. Even physical security comes down to the same equation -- there is no lock that cannot eventually be picked, an office with no employee that can be bought, or code that cannot be cracked given enough time and money. Being secure only means that when you add up the costs of overcoming all layers of security (physical, network, application) attackers decide not to bother.

    Of course, the cost is not only in terms of equipment but computational cost (i.e. time). For example, a 128-bit key is relatively secure because, given current CPUs, the computational cost of a brute force approach is so high that by the time you've cracked the key the data is worthless, or at least you've spent more money than the data is worth. In a secure installation keys have limited lifetimes during which they can be used, specifically because the 128-bit keys that are secure right now will need to be replaced by 256-bit keys in a few years once someone mass-produces quantum computers that factor prime numbers in constant time (or whatever).

    The security issue with WEP, from what I can tell, is that the vulnerability occurs so rarely (once every few days to months, depending on the volume of data on the wireless segment of the network), and that it needs to occur several times in order to get enough data to compromise the system, that you'd have to monitor a LAN for weeks or months, and then use a lot of CPU to crack the data. So when a security expert says that the cost of the attack is high they don't mean the cost of a transceiver or a laptop, but the total cost of the attack.

    Of course, if you really care about securing an application because it's so valuable that someone would spend weeks in your parking lot monitoring the LAN, you should wrap it in things like SSL, PKI and so on, not whine about WEP. When banks transfer data they often encrypt the data at the physical level (e.g. crypto in the VPN, dedicated lines, etc.), the transport level (e.g. SSL), and the application level (e.g. PGP). Once you've got to decode a set of 40-bit, 128-bit and 1024-bit keys, you're fairly safe given current computational modes.

    And, of course, the best you can do to improve a system's security is make the aspect you care about (e.g. network security) more expensive than the next most vulnerable aspect -- after that, you're wasting money. The thing I keep in mind in these situations is that even if you spend millions to encrypt everything everywhere with 1024-bit keys with a full PKI infrastructure, physical keys for access to critical systems, and so on, the whole system can be compromised through any number of simple cons -- all of which take minimal time, at minimal risk, assuming a typically security-unaware company. You can call the NOC, tell them you're the CEO's new assistant, and that you need the phone number and password for dialing in so that he can dial in and check his email because there's an emergency and he's calling you at $10 a minute from an airplane half way to Seattle, and if you don't call him back with the information in five minutes you're fired... (and sound panicky). Or you can break a window in the middle of the night, connect to the LAN, and have full access to the network. Or you can get a temp job with the company. Or you can compromise an employee in return for money/sex/respect. Since any of these methods can more fully compromise a LAN in a matter of days, I wouldn't obsess over this WEP issue -- there's no point in holding WEP up to some extreme standard of security when you're not willing to take more basic measures first.
  • Even 1024-bit RSA encryption is a trade-off, in terms of assuming that the cost in time and computing cycles to factor the key is not worth the data being encrypted.

    So true... I know I routinely encrypt data which is worth far more than the planet's computing resources. Nope, 1024-bit RSA might be good enough for military secrets but my e-mail needs real security.

    WEP provides minimal security, hopefully equivalent to the difficulty of plugging in to a wired network (hence the name).

    The really annoying thing about the WEP weaknesses is that it didn't have to be so lousy. RC4 is a perfectly good encryption algorithm and the correct ways to use it are very well known. The WEP weaknesses weren't a result of deliberate security/performance tradeoffs, they were a result of cluelessness. Two tiny changes (using a larger IV and using a secure hash algorithm instead of CRC-32) fix all the identified problems!

    I obtained my first network experience on my college network, and let me tell you, I'd feel a lot better about 802.11 with WEP than I used to about ethernet in my residence hall!

    Although this statement is funny, it misses the point. The ethernet in your residence hall was a wide-open book... IF you could plug into it. Someone standing on the lawn with a laptop was out of luck, unlike on a WEP network.

  • by Anonymous Coward
    I think you totally ignore the nature of the vulnerability. This is not a security hole like the ones in the kernel. Even if the tools are developed (big if, Berkeley guys did not even attempt to build these!), the kiddies will still have to spend long weeks in your parking lot in order to get a few bits of data. The statistical nature of the issue does not reveal the key or data, it just provides a clue (close to one bit) of data every time the keys collide. Key collision is a rare event (once in many hours on a busy LAN), so many days in the parking lot will be rewarded by a few randomly chosen bits of data. Low payoff? Yes - that's why kiddies are unlikely to mount such an attack.
  • The real cost of an attack is the cost of spending days to months monitoring a network, and then the time analyzing the data.

    Yes, but as the Berkeley vulnerability paper states, the 'dictionary attack' method will gather the full set of cipher possibilities in a matter of about 48 hours, recording them to a 12 gigabyte disk. From then on it's simple search and replace on a packet-by-packet basis. No brainwork or months of computational power required.

    Kevin Fox
  • Does anyone know if that would work?

    I'm not sure if you meant whether or not the white noise generators would stop tempest snooping or if "The Man" can get a warrant based only on suspicion. So I'll take a stab at the computer part since I'm lazy.
    The FCC says that all electronic equipment licensed for use in the home can't interfere with any other equipment. Any equipment capable of interfering electronically with anything else needs to be licensed, like your TV remote or Nomad Jukebox. My computer doesn't interfere with the TV that I own, or the cordless telephone that I don't own but my neighbor just bought. Tempest snooping works by monitoring/interpreting EM emissions from your computer. Computers output a poop load of EMR (r for radiation) and the only way to shield it is by putting enough insulation between it and the rest of the world.
    A friend of mine was in the military and one of his biggest complaints (other than working on 386's only 2 years ago) was that they were HEAVY as hell. When I asked why he said, "They're shielded in case of a directed EMP."
    btw, directed EMP really means "In case we get nuked."
    "Me Ted"
  • Actually you need a copper mesh and a high quality grounding source. And you need to put "other" signals into the mesh.
    If you're clever, you can create an emission source that appears to be what would be on a "typical" computer when in fact you're doing something else.
  • The concept is great, I can put in a system anywhere and for a few hundred metres or so I get a full LAN connection without loads of expensive infrastructure.

    Let's look at it again. Drive along the road in a financial centre. How far apart are the banks? They are a few metres apart, often sharing walls. In theory, if a bank was using WEP, I could sit in Frankfurt in one bank and could access the trading network of another bank. This is not

    If I have a secure campus, WEP is fine, otherwise, let's just forget about the security. I looked at it once for an application, but we were going to encrypt everything interesting before it went out to the WEP box. It would be effectively on its own LAN but we were still worried because the WEP box was updateable/reconfigurable over the air.

  • "Bad security is better than no security. With bad security, you *think* you're safe. With no security, you know you aren't."

    A system using 128 Bit WEP thinks it's secure. A system using 0 bit WEP uses IPSec* and actually is.

    Yours Truly,

    Dan Kaminsky, CISSP
    DoxPara Research

    * Yes, IPSec is an utter horror to configure. It manages to work, which is more than I can say for WEP!
  • Nope. Keyboards and flat panels are safe. Point is that monitors use a high voltage to scan the screen, which produces mucho electromagnetic signals to pick up - quite possibly from enough distance that you don't have to be in the same building. This is at a fixed frequency which is fairly easy to pick up, and there's nothing much else of the same kind of emissions level to interfere with it.

    Keyboards and screens use 5V or less to (respectively) send data down the cable and to scan the screen. This is happening at fixed frequencies, but it's such a low voltage that you'd need an extraordinarily sensitive receiver placed pretty damn close to the equipment. Point is that signal strength is proportional to the SQUARE of the voltage. A 5V signal doesn't produce 20 times less EM noise than a 100V signal, it produces 400 times less!

    And if you did have this extraordinarily sensitive receiver, it'd be swamped by the broad-band noise generated by the processors, RAM, etc which are also giving off the same kind of emissions. Never mind the shielding which every bit of kit has to try and prevent it giving off EM emissions.

  • Y'know, it's starting to burn my butt.

    This guy spent a couple of kilobytes using valuation judgments to justify the failure to put adequate security in his network specification.

    But how the hell does he know what I'm going to be sending over the network?

    Even if I have crypto in every other layer of my stack, I would still want good security from the airlink box. But here it's not even a standardized option.

    He had a chance to do something immutable and wise, and he blew it.

  • I went to your slashduh site, expecting something interesting. Let me just say, stealing someone else's clipart is tacky and unprofessional. Unless you were sanctioned to do so, shame on you.

    Besides, if you can't even cook up your own clipart, how creative can you possibly be?

  • I thought this was a problem in IEEE 802.11b, not IEEE 802.11. I think I am missing something but I only heard about the problem in IEEE 802.11b. Is b just an extension of IEEE 802.11, and if so what is IEEE 802.11?


  • by X ( 1235 ) on Thursday February 15, 2001 @11:20AM (#428739)
    First of all, I dispute that a lot of resources are required to crack these systems. You basically need a laptop, a 2.4GHz receiver, and an antenna. The laptop (assuming it's new) should provide more than enough computing power for this job. Sure you need some software, but really, how much longer do you think it'll be before script kiddies will have access to software to do this for them?

    I also dispute that your average enterprise network provides adequate security to protect its data even in the event that WEP is compromised. Most corporate security systems I know essentially assume that unwanted parties cannot join the network and listen in on traffic. If I break the WEP key for a network, this assumption becomes invalid. The attacker can then watch as proprietary documents get passed over the network (normally documents move unencrypted) and read them.

    As for the "wired-equivalent" aspect of this. I can't remember a wired network that I could compromise without having to get physical access to a network jack. Corporations could increase their security based on how hard they made it to get to those jacks. Indeed, in some cases there are no controls, but in most companies, there are at least some controls and companies have the option of significantly increasing the physical access security. WEP does not provide an equivalent to this (indeed, I'm not sure there's a clear standard meant by "wired-equivalent").

    Finally, after reading over the material on this, I have to say that the WEP group just went about this fundamentally the wrong way. They tried to use RC4 for authorization, which it's not particularly well suited for. They also effectively tried to use a single key for both authorization and encryption. They used 24-bits of variability to protect against RC4 compromise, even though that's significantly less than one would need. All of these are no-no's, and the WEP group should have been aware of these problems (and made some effort to address them).

    It is possible, today, to do wireless communications securely. WEP could have employed existing proven approaches, but instead they rolled their own. Guess what happens when you do this boys and girls?
  • The same time Slashdot was down last night, Yahoo on its front page mentioned MS demoing Windows XP, yet there's nothing on Slashdot mentioning it. Coincidence? I'm going to have a talk with the acronym committee chairs about this one.
  • The "Reply from the Chair" states several times that the prohibitive cost of an attack is a rationale for saying there is a low risk of such an attack, especially in a residential or other low-security setting. The logic used to reach this conclusion is flawed.

    One thing to be clear on here is that the efforts used by the Berkeley group to find these shortcomings, while significant, were not only not extraordinarily expensive, but they were also one-time costs. The legwork has been done, and replicating this work to sniff new networks would not be expensive, beyond using the proper software, a slightly modified Orinoco card, and a 12 gig hard drive. This is hardly beyond the means of someone even casually interested in another's data.

    Kevin Fox
  • 802.11 describes ethernet over RF at 2Mbps, freq. hopping, and DS/SS[1]. 802.11b describes ethernet over RF at 11, 5.5, and 2 Mbps over DS/SS. Freq. Hopping may have been recently added (I'm not certain), but I don't know if it was incorporated into 802.11b or if it is its own standard -- it was not, however, part of the original 802.11b.
    I (and my Netadmin and RF Engineer) are of the belief that WEP was part of 802.11b, but not 802.11. We haven't read the specs in awhile, so don't quote us.


    [1] Direct Sequence Spread Spectrum
  • I'm no infosec wizard, but I believe it's not actually that hard to "Snoop from the comfort of the house across the street".

    For quite some time the technology has been around to avoid a "middle of the night" break-in by Big Brother. A Dutch scientist by the name of Wim van Eck published a paper entitled "Electromagnetic Radiation from Video Display Units: An Eavesdropping risk?" which was published in the "Computers & Security" journal. In it he talks about electromagnetic emissions from CRTs which can be intercepted, reconstructed, and viewed from a remote location.

    I understand why wireless tools increase risk, but we the people cannot forget that what we read, what we write, whatever appears on our computer monitors *can* be intercepted.

    Again, I'm no infosec wizard, and I'm still learning a lot, but I believe TEMPEST (Transient ElectroMagnetic Pulse STandard) standards (redundant?) detailed in NACSIM 5100A (a document classified by the NSA) tell the amount of shielding necessary. But...if we knew how to protect ourselves -- we couldn't be watched.

    What I'm trying to say is -- although new standards present new troubles, don't forget about the dangers out there now.


  • thank you.
    people run around whining about how important their data is (doubtful), but they won't learn how to use pgp. sheesh.
  • by Dr.Evil ( 47264 ) on Thursday February 15, 2001 @11:59AM (#428745)

    Every security mechanism is a trade-off of security for convenience. Even 1024-bit RSA encryption is a trade-off, in terms of assuming that the cost in time and computing cycles to factor the key is not worth the data being encrypted.

    Furthermore, one must keep in mind that this is only network-level encryption. There is nothing preventing further, more secure encryption at the transport or session layers. WEP provides minimal security, hopefully equivalent to the difficulty of plugging in to a wired network (hence the name). As always, it is the decision of the network admin/user to supplement this with further security measures. For example, if you're worried about your home wireless LAN being snooped upon, use SSL communication between your machines.

    I obtained my first network experience on my college network, and let me tell you, I'd feel a lot better about 802.11 with WEP than I used to about ethernet in my residence hall!

  • Even if a home user was moving important data over their home network (which most aren't) how would anyone know about it? THEY WOULDN'T. To a hacker your network full of important data will look just like a home network with useless data unless he takes the time to hack in, which would not be worth his time since it would probably just be useless data. So WEP would protect you in that way. Let's say for instance that you are really worried about your data or people actually know you move important data on your network. You would have a very good incentive to set up a strong firewall and COMBINE that with WEP for a more complete security solution.

    But why should the average user go through that trouble? Why should they have to shell out the cash when WEP would be enough of a deterrent and FREE? So, WEP is good in either case and is a great advance to make security a standard.
  • by Anonymous Coward
    Once the exploit is widely available the protection system will provide no protection whatsoever.

    Please read the original article. The vulnerability is statistical. Even if the tools are "widely available", you will get an equivalent of few bits of data (randomly chosen!) every few hours. Hardly "no protection".
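The IV arithmetic behind the "few hours on a busy LAN" and "a few bits every few hours" estimates in this thread, plus a monitor-side check for IV reuse, as an added example that is not from the thread or the 802.11 standard. The frame records are constructed; the birthday-bound formulas assume IVs chosen uniformly at random, while `hours_to_exhaust_iv_space` covers a sequential counter, and the 48-bit "larger IV" size is my comparison point, not a figure from the thread.

```python
"""WEP-style 24-bit IV: how soon the key stream repeats, and a log check
for IV reuse.  Added example, not from the thread or the 802.11 standard."""
import math
import random
from collections import defaultdict

WEP_IV_BITS = 24            # the IV size the thread refers to
LARGER_IV_BITS = 48         # assumed size for a "larger IV" comparison


def expected_frames_until_first_repeat(iv_bits: int) -> float:
    """Birthday bound: with N = 2**iv_bits IVs drawn uniformly at random,
    the first repeat is expected after roughly sqrt(pi * N / 2) frames."""
    n = 2 ** iv_bits
    return math.sqrt(math.pi * n / 2)


def repeat_probability(iv_bits: int, frames: int) -> float:
    """P(at least one IV repeat among `frames` random IVs)
    ~= 1 - exp(-k(k-1) / 2N), the usual birthday approximation."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


def hours_to_exhaust_iv_space(iv_bits: int, frames_per_second: float) -> float:
    """A sequential IV counter wraps after 2**iv_bits frames; at a steady
    frame rate this is how long until the same key stream is reused."""
    return 2 ** iv_bits / frames_per_second / 3600.0


def simulate_frames_until_repeat(iv_bits: int, seed: int = 1) -> int:
    """Draw random IVs until one repeats and report how many frames it took
    (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    n = 2 ** iv_bits
    seen = set()
    count = 0
    while True:
        iv = rng.randrange(n)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


def find_iv_reuse(frames):
    """frames: iterable of (frame_no, iv, transmitter) records as a monitor
    might log them.  Under WEP all stations share one key, so two frames with
    the same IV from *any* transmitters were encrypted with the same RC4 key
    stream.  Returns {iv: [frame_no, ...]} for every IV seen more than once."""
    seen = defaultdict(list)
    for frame_no, iv, _tx in frames:
        seen[iv].append(frame_no)
    return {iv: nos for iv, nos in seen.items() if len(nos) > 1}


# Constructed sample: station A counts upward, station B restarts its counter
# at 1 (as a card that restarts its counter on reset would), so IVs 1 and 2
# are reused across the two stations.
CONSTRUCTED_FRAMES = [
    (1, 0x000001, "A"),
    (2, 0x000002, "A"),
    (3, 0x000003, "A"),
    (4, 0x000001, "B"),
    (5, 0x000004, "A"),
    (6, 0x000002, "B"),
]


if __name__ == "__main__":
    for bits in (WEP_IV_BITS, LARGER_IV_BITS):
        print(f"{bits}-bit IV: first repeat expected after "
              f"~{expected_frames_until_first_repeat(bits):,.0f} random frames; "
              f"P(repeat within 5000 frames) = {repeat_probability(bits, 5000):.3g}")
    # 1000 frames/s is a busy-LAN assumption, not a figure from the thread.
    print(f"24-bit counter wraps after {hours_to_exhaust_iv_space(24, 1000):.2f} h "
          "at 1000 frames/s")
    print("simulated frames to first random-IV repeat:",
          simulate_frames_until_repeat(WEP_IV_BITS))
    print("IVs reused in constructed log:", find_iv_reuse(CONSTRUCTED_FRAMES))
```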
  • Forget that, I want one of those talking chairs.
  • The Berkeley group presented a mathematical explanation of how WEP could be attacked, but as far as I could tell they never actually went out and did it against a real live network.

    Their description said it would require sitting there and recording all packets sent for an entire day or so. Then you still have to play cryptographic games and make guesses about what plaintext corresponds to what data. Are there downloadable kits to do this?

  • Three words for you my friend: Flat Panel Displays.
  • wow someone else has seen that shit. that is so fucking funny how are you gentlemen!!! all your base are belongs to us
  • I was searching on the web, and found a program call AiroPeek that does wireless LAN sniffing, etc.
    the beta is at eta []
    Bring on the script Kiddies!!

  • If you look at the time and date I submitted the story it was over a week ago. So it's been sitting there for a week, then this story comes along and it was rejected then. I have also had stories rejected within 10mins of me submitting them. I just thought it was odd that it was pending for so long.
  • Wait a minute. Because people won't take proper precautions to protect their own damn data, it's the Chair of this standards committee's fault? He simply presented options, the same options one has with any network. I fail to see how the irresponsibility of others is in any way his fault. If you want to protect your data, do so. If you're a sysadmin and are tasked with protecting your company's data, do so. But blaming this guy for preserving the choice is crap.
  • It's the standards committee's fault for a) stating that WEP provided security equivalent to a wired connection and b) claiming that normal enterprise security mechanisms would mitigate the threat anyway. Having WEP and not having WEP doesn't make much difference in terms of securing your data, and that's the truth.

    He stated that normal enterprise security should protect data in the event that someone cracks WEP, and that's total BS, because the potential for snooping with WEP on a normal enterprise security environment (and I don't know of many enterprises that use encrypted-network filesystems) is much larger than in a wired network (where for starters switches make it much harder to snoop out random traffic).
  • One other thing that they mentioned is that it's possible to break the encryption by spoofing packets. All you have to do is to guess the IP address of a packet and you can inject a second packet with the IP changed to one of your choice. It automatically gets decrypted at the base station and sent to your choice of destination. This would then give you the basis for a known ciphertext attack, which would obviously be bad. The potential for this kind of attack is very serious.

  • You are right to be outraged at this blatant abuse of the god-like power that control of Slashdot's story queue has bestowed on the editors of this site. Fight the man! Perhaps you should get together with others who have been similarly wronged to mount a class-action suit for all your emotional suffering.
  • I think that the most important thing everyone should remember is the restrictions the 802.11 group was under when they defined WEP. US regulatory export controls would not allow anything stronger. It would have been restricted as "munitions". The 802.11 group could have defined something stronger but that would have killed its market viability. If anything, this should be a clear example of why the government regulatory controls over encryption can be a bad thing.

    As it is, when the US relaxed its controls, the 802.11 TGe started work on improving the security.

    It's pretty easy to sit around now and bitch about what is shipping in products but you have to look at all things to understand why 802.11 is what it currently is. Don't piddle around bitching that they did the "wrong" thing. The 802.11 working group was/is made up of some very bright individuals from all over the world.

  • Where is your proof that your Flat Panel Displays are safe from "TEMPEST" attacks?

    AFAIK TFT screens give off very similar signals as CRTs - good old raster line stuff. Your keyboard gives off stuff too.

    Basically anyone who can and wants to attack WEP could use "TEMPEST" type attacks instead. That way the info is not encrypted at all.

  • This guy spent a couple of kilobytes using valuation judgments to justify the failure to put adequate security in his network specification.

    Who defines adequate? WEP is adequate for me most of the time. I'm not worried about someone hiding in the bushes trying to hijack my plaintext /. password. You want it, take it, for that much effort. When I access my bank account I'll do it over an SSL connection though, because in that case WEP isn't adequate.

    Precisely because the 802.11 group doesn't know what kind of data will be sent over the air they leave the responsibility of real encryption to the user. Putting better security as part of the standard would make it more difficult (read more expensive) to implement. That means it would have less of a chance of catching on. Unfortunately it isn't usually the best technology that wins out, but the best price.

    Already it's pretty damn expensive when you figure $299 for an access point, and $125 per station card.

    I dunno, maybe some of the people that have black helicopters following them ought to form a company, join the 802.11 working group, submit an addendum, and make a high security 802.11 product.

    - RiBread

  • On the other hand, I have yet to discover, or see described, a mechanism for even getting the SSID of a network.

    If I have understood correctly that the SSID is the "name" of the network, it's trivial if you have a PowerBook with AirPort installed. While I haven't yet found something that will display them automatically in real time, there is a pop-up menu which will display all the ones it currently sees. Even ones using 128-bit WEP, which the AirPort card does not support.

    Just position the AirPort control panel strip thingy to the left side of the strip, hold the PowerBook sideways with the mouse button on the left and the cursor over the strip, then drive down the road clicking on the button every few seconds. In a big city, you can surprise yourself by how many you see.

    But you still can't connect if it's encrypted and you don't know the WEP key.

  • I've been asking similar questions for a while now. Many people are willing to say that it's easy to sniff wireless packets, and it's a security risk, etc., etc.

    On the other hand, I have yet to discover, or see described, a mechanism for even getting the SSID of a network. I believe that the SSID or some algorithm using the SSID is used to seed the sequencer for spread-spectrum. If I can't track the sequencer, I can't even get the packets I need to hack... Certainly there are social ways of getting that SSID, but how are you going to sniff my packets from the parking lot if you don't know it?

  • Not so easy if you have it set up the way a security conscious person would:

    firewall-- Wireless LAN
    Normal LAN

    The firewall doesn't let any thing in or out by default. You have to surf using proxies.

    No UDP going through either. So you have to be so "L337" that you can spoof a TCP connection by altering bits of an encrypted packet.

    Good luck in this scenario.

    Sure, not everyone does this. But usually those people don't even use WEP ;).

    If you're a script kiddie your targets are those who don't use WEP.

    I'm not sure who would target someone who'd use WEP, but not do it securely. In any case, doing a TEMPEST attack might be more productive. e.g. use TEMPEST to get the keys to WEP. Then use WEP with the snarfed keys. Or just use TEMPEST to get the data directly if possible.

  • wlandump

    next time do some research before asking a question.
  • I guess my point is that, like every security technology, WEP is a trade-off between speed and security. Granted, it might not be as strong as some would like, but the plain fact of the matter is that it takes processor cycles to encrypt and decrypt individual packets, and using encryption of the strength that is needed for Fort Knox-like data security over a wireless protocol isn't worthwhile for most users. Once again, the point is to further protect your own sensitive data - why depend on the network layer to do it for you?

  • Of course, like all security, the more paranoid you are, the more it starts to inconvenience you. With copper mesh in the walls you would be largely unable to use any device that receives a wireless signal from the inside. No cell phones, no rabbit ears for the extra TV that you don't have cable for, no listening to the radio inside, no HAM radio (unless you use an external antenna), no pagers... You get the picture.

  • Using your same argument, having a lock on my front door is pointless because there are widely available exploits that will very quickly and easily allow any person with very little skill to compromise the lock. Yet I still take the time to lock my door.

    Second, your conclusion assumes another premise that you do not claim, "Wired LANs have x amount of protection."

  • My point is that TFT LCDs aren't necessarily safe. Maybe you have 5V flat panel displays, but most of the popular ones I see use TFTs.

    Here's my info for TFT LCDs:

    Relevant quote: "Monitor buyers should not assume that so-called low-radiation monitors, or even LCD screens, provide any Tempest protection; we found that some modern TFT-LCD laptop displays give clearer reception than many cathode ray tubes."

    indicates that at least someone else doesn't think it's necessarily safe.

    AFAIK TFT LCDs run on higher voltages than 5V.

    X times less isn't trivial to pick up, but neither is cracking WEP.

    I'd like to see better evidence before I believe you.

  • I guess my point is that, like every security technology, WEP is a trade-off between speed and security. Granted, it might not be as strong as some would like, but the plain fact of the matter is that it takes processor cycles to encrypt and decrypt individual packets, and using encryption of the strength that is needed for Fort Knox-like data security over a wireless protocol isn't worthwhile for most users.

    Sorry for the very late response -- I've been traveling for the last two weeks.

    My point is, that the WEP protocol already spends all of the cycles needed for "Fort Knox-like data security", but doesn't achieve it. It does use strong encryption (and all of the corresponding processing time which, really, isn't much), but contains minor flaws that break it. Fixing the flaws would cost nothing in performance.

    To summarize, the weaknesses in WEP aren't a deliberate engineering tradeoff, which I could understand and respect, they're a result of simple incompetence.
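As an added example (not code from this thread, the IEEE, or any vendor), the following Python toy shows the integrity flaw behind the bit-flipping injection described in an earlier comment and why the fix "would cost nothing in performance": a CRC-32 checksum under a stream cipher lets an altered frame still verify, while a keyed HMAC over the same frame rejects it for a few microseconds of extra work. The SHA-256 counter keystream standing in for RC4, and every key, IV and payload, are constructed for the demonstration.

```python
# Added example, not code from the Slashdot thread or the 802.11 standard. It
# shows why a linear checksum (CRC-32, like WEP's ICV) under a stream cipher
# gives no integrity, and that a keyed MAC closes the gap at negligible cost.
# Toy SHA-256 counter keystream stands in for RC4 (assumption); key, IV and
# payload are constructed values.
import hashlib, hmac, zlib
IV_LEN = 3  # WEP-style 24-bit IV prefixed to each frame

def keystream(key, iv, n):
    """Toy stream cipher: SHA-256 in counter mode (NOT RC4; demo only)."""
    blocks = [hashlib.sha256(iv + key + bytes([c])).digest() for c in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_check(pt, iv=None, mac_key=None):
    """WEP-style ICV: unkeyed CRC-32 of the plaintext (affine in its input)."""
    return zlib.crc32(pt).to_bytes(4, "big")

def mac_check(pt, iv, mac_key):
    """Hardened ICV: keyed HMAC-SHA256 over IV and plaintext, 8-byte tag."""
    return hmac.new(mac_key, iv + pt, hashlib.sha256).digest()[:8]

def encrypt(key, iv, pt, check, mac_key=None):
    body = pt + check(pt, iv, mac_key)            # WEP layout: pt || ICV
    return iv + xor(body, keystream(key, iv, len(body)))

def decrypt(key, frame, check, mac_key=None):
    """Plaintext if the integrity check passes, else None (frame rejected)."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ct, keystream(key, iv, len(ct)))
    n = len(check(b"", iv, mac_key))
    pt, tag = body[:-n], body[-n:]
    return pt if hmac.compare_digest(tag, check(pt, iv, mac_key)) else None

def tamper_in_transit(frame, offset, mask, pt_len):
    """Flip plaintext bits through the ciphertext without the key. CRC-32 is
    affine, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the ICV fix-up
    depends only on the mask; a keyed MAC has no such relation."""
    d = bytearray(pt_len); d[offset:offset + len(mask)] = mask
    icv_delta = xor(crc_check(bytes(d)), crc_check(bytes(pt_len)))
    body = bytearray(frame[IV_LEN:])
    body[offset:offset + len(mask)] = xor(body[offset:offset + len(mask)], mask)
    body[pt_len:pt_len + 4] = xor(body[pt_len:pt_len + 4], icv_delta)
    return frame[:IV_LEN] + bytes(body)

def demo():
    key, iv, mac_key = b"constructed-wep-key", b"\x01\x02\x03", b"constructed-mac-key"
    pt = b"DST=10.0.0.1 payload"                   # constructed frame content
    off, mask = pt.index(b"10.0.0.1"), xor(b"10.0.0.1", b"10.0.0.9")
    crc_frame = tamper_in_transit(encrypt(key, iv, pt, crc_check), off, mask, len(pt))
    mac_frame = tamper_in_transit(encrypt(key, iv, pt, mac_check, mac_key), off, mask, len(pt))
    return decrypt(key, crc_frame, crc_check), decrypt(key, mac_frame, mac_check, mac_key)
```

`demo()` returns the altered plaintext accepted by the CRC receiver and `None` from the HMAC receiver, which is the whole difference between a checksum and an integrity check.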

  • 2001-02-06 12:37:59 Wireless LAN followup (articles,Privacy) (rejected)

    But it got rejected...

    Read what I posted here []

    It's not the same as above, it's a different story, but it's related.

  • by Anonymous Coward
    I wanna see this talking chair.
  • by Anonymous Coward
    He says:
    This gives me absolutely zero confidence in these guys.
    For chrissakes, they're the flipping IEEE! This isn't a couple of guys sitting around drinking beer, reading tattoos to each other off the other's back. If you can't have confidence in them--the body that defined nearly all the standards that make every electrical appliance in your home work today--who should you have confidence in?

    Damned contrarian Slashdot bastards. Get a clue.

  • Who cares about security in the Windows Entertainment Pack? I just wanted to play Mah-Jongg...
  • What concerns me about the push towards "wireless" protocols such as Bluetooth is that it increases the vulnerability of internet traffic, no matter what measures you take to keep it secure. Well, I suppose you could use narrow-beam lasers to transmit the information, but in reality there is going to be far more opportunity to listen in with no chance of such listening being detected.

    I'm sure that certain government agencies would love for people to be using this. Rather than actually having to go into peoples houses with all the Fourth Amendment difficulties that entails (or at least should; the Fourth has been gutted by successive governments in the last eighty years), they can simply snoop on you from the comfort of the house across the street if their instruments are good enough.

    How is anyone going to keep anything private if this happens? It has been shown time and time again that governments are interested in nothing more than maintaining their own power at the expense of citizens rights. And most people just don't care enough for this to be a problem.

    Hopefully our new Attorney General will hold to the Constitution better than the last one did. Because otherwise travesties like Waco will happen again, where our Constitutional rights are taken away by stormtroopers masquerading as law enforcement.

  • What is the point of proving equivalent privacy? I agree with the point that existing LANs are not particularly secure (especially from internal actors). However, creating a security system for wireless LANs (which of course lack physical protection) that only offers weak protection seems pointless.

    Let's look at in the way my 8th grade logic teacher would.

    A. If the protection (encryption, procedure implementation, etc) is weak it will get broken.

    B. When it is broken the exploit will be available to everyone. (not necessarily, but usually true).

    C. Once the exploit is widely available the protection system will provide no protection whatsoever.

    No protection is less than some (physical) protection.

    Therefore the protection is not equivalent.

    Now of course there is one other thing. The DMCA makes it illegal to break even bad encryption. So I guess it is just as illegal to view WEP protected data as it is to break into a building.

  • Well, if you're really paranoid, you could start by putting white-noise generators on your windows. Of course, if Big Brother notices they can't read your computer screen, they might try to convince a judge to grant a search warrant because you are clearly hiding criminal activity. Does anyone know if that would work?
  • H: Dude, what's it say on my back?
    CN: d00d! What's it say on mine???
    H: l33t! What's it say on mine, dude???
    CN: d00d! Come on, what's it say on mine!?!?!???
    H: L33T!!!