Wi-Fi security system is "broken"

[Balboa]

Wi-fi security system is 'broken' 

Wireless networks are springing up everywhere
More holes have been picked in the security measure designed to protect the privacy and data of wi-fi users.
The latest attack lets criminals defeat firewalls and spy on where someone goes and what they do online.

It comes after a series of other attacks that, experts say, have left the basic protection in wi-fi comprehensively "broken".

But compatibility issues mean that many will have no alternative but to use the much weakened protection system.

Lock picking

The basic security measure in the technical specification for wireless networks, 802.11, is known as Wired Equivalent Privacy.

WEP encrypts data flying back and forth between a computer and an access point to stop people spotting and stealing confidential information.

It does this using an encryption key but numerous attacks have shown how easy it is to get hold of this key and unlock access to the wi-fi network or your data.

"WEP as a security measure is so broken that your (and everyone else's) kid sister can easily circumvent it," said computer security researcher Ralf-Philipp Weinmann, co-author of the aircrack-ptw tool that can crack WEP in minutes.

Anyone caring about their privacy, said Mr Weinmann, should not use WEP to stop others using their wi-fi hotspot.

Mr Weinmann and his colleagues unveiled aircrack in early 2007 but prior to that three other research teams, in 2001, 2004 and 2005 showed how to circumvent WEP.

The latest attack, created by Vivek Ramachandran of AirTight Networks, tricks a computer into thinking it is logged on to a wi-fi network it trusts. It exploits the basic hand-shaking system in wi-fi to get hold of lots of data it can analyse to crack a key.

While the chance that someone will piggyback on your wi-fi network is low, there have been cases in the UK where this has happened.


Malicious attackers can crack WEP to get at key data
In London one man has been arrested and charged under the 2003 Communications Act for using someone else's wi-fi link without permission.

Alongside this is the risk of people using your broadband connection for potentially criminal activity.

However, said Mark West of the home tech help company Geek Squad, many people are forced into using WEP despite its shortcomings.

"WEP might be all they can run," he said.

The well-publicised problems with WEP have resulted in improved security systems for wireless networks known as Wi-fi Protected Access (WPA).

An improved version of this, called WPA-2, appeared in 2004 but is not yet widely used.

Mr West said backwards compatibility problems might mean that people cannot opt for the better protection found in WPA or WPA-2.

Using either of these requires Windows XP fitted with Service Pack 2, Vista or OS X on the Mac.

Drivers for wi-fi access cards might also need to be updated and the firmware on a hub might also need refreshing. Any other device that tries to link via wi-fi will also need updating.

For many, said Mr West, updating all these separate components could be too much to ask.

A spokesman for BT said that it used WEP on its home hub products because of the compatibility issues.

"We use WEP for a very sensible reason," said the spokesman, "there are a number of devices out there in the marketplace that do not use WPA."

When helping people install wi-fi networks Geek Squad started trying to use WPA-2 but often had to fall back on the weaker protection.

WPA-2 was only made mandatory on wi-fi access points manufactured after September 2006, which means much wireless hardware still relies on WEP.

"It's often the lowest common denominator," said Mr West, adding that it was better than nothing.

He said: "It's more of a deterrent that will prevent most people being able to access that router."

[clarshack]

they've also been saying in recent times that wi-fi poses health risks especially for children:

http://www.dailymail.co.uk/pages/live/articles/health/healthmain.html?in_article_id=449981&in_page_id=1774

[Homer]

Below is a statement from eircom on the issue (the WEP security issue not the potential health risk).
The bottom line is that it's a very small risk and users should change the default setting if they are concerned.

Statement from eircom
eircom takes all issues relating to security of its products and services very seriously and it is our absolute priority to help our customers optimise wireless security on their broadband connections.

eircom distributes Netopia wireless modems to broadband customers enabled with wireless security by default. The security standard used is called Wired Equivalent Privacy (WEP) and provides customers with a simple and easy-to-use level of security.

For ease of use a default WEP key is provided based on the serial number of each modem, although customers can change this WEP key manually. This is the same method of security provided for other international operators using Netopia routers.

eircom was recently made aware of a potential wireless access security issue with the Netopia Wireless modems. A possible vulnerability with the standard configuration or default setting of the WEP protocol was identified. This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an eircom customer's Internet connection. However, when a customer generates their own unique WEP Key or password and does not use the default setting, this security risk is removed.

[armaghniac]

However, when a customer generates their own unique WEP Key or password and does not use the default setting, this security risk is removed.

Exactly, 99% of the problem here is people not locking the door, not the strength of the door.

[Gnevin]

they've also been saying in recent times that wi-fi poses health risks especially for children:

http://www.dailymail.co.uk/pages/live/articles/health/healthmain.html?in_article_id=449981&in_page_id=1774

Well if teachers said it  This takes the biscuit they just don't like it ,no research, no nothing just enquiry please

[clarshack]

However, when a customer generates their own unique WEP Key or password and does not use the default setting, this security risk is removed.

Exactly, 99% of the problem here is people not locking the door, not the strength of the door.

http://hacksfornewbs.blogspot.com/2005/12/how-to-hack-wep-secured-wifi.html

[armaghniac]

http://hacksfornewbs.blogspot.com/2005/12/how-to-hack-wep-secured-wifi.html

well WEP isn't entirely hacker proof, but in many cases the setup is such that there is no need to use these fancy tools. Then you could simply plug out the router when you weren't using it, which would save a small amount of electric and reduce the chances of someone else using it.

[balladmaker]

well WEP isn't entirely hacker proof, but in many cases the setup is such that there is no need to use these fancy tools. Then you could simply plug out the router when you weren't using it, which would save a small amount of electric and reduce the chances of someone else using it.

I think you're missing the point.....people using it is one thing, however, the main problem is people capturing the communication between your PC/laptop and the router i.e. passwords, credit card details etc. etc.

To stop someone else using it, enable an access list i.e. the router will only allow the MAC address of your PC to access it, this will cut out outsiders surfing on your router.  As for WEP, forget about it....WPA alll the way, just as easy to set up as WEP.

[armaghniac]

enable an access list i.e. the router will only allow the MAC address of your PC to access it, this will cut out outsiders surfing on your router.  As for WEP, forget about it....WPA alll the way, just as easy to set up as WEP.

Its a fair point Balladmaker, indeed I have setup both the MAC address and WPA with an unusual key. My point is not to argue for WEP, but simply to say that many people have don't change default passwords and so on.