WEP Dead Again

1
WEPDead Again
2
A Brief History

• WEP Wired Equivalent Privacy for 802.11
• Attacks appeared in 2001
• AirSnort
• WEPcrack
• Vendor countermeasures appeared 2002-2004

3
How WEP Works

• Each frame encrypted
• Encryption key WEP key IV
• Source, destination, IV, etc. transmitted in clear

4
The Old Attack

• Sniff traffic
• Collect frames with weak IVs
• Keep collecting for hours, days, weeks. . .
• Crack WEP key in a few seconds

5
Countermeasures

• Elimination of weak IVs
• Per-user keys
• Frequent key changes

6
The Myth

• Countermeasures work
• WEP attacks are impractical

7
The New Attack

• Sniff traffic
• Repeatedly replay single frame
• Collect frames with unique IVs
• Finish collecting in a few minutes
• Crack WEP key in a few seconds

8
More Attacks

• Deauthentication
• Encrypted frame injection
• Arbitrary frame decryption

9
Weak Keys

• Brute force attacks
• Dictionary attacks

10
Wired Equivalent Privacy
Like placing ethernet ports in your parking lot
11
Recommendations

• Never use WEP
• WPA2 or VPN preferred
• Never use WEP
• WPA generally acceptable
• Never use WEP
• Not even Dynamic WEP

12
WPA vs. WPA2

• WPA2 802.11i
• WPA is a kludge
• Pre-802.11i
• Compromises made for backward compatibility

13
WPA Weaknesses

• PSK dictionary attacks
• 802.11x authentication attacks
• TKIP's days are numbered
• Dependence on hardware
• Layer 2 is still exposed
• Often WEP compatible

14
Thank You
Michael Ossmann http//ossmann.com/mike/