WEP INSECURITIES
Two researchers from the University of California at Berkeley and one from Zero Knowledge Systems Inc. published a report in 2001 identifying security weaknesses in the Wired Equivalent Privacy (WEP) algorithm.[1] Based on their research, WEP was found to be insecure due to improper implementation of the RC4 encryption algorithm and the use of a 32-bit cyclic redundancy check (CRC-32) checksum for data integrity. These vulnerabilities create the potential for active and passive attacks that could allow attackers to decrypt traffic or inject unauthorized data into a network. Furthermore, the researchers hypothesized that the attacks would not require specialized equipment but could be conducted using readily available hardware sold at consumer electronics stores.[2] (At the risk of losing reader suspense, the prediction was very accurate indeed.) Hackers began automating the exploits once the vulnerabilities were made public.
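The following worked example is added here to illustrate the second weakness named above (CRC-32 as the integrity check); it is not code from the paper or from any WEP implementation. It builds a toy WEP-style frame (plaintext followed by a CRC-32 integrity check value, the whole XORed with a keystream) and shows that, because CRC-32 is affine over XOR, a recipient verifying only the CRC cannot tell a modified frame from a genuine one, whereas a keyed MAC (HMAC-SHA256) rejects the same modification. A random keystream stands in for RC4 output, the little-endian ICV encoding and the sample frame contents are assumptions of this toy, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional

# Constructed sample frame body and the altered version a recipient should reject.
# Both strings are the same length; neither comes from the paper.
PLAINTEXT = b"status=ok host=10.0.0.5 len=0042"
WANTED    = b"status=ok host=10.0.0.5 len=0099"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    This is the property that makes it unsuitable as an integrity check
    under a stream cipher."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def seal_crc(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP-style framing: plaintext || CRC-32 ICV, then XOR with the keystream.
    A random keystream stands in for RC4 output (an assumption of this toy)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return xor_bytes(plaintext + icv, keystream)


def open_crc(ciphertext: bytes, keystream: bytes) -> Optional[bytes]:
    """Decrypt and verify the ICV; return None on mismatch."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def icv_delta(delta: bytes) -> bytes:
    """Change in the CRC-32 ICV caused by XORing `delta` into the plaintext.
    Because CRC-32 is affine, this depends on delta alone, not on the
    (unknown) plaintext, so it can be computed without the key."""
    d = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return d.to_bytes(4, "little")


def seal_mac(plaintext: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    """Same framing, but with an HMAC-SHA256 tag in place of the CRC-32 ICV."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return xor_bytes(plaintext + tag, keystream)


def open_mac(ciphertext: bytes, keystream: bytes, mac_key: bytes) -> Optional[bytes]:
    """Decrypt and verify the HMAC tag in constant time; return None on mismatch."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return plaintext


def demo() -> Dict[str, Optional[bytes]]:
    """Apply the same plaintext difference to a CRC-protected and an
    HMAC-protected frame without the key; report what each receiver accepts."""
    keystream = os.urandom(len(PLAINTEXT) + 32)
    mac_key = os.urandom(32)
    delta = xor_bytes(PLAINTEXT, WANTED)  # bits that differ between the two messages

    # CRC-32 receiver: both the body and the ICV can be adjusted blind.
    ct = seal_crc(PLAINTEXT, keystream)
    tampered = xor_bytes(ct, delta) + xor_bytes(ct[-4:], icv_delta(delta))

    # HMAC receiver: the body can be flipped, but the tag cannot be fixed up.
    ct_mac = seal_mac(PLAINTEXT, keystream, mac_key)
    tampered_mac = xor_bytes(ct_mac, delta) + ct_mac[len(delta):]

    return {
        "crc_receiver_accepts": open_crc(tampered, keystream),
        "mac_receiver_accepts": open_mac(tampered_mac, keystream, mac_key),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the altered message under the CRC-32 receiver and `None` under the HMAC receiver. The defensive lesson is the one later 802.11 security work drew: integrity under a stream cipher needs a keyed, non-linear MAC, not a checksum designed to catch random transmission errors.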
What is 802.11x?
Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in three flavors, namely 802.11b, 802.11a and 802.11g.[3] 802.11b networking equipment first became available in 1999 and quickly gained popularity. 802.11b operates in the 2.4000-GHz to 2.4835-GHz frequency range and can operate at up to 11 megabits per second (Mbps), although it can also reduce throughput to 5.5 Mbps, 2 Mbps or 1 Mbps when interference degrades signal quality.[4] The 802.11a standard increases throughput to a theoretical maximum of 54 Mbps and operates in the 5.15- to 5.35-GHz and 5.725- to 5.825-GHz frequency ranges. 802.11a hardware first became available in late 2001. Because it operates at different frequencies, 802.11a is not compatible with 802.11b hardware. Finally, the 802.11g standard has not yet been approved but promises compatibility with 802.11b hardware, as it too will operate at the 2.4-GHz frequency. The major advantage offered by the 802.11g standard will be increased bandwidth comparable to 802.11a at 54 Mbps.[5]

Confused? For the purposes of this paper, keep in mind that WEP is defined in the base 802.11 standard, not in the individual standards produced by the 802.11b, 802.11a or 802.11g task groups. As a consequence, WEP vulnerabilities have the potential to affect all flavors of 802.11 networks; therefore, this paper frequently refers to WLANs as 802.11x networks.
When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as an IP address and a subnet mask. The channel is a number between one and 11 (one and 13 in Europe) and designates the frequency on which the network will operate (see Figure 1: 802.11b channels). The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic, which is discussed later.