Privacy and security issues never seem to be out of the news – whether it be high profile data breaches, or our personal information being shared with organisations. Home automation being used by criminals or private CCTV footage being publicly broadcast.

Wireless in our lives has also become more prevalent over the last few years. Whether it’s used in our home, at work or simply out and about at our favourite restaurant. Wireless connectivity is, pretty much, everywhere for us to consume.

Over the years, wireless security has certainly improved and adapted with changing times. However, that being said, for those with wireless solutions that have been in place for many years it is likely that you simply haven’t changed. So, let’s start by looking at how insecure WEP (Wired Equivalent Privacy) is and why you should ensure that you are not running this on your network.

WEP has been commonly used to protect wireless networks on many routers over the years. In some cases, the wireless devices that you have configured on your network may have only supported WEP as a connection method.

Back in 2005 a group from the FBI demonstrated cracking a WEP protected network in 3 minutes. In this blog, I am going to demonstrate the same with publicaly available tools just to show how easy it is and why you should look to change if you are still using WEP.

For this, I am going to use a Raspberry PI 3 and an Alfa Network AWUS036NHA USB WiFi adapter. For around £50 you can pick up everything you need to do what I am about to do. I am going to use a real-world audit we performed recently to demonstrate this.

Step 1: Find the wireless network you plan to gain access to:

After a brief scan of networks available, we can see there is an access point running WEP. Interestingly, this network appeared to also be broadcasting an Open (but hidden) SSID – something our customer thought was completely invisible.

In order to proceed with the next step, we need some of the information being broadcast here; the BSSID and Channel (CH) – we can see that the access point we are going to be capture traffic from is running on channel 6.

Step 2: Start capturing network traffic being sent to the access point:

We have now started capturing traffic going to the network access device with a BSSID of 00:1D:AA:EF:07:30. This network appears to have several devices connected to it – which is great as the more packets we capture, the greater the chance of cracking the WEP password is going to be.

However, we are going to speed up the process with a couple of additional techniques to help fool the devices on the network to help generate the type of traffic we are looking for.

Step 3: Run the WEP cracking tool:

Whilst we are capturing packets from step 2, we can run the cracking tool at the same time to help speed up the overall process. Once we had the password cracking tool running it took, in total, 23 seconds to crack the WEP password:

We can see from the above that the key has been found. Now that we have the WEP we can safely connect to the network in question. Total time taken was less that 3 minutes.

The good news for our customer was the above helped to demonstrate this issue as part of our audit service. We then worked with the customer to help close down the doors they had open, improved security on their internal devices and set them up to follow best practice.

Hopefully this has helped you to also see why WEP is not something you should have running within your network. If you’d like us to help you understand issues within your own network and how we can help, then please get in touch.

Over the coming months I will publish more blogs on other techniques that could be used to gain access to information or cause disruption to businesses.

Not all wireless is secure

by Dean Baldwin time to read: 4 min