Monday, December 9, 2013

Hackable Home Wireless Networks - 14 years later

By Tony Lee

Happy Birthday WEP!  A little belated wish, but still an important milestone in home wireless network security.  After many years of insecurity, you would think that the lack of wireless security afforded to the average home user has been resolved, right?  Well, not exactly.  Statistically speaking, WEP is still alive and well today--14 years after its inception--10 years after it was superseded by a stronger alternative for wireless protection.  But why?  Let’s answer a few questions and expose some common myths about the most common protection afforded to U.S. home wireless networks.

What is WEP?
Wired Equivalent Privacy is a wireless security protocol that was ratified in September of 1999.  Happy 14th birthday!  The WEP protocol was originally designed to protect your data as it travels over the airwaves when using 802.11 wireless networks.  Unfortunately, its cryptographic implementation is plagued with substantial security flaws and was deprecated in 2004.  It has been replaced with a new standard called Wi-Fi Protected Access Pre-shared Key (WPA-PSK).

How widespread is WEP usage?
WiGLE (Wireless Geographic Logging Engine) may be one of the best resources for wireless encryption statistics that is freely available on the web.  It utilizes wardriving data from volunteers around the globe to discover, collect, parse, and plot wireless network information for public consumption.  The tables below (as of Sept. 2013) summarize wireless crypto data across the world as well as just within the U.S.

World-wide Stats:
Total wireless networks in database:


US Cryptographic Stats:
Total US wireless networks in database:
40,919,320 (38.400%)


Notice that the US is lagging behind the rest of the world in terms of secure wireless adoption.  The rest of the world has embraced WPA2 as the leading standard while WEP is still the most popular here in the US.  In fact, unencrypted networks (as indicated by “None” in the tables above) are more popular in the U.S. than networks using the WPA2 protocol.

How do I know if my home network is protected by WEP?
To see what encryption your network is using, you can click the Wireless bars icon in the system tray (typically bottom right hand corner of your screen) and hover your mouse over your home wireless network as shown in the screenshot below.  If it says “Security Type:  WEP” or worse - None / Open then this article is applicable to you.  Even if it isn’t applicable to you, it is most likely applicable to some of your friends and family--so pass it on.

Now that you know what WEP is and if you are using it, let’s cover some common myths.

WEP Myths
My home wireless network requires a password: therefore it is safe.
While requiring a password to access a wireless network is better than leaving it open to unauthenticated users, it does not prevent even a novice hacker from breaking into the network if it is WEP protected.

My Internet Service Provider (ISP) securely set up my wireless network.
This is an unfortunate myth, as many ISPs and equipment manufacturers still default to WEP protected networks.  In fact, if you are using one of the largest ISPs and they performed your install or you picked up an install kit, your network is most likely using this antiquated wireless protection.

A perfect example of these bad practices is an Actiontec networking guide for their MI424WR router that condones the use of WEP by stating:

“The weaknesses of wireless security are more theoretical than practical.  Wireless networks protect their data through the Wired Equivalent Privacy (WEP) encryption standard which is enabled by default on your Verizon FIOS Router.  WEP makes wireless communications reasonably as safe as wired ones.”

In addition to equipment defaulting to WEP, the technicians either do not have a standard install process or it is not always followed.  Personal experience indicates that the encryption chosen by the installers depends on their knowledge and personal preference rather than a standard process.

Fortunately ISPs and hardware manufacturers are slowly changing.  Verizon’s latest routers are finally shipping with WPA as the default, but for those who do not have the latest routers, you may need to change your security manually.

Default Encryption
D-Link VDI-624 Wireless
Actiontec MI424WR Wireless
Verizon 9100EM or 9100VM
Verizon MI424WR
Verizon MI424WR rev G
Verizon MI424WR rev. I

These are just a couple of examples.  Hardware and ISPs vary and will need to be investigated on a case by case basis.  You will have to perform due diligence as this has been neglected for a very long time.

The hardware required to break into my wireless network is too expensive and hard to obtain.
While this may have been true 7-10 years ago, it is not true anymore.  In fact, ordinary laptops are powerful enough to easily crack WEP keys--the information needed to access the network.  A very capable USB wireless adapter that can be used for wireless hacking is available online for just $16 with free shipping.  Lastly, the operating system needed to perform this wireless attack is freely available for download from the Internet.

The time and skills required to break into my wireless network are more than an attacker would spend.
A well-versed attacker can break WEP protection in just 5-10 minutes.  Even a novice Linux user could stumble through it in less than an hour after following any of the numerous tutorials and YouTube videos available on the Internet.

No one wants to break into my wireless network. I don’t do anything important on my computer.
Attackers do not necessarily break into networks for malicious intent--sometimes it is just boredom, curiosity, or a challenge they are seeking.  However, keep in mind, the moral compass is not always functional for all individuals.  For those of you that do not believe you do anything important on your computer, you may be surprised at how much you rely on it for day-to-day activities.  Do you pay bills, check your investment accounts, your bank, or your email?  If you answered yes, you have something to lose--whether that is money, privacy, or both.

My computers are patched and the firewalls are enabled, therefore an attacker on my network cannot harm me.
Even if your computers are patched and firewalled, an attacker can still perform a man-in-the-middle attack and intercept your communication.  This attack involves tricking a victim into routing their traffic through the attacker’s computer.  In most cases, even encrypted traffic can be intercepted by the attacker for inspection.  You will most likely not even notice any strange behavior; however, this attack enables invaders not only to obtain your data but also your credentials needed to continually authenticate to your bank, email, and other password-protected systems.

I will notice if an attacker is close enough to my house to be able to get on the wireless network.
Inexpensive antennas can be purchased or easily assembled to increase the wireless gain enough to produce a usable wireless signal from blocks away.  You will not even see the attacker or the vehicle they are sitting in while they are breaking into your network.  In fact, there are numerous instances in which neighbors/strangers have used poorly protected networks in order to perform reprehensible acts such as downloading child pornography.  One such instance in January 2013 involved agents raiding the wrong home in Palm Bay, Florida for allegedly accessing child pornography only to later learn that it was the next door neighbor, Juan Gonzalez, who admitted using the neighbor's wireless for such acts.

So, my home network is using WEP.  What do I do now?
You should change the settings in your wireless access point to use WPA-PSK, but keep in mind that this will also require changing the wireless settings on each device that connects to your home wireless network (desktops, laptops, tablets, video game consoles, smart TVs, phones, and maybe even appliances) to use WPA-PSK as well.  You may be able to search your ISP's website for instructions to change the encryption to WPA-PSK or you may be able to call their help desk and have them guide you through such a process.  Either way, dedicate some time to it or go find the neighborhood or family IT guru and buy him or her lunch.

Example resources:

What are the best practice recommendations in setting up WPA-PSK?
When deciding between TKIP and AES encryption, always choose AES encryption--provided that all of your wireless devices support it.  TKIP was a stop gap measure while companies were developing more robust hardware to support the stronger AES encryption.  Additionally, the most viable attack against WPA-PSK is an off-line brute force attack so make sure the pre-shared key that you select is long and sufficiently complex.  Pro-tip:  Instead of complicated and often-abbreviated passwords, just use a passphrase.

For example, in the past we have heard that a good way to create a complex password was to use the first letter of each word in a sentence.  The sentence “Please Do Not Hack My Wireless Network!” would yield a password of "PDNHMWN!".

Example password:  PDNHMWN!
Example passphrase:  “Please Do Not Hack My Wireless Network!”

The passphrase is an impressive 39 characters including the spaces, while the password is only 8 characters total.  Not only is the password hard to remember and type, but it is also susceptible to a brute force attack.  To create a very strong wireless password, the best recommendation is to use the passphrase--which can be a whole sentence.
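
To put numbers on this comparison, the following added example (not part of the original article) derives the WPA-PSK master key as the 802.11i standard specifies (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output) and estimates the search space for the article's password and passphrase.  The 95-character alphabet, the 10,000-word vocabulary and the SSID "HomeNet" are assumptions chosen for illustration.

```python
import hashlib
import math

PASSWORD = "PDNHMWN!"                                    # from the article
PASSPHRASE = "Please Do Not Hack My Wireless Network!"   # from the article

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    # The SSID is the salt, so the same passphrase yields a different key
    # on every network name and precomputed tables only fit one SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_bits(secret: str, alphabet: int = 95) -> float:
    """Work (in bits) to try every printable-ASCII string of this length.
    This is an upper bound: it assumes every character is chosen at random."""
    return len(secret) * math.log2(alphabet)

def wordlist_bits(secret: str, vocabulary: int = 10_000) -> float:
    """Work (in bits) if the guesser tries whole words instead of characters.
    The vocabulary size is an assumption; a famous quote would rate far lower."""
    return len(secret.split()) * math.log2(vocabulary)

def compare(password: str, passphrase: str) -> dict:
    """Summarise the offline guessing work for both secrets."""
    return {
        "password_bits": round(charset_bits(password), 1),
        "passphrase_bits_charset": round(charset_bits(passphrase), 1),
        "passphrase_bits_wordlist": round(wordlist_bits(passphrase), 1),
    }

if __name__ == "__main__":
    for name, bits in compare(PASSWORD, PASSPHRASE).items():
        print(f"{name:26s} {bits:6.1f} bits")
    # "HomeNet" and "OtherNet" are constructed SSIDs for the demonstration.
    for ssid in ("HomeNet", "OtherNet"):
        print(ssid, wpa_pmk(PASSPHRASE, ssid).hex()[:16], "...")
```

Even under the word-by-word model, which is the more realistic one for a sentence made of ordinary words, the passphrase leaves far more work for an offline guesser than the 8-character password does.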

The hope in writing this article is that it once again raises awareness and brings to light the fact that WEP (and unencrypted networks) are still so widely used--even today--especially in the U.S.  This practice can be ended through increasing user awareness and challenging all ISPs and equipment manufacturers to stop encouraging the use of WEP, which was deprecated and replaced 10 years ago.  We are making good strides (ex:  Verizon’s ActionTec MI424WR Rev 1), but we still have a long way to go.

Special Thanks To
Bill Hau
Dan Dumond
Dennis Hanzlik
Rudolph Araujo
