Wireless Equivalency Protocol (WEP) has been one of the hottesttopics in Irish news over the last few days. One of the leadingproviders of DSL in Ireland has supplied users with wireless routersprotected using WEP. What made this newsworthy is that it has emergedthat the WEP keys used to encrypt the network traffic and to controlaccess to a private network were generated using the (Service SetIdentifier) SSID. The algorithm used to generate the encryption keyshas been analyzed and a tool is freely available which allows anyonewithin range of the router to trespass on a wireless network that hasbeen secured using the default settings.
The DSL provider and media reports are advising customers that ifthey change their WEP keys, they will be safe from any trespassers ormalicious attackers trying to get onto their network. While it is truechanging the default WEP settings will mitigate this particular attackit will not make your wireless network secure.
WEP is a flawed system that can be broken within minutes by anyonewith the suitable tools and the appropriate hardware. I have verifiedthis myself in the wireless lab here in Security Response Dublin. Thetools and the hardware are readily available and this is why customersshould be advised to drop WEP altogether in favor of the more secure(WiFi Protected Access) WPA encryption standard. Instead users shouldfollow the additional instructions provided by the DSL provider toswitch to WPA. The WEP issue has been highlighted countless times inblogs and articles all over the Internet and I am hoping that, in lightof this incident, people might start to listen and drop WEP altogetherif they are concerned about the security of their wireless networks.
WEP is not secure and can only be thought of as a mere obstacle thatwill only slow down a determined attacker. WPA on the other handprovides much better security for wireless networks and is the standardthat should be adopted by everyone.