Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the (Service Set Identifier) SSID. The algorithm used to generate the encryption keys has been analyzed and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.
The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true changing the default WEP settings will mitigate this particular attack it will not make your wireless network secure.
WEP is a flawed system that can be broken within minutes by anyone with the suitable tools and the appropriate hardware. I have verified this myself in the wireless lab here in Security Response Dublin. The tools and the hardware are readily available and this is why customers should be advised to drop WEP altogether in favor of the more secure (WiFi Protected Access) WPA encryption standard. Instead users should follow the additional instructions provided by the DSL provider to switch to WPA. The WEP issue has been highlighted countless times in blogs and articles all over the Internet and I am hoping that, in light of this incident, people might start to listen and drop WEP altogether if they are concerned about the security of their wireless networks.
WEP is not secure and can only be thought of as a mere obstacle that will only slow down a determined attacker. WPA on the other hand provides much better security for wireless networks and is the standard that should be adopted by everyone.