WEP Security Improvements - How pervasive and how tight?

Tags:
  • Security
  • WEP
  • Wireless Networking
Anonymous
September 1, 2004 8:03:12 PM

Archived from groups: alt.internet.wireless (More info?)

I read recently that manufacturers of some wi-fi equipment have improved
their software so that WEP is more difficult to crack. Specifically, they
have reportedly quit sending type 4 packets (as I recall it is type 4) which
are apparently the key to WEP cracking.

Anyone know the straight scoop on this. Is this correct? How widespread
have these improvements been implemented? How to tell if implemented on
your equipment?



--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004


Anonymous
September 2, 2004 1:13:18 AM


> I read recently that manufacturers of some wi-fi equipment have improved
> their software so that WEP is more difficult to crack. Specifically, they
> have reportedly quit sending type 4 packets (as I recall it is type 4) which
> are apparently the key to WEP cracking.

I doubt it can fix the real problem. I.e. it might make it harder (10 min
instead of 5), but who cares: use WPA and forget about it.


Stefan
September 2, 2004 1:18:37 AM


"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
news:aOqZc.132114$Lj.31258@fed1read03...
> I read recently that manufacturers of some wi-fi equipment have improved
> their software so that WEP is more difficult to crack. Specifically, they
> have reportedly quit sending type 4 packets (as I recall it is type 4) which
> are apparently the key to WEP cracking.
>
> Anyone know the straight scoop on this. Is this correct? How widespread
> have these improvements been implemented? How to tell if implemented on
> your equipment?

No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
type and a 4-bit subtype field. The type field values range from 0 - 3, with
3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
So-called SSID hiding is a modification to beacon frames that nearly all
vendors support. It is claimed to be a security improvement, in that your
network id is no longer broadcast 10 times a second, but the improvement is
in fact trivial. It has nothing to do with WEP or WPA.

Anonymous
September 2, 2004 1:18:38 AM


"gary" <pleasenospam@sbcglobal.net> wrote in message
news:N0rZc.15840$Ka2.8846@newssvr22.news.prodigy.com...
> No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
> type and a 4-bit subtype field. The type field values range from 0 - 3, with
> 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
> So-called SSID hiding is a modification to beacon frames that nearly all
> vendors support. It is claimed to be a security improvement, in that your
> network id is no longer broadcast 10 times a second, but the improvement is
> in fact trivial. It has nothing to do with WEP or WPA.

The link below is an example of the reference I was recalling, and states
that "the weak IV exploit is virtually non-existent".

http://www.security-focus.com/infocus/1792

Not sure if this is but one exploit that allows WEP to be cracked.

--
Bob Alston

bobalston9 AT aol DOT com


Anonymous
September 2, 2004 1:18:39 AM


"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
news:pRsZc.132341$Lj.9128@fed1read03...
> The link below is an example of the reference I was recalling, and states
> that "the weak IV exploit is virtually non-existent".
>
> http://www.security-focus.com/infocus/1792
>
> Not sure if this is but one exploit that allows WEP to be cracked.


O'Reilly's comments:

http://www.oreillynet.com/cs/user/view/cs_msg/26023

--
Bob Alston

bobalston9 AT aol DOT com


September 2, 2004 3:53:57 AM


"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
news:pRsZc.132341$Lj.9128@fed1read03...
> The link below is an example of the reference I was recalling, and states
> that "the weak IV exploit is virtually non-existent".
>
> http://www.security-focus.com/infocus/1792
>
> Not sure if this is but one exploit that allows WEP to be cracked.

The article was a survey of security issues. It looked reasonably accurate
and complete to me. I see no reference to "type 4 packets" or even SSID
hiding. It does mention that WEP is an incorrect implementation of RC4, a
common stream cypher algorithm. The defects of the WEP implementation are
not completely curable, but there is a problem called "weak IVs" which has
been eliminated in newer chipsets. You'll probably get weak IV suppression
with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
older 802.11b devices.

If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
Problems" and not worry too much about weak IVs. Use 128-bit keys or better
if you have them (40/64 can be cracked by brute force). Change keys
reasonably often ("reasonable" depends on how much traffic you generate, and
how important security is to you). Use a wifi firewall in addition to a
regular one. For anything that *really* needs security, use independent
encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
(that is, equipment that can do AES in the wifi chipset).

Anonymous
September 2, 2004 3:53:58 AM


"gary" <pleasenospam@sbcglobal.net> wrote in message
news:pitZc.15870$TZ2.4723@newssvr22.news.prodigy.com...
> The article was a survey of security issues. It looked reasonably accurate
> and complete to me. I see no reference to "type 4 packets" or even SSID
> hiding. It does mention that WEP is an incorrect implementation of RC4, a
> common stream cypher algorithm. The defects of the WEP implementation are
> not completely curable, but there is a problem called "weak IVs" which has
> been eliminated in newer chipsets. You'll probably get weak IV suppression
> with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
> older 802.11b devices.
>
> If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
> Problems" and not worry too much about weak IVs. Use 128-bit keys or better
> if you have them (40/64 can be cracked by brute force). Change keys
> reasonably often ("reasonable" depends on how much traffic you generate, and
> how important security is to you). Use a wifi firewall in addition to a
> regular one. For anything that *really* needs security, use independent
> encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
> security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
> (that is, equipment that can do AES in the wifi chipset).

The portion of the article I was intending to refer to was the following:

"...the weak IV exploit is virtually non-existent. The manufacturers have
eliminated that issue, at least as far as I have been able to tell. I have
only been able to crack it once in the past several years and that was
because an old wireless adaptor with outdated firmware was on the system."

--
Bob Alston

bobalston9 AT aol DOT com


September 2, 2004 4:23:56 AM


"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
news:%xtZc.132398$Lj.62506@fed1read03...
> The portion of the article I was intending to refer to was the following:
>
> "...the weak IV exploit is virtually non-existent. The manufacturers have
> eliminated that issue, at least as far as I have been able to tell. I have
> only been able to crack it once in the past several years and that was
> because an old wireless adaptor with outdated firmware was on the system."

The comment you cited from the O'Reilly site says about as much as can be
said about who fixed weak IVs and by what date. Fixing weak IVs does not
eliminate all the weaknesses of WEP. The fundamental problem is that the
fixed portion of the key never changes, and the changeable part - the
Initialization Vector, or IV - is 24 bits long. After *at most* 2^24 frames,
the IV has to repeat, and therefore the keystream to encrypt the frame
repeats. Not to mention that crackers can inject known data into your
network to build a partial dictionary of IV/keystream pairs ... there are
lots of possible attacks. WPA/WPA2 are much stronger than WEP ever will be.
But WEP is perfectly useful for ordinary people who are not likely to be
targets of sustained attacks. Just use long, random hex keys and change them
fairly often.

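As an added illustration of the 24-bit IV limit gary describes above (this is constructed example code, not anything from the thread or from a vendor), the following toy model encrypts frames WEP-style with RC4 keyed by IV || secret key and shows why a repeated IV makes the secret key irrelevant; the function names, the sample key and the sample plaintexts are all made up for the demonstration, and the WEP ICV is left out.

```python
"""Toy model of the WEP IV problem: RC4 keyed with IV || secret key, a
24-bit IV sent in the clear, and what happens when an IV repeats.
Constructed example, not code from the thread."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 2^24 = 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then plaintext XOR
    RC4(IV || secret). The ICV that real WEP appends is omitted."""
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    iv_bytes = iv.to_bytes(3, "little")
    ks = rc4_keystream(iv_bytes + secret, len(plaintext))
    return iv_bytes + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the same per-frame key from the clear IV."""
    ks = rc4_keystream(frame[:3] + secret, len(frame) - 3)
    return bytes(c ^ k for c, k in zip(frame[3:], ks))


def xor_of_frames_with_same_iv(frame_a: bytes, frame_b: bytes) -> bytes:
    """Both frames used the same keystream, so c_a XOR c_b equals
    p_a XOR p_b and the secret key plays no part in the result."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, different keystreams")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def keystream_cancels(secret: bytes, iv: int, p_a: bytes, p_b: bytes) -> bool:
    """Encrypt two frames under one IV and check c_a ^ c_b == p_a ^ p_b."""
    c_a = wep_encrypt(secret, iv, p_a)
    c_b = wep_encrypt(secret, iv, p_b)
    expected = bytes(a ^ b for a, b in zip(p_a, p_b))
    return xor_of_frames_with_same_iv(c_a, c_b) == expected


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that `frames` randomly chosen 24-bit IVs
    contain at least one repeat, 1 - exp(-n(n-1) / (2 * 2^24))."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def hours_until_counter_wraps(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """A sequential IV counter is guaranteed to wrap after 2^iv_bits frames."""
    return (1 << iv_bits) / frames_per_second / 3600.0


# Constructed demonstration values, not captured traffic.
SECRET = bytes.fromhex("0123456789abcdef0123456789")   # 13-byte (104-bit) key
P1 = b"GET /index.html HTTP/1.0"
P2 = b"PUT /upload.dat HTTP/1.0"

if __name__ == "__main__":
    frame = wep_encrypt(SECRET, 0x00ABCD, P1)
    print("round trip ok:", wep_decrypt(SECRET, frame) == P1)
    print("same IV twice cancels the keystream:",
          keystream_cancels(SECRET, 0x00ABCD, P1, P2))
    print("P(IV repeat) after 4096 random IVs: %.2f" % iv_collision_probability(4096))
    print("24-bit counter wraps after %.1f h at 300 frames/s" % hours_until_counter_wraps(300))
    print("48-bit counter (TKIP size) at 300 frames/s: %.2e h" % hours_until_counter_wraps(300, 48))
```

The 300 frames/s rate is the figure quoted later in this thread; at that rate a sequential 24-bit counter wraps in about 15.5 hours, while the 48-bit counter that TKIP uses would take on the order of 10^8 hours.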
Anonymous
September 2, 2004 8:31:01 AM


On Wed, 01 Sep 2004 21:18:37 GMT, "gary" <pleasenospam@sbcglobal.net>
wrote:

>No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
>type and a 4-bit subtype field. The type field values range from 0 - 3, with
>3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
>So-called SSID hiding is a modification to beacon frames that nearly all
>vendors support. It is claimed to be a security improvement, in that your
>network id is no longer broadcast 10 times a second, but the improvement is
>in fact trivial. It has nothing to do with WEP or WPA.

Agreed. A bit more detail plagiarized from:
802.11 7.1.3.1

Table 1: Valid type and subtype combinations

Type value  Type         Subtype value  Subtype description
(b3 b2)     description  (b7 b6 b5 b4)
00          Management   0000           Association request
00          Management   0001           Association response
00          Management   0010           Reassociation request
00          Management   0011           Reassociation response
00          Management   0100           Probe request
00          Management   0101           Probe response
00          Management   0110–0111      Reserved
00          Management   1000           Beacon
00          Management   1001           Announcement traffic indication message (ATIM)
00          Management   1010           Disassociation
00          Management   1011           Authentication
00          Management   1100           Deauthentication
00          Management   1101–1111      Reserved
01          Control      0000–1001      Reserved
01          Control      1010           Power Save (PS)-Poll
01          Control      1011           Request To Send (RTS)
01          Control      1100           Clear To Send (CTS)
01          Control      1101           Acknowledgment (ACK)
01          Control      1110           Contention-Free (CF)-End
01          Control      1111           CF-End + CF-Ack
10          Data         0000           Data
10          Data         0001           Data + CF-Ack
10          Data         0010           Data + CF-Poll
10          Data         0011           Data + CF-Ack + CF-Poll
10          Data         0100           Null function (no data)
10          Data         0101           CF-Ack (no data)
10          Data         0110           CF-Poll (no data)
10          Data         0111           CF-Ack + CF-Poll (no data)
10          Data         1000–1111      Reserved
11          Reserved     0000–1111      Reserved

Notice that there's no such thing as a WEP frame or "Type 4" packet.

That's because *EVERY* management and data frame is preceded by a WEP
key frame. It's described in excruciating detail in 802.11 8.1. I
don't see anything that can be deleted to make it more difficult to
crack. Basically, AirSnort, WEPCrack, and others collect the WEP 24-bit
initialization vectors looking for a pattern.

Oh, I see the confusion. Initialization Vector is often acronymified
as "IV" which is Roman numeral 4. Maybe that's where the type 4
stuff came from?


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# jeffl@comix.santa-cruz.ca.us
# 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
Anonymous
September 2, 2004 8:36:39 AM


On Wed, 1 Sep 2004 18:23:12 -0500, "Bob Alston"
<bobalston9NOSPAM@aol.com> wrote:


>The link below is an example of the reference I was recalling, and states
>that "the weak IV exploit is virtually non-existent".
>
>http://www.security-focus.com/infocus/1792
>
>Not sure if this is but one exploit that allows WEP to be cracked.

Here's a good article on how WEP works:
http://www.wi-fiplanet.com/tutorials/article.php/210628...

The problem is that the IV (initialization vector) tends to get
re-used. One of the fixes in WPA is TKIP, which increases the size of
the initialization vector from 24 to 48 bits, and makes sure it doesn't
get re-used.
http://www.wi-fiplanet.com/tutorials/article.php/214872...

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# jeffl@comix.santa-cruz.ca.us
# 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
Anonymous
September 2, 2004 11:13:49 AM


>I doubt it can fix the real problem. I.e. it might make it harder (10min
>instead of 5), but who cares: use WPA and forget about it,

A lot of people use 802.11b equipment which only offers WEP support.
Completely changing all hardware on a WLAN might not be the first
option for everyone. We are not about to shell out around $1700 for 15
new NICs and two APs.

/Jan
Anonymous
September 2, 2004 2:28:45 PM


First of all, is WEP vulnerable? Yes. The real question is how
vulnerable.

For the average home use environment, implementing WEP is more than
sufficient to protect a network as long as firmware has been kept up
to date. The manufacturers have made the IV (intercept vector)
vulnerability almost obsolete. Two years ago with Cisco access points
I tried to crack a WEP key using the airsnort program and in 16 hours
of testing with an access point sending and receiving packets at a
rate of 300 per second we caught less than 100 weak packets. The
estimate is that 3000 to 9000 weak packets are needed to crack a
single WEP key.

In my opinion the only reason that anyone is still harping about WEP
being weak is that they are usually trying to sell you a very
expensive solution to a problem that doesn't exist.

The bigger threat to most any network is going to be the wired connection.
A wireless connection requires the hacker be within range to capture
traffic or to connect to a network. A wired connection can be hacked
from anywhere in the world.



"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message news:<aOqZc.132114$Lj.31258@fed1read03>...
> I read recently that manufacturers of some wi-fi equipment have improved
> their software so that WEP is more difficult to crack. Specifically, they
> have reportedly quit sending type 4 packets (as I recall it is type 4) which
> are apparently the key to WEP cracking.
>
> Anyone know the straight scoop on this. Is this correct? How widespread
> have these improvements been implemented? How to tell if implemented on
> your equipment?
Anonymous
September 2, 2004 6:14:40 PM


Taking a moment's reflection, Jan Bachman mused:
|
| We are not about to shell out around $1700 for 15
| new NIC's and two AP's.

So, how much is your data worth?
September 2, 2004 9:27:49 PM


"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:tg7dj0pet49d503lev6v24sep23lee0rd2@4ax.com...
>
> Agreed. A bit more detail plagiarized from:
> 802.11 7.1.3.1
>
> Table 1: Valid type and subtype combinations
>
> Type value  Type         Subtype value  Subtype description
> (b3 b2)     description  (b7 b6 b5 b4)
> 00          Management   0000           Association request
> 00          Management   0001           Association response
> 00          Management   0010           Reassociation request
> 00          Management   0011           Reassociation response
> 00          Management   0100           Probe request
> 00          Management   0101           Probe response
> 00          Management   0110-0111      Reserved
> 00          Management   1000           Beacon
> 00          Management   1001           Announcement traffic indication message (ATIM)
> 00          Management   1010           Disassociation
> 00          Management   1011           Authentication
> 00          Management   1100           Deauthentication
> 00          Management   1101-1111      Reserved
> 01          Control      0000-1001      Reserved
> 01          Control      1010           Power Save (PS)-Poll
> 01          Control      1011           Request To Send (RTS)
> 01          Control      1100           Clear To Send (CTS)
> 01          Control      1101           Acknowledgment (ACK)
> 01          Control      1110           Contention-Free (CF)-End
> 01          Control      1111           CF-End + CF-Ack
> 10          Data         0000           Data
> 10          Data         0001           Data + CF-Ack
> 10          Data         0010           Data + CF-Poll
> 10          Data         0011           Data + CF-Ack + CF-Poll
> 10          Data         0100           Null function (no data)
> 10          Data         0101           CF-Ack (no data)
> 10          Data         0110           CF-Poll (no data)
> 10          Data         0111           CF-Ack + CF-Poll (no data)
> 10          Data         1000-1111      Reserved
> 11          Reserved     0000-1111      Reserved
>
> Notice that there's no such thing as a WEP frame or "Type 4" packet.
>
> That's because *EVERY* management and data frame is preceded by a WEP
> key frame. It's described in excruciating detail in 802.11 8.1. I
> don't see anything that can be deleted to make it more difficult to
> crack. Basically, AirSnort, WEPCrack, and others collect the WEP 24-bit
> initialization vectors looking for a pattern.
>
> Oh, I see the confusion. Initialization Vector is often acronymified
> as "IV" which is Roman numeral 4. Maybe that's where the type 4
> stuff came from?

Yes, I think you're right. Don't know why I didn't see it. Also, the Beacon
frame is subtype 8, and the Probe is subtype 4, so my suggestion about the
Beacon was based on a misreading anyway. Probes of course have to have the
SSID in them.

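As an added example (constructed for this page, not code from the thread or from any 802.11 vendor), here is a small decoder for the 802.11 Frame Control byte using the table Jeff posted and gary's correction above: Beacon is subtype 8, Probe request subtype 4, and the two-bit type field cannot encode a "type 4" at all. The function names and the sample Frame Control values are my own.

```python
"""Decode the 802.11 Frame Control field into the type/subtype names from
the table above (IEEE 802.11 clause 7.1.3.1). Constructed example."""

# Subtype names transcribed from the table; reserved ranges are left out
# and fall back to "Reserved" in the lookup below.
MANAGEMENT = {0: "Association request", 1: "Association response",
              2: "Reassociation request", 3: "Reassociation response",
              4: "Probe request", 5: "Probe response", 8: "Beacon",
              9: "ATIM", 10: "Disassociation", 11: "Authentication",
              12: "Deauthentication"}
CONTROL = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK",
           14: "CF-End", 15: "CF-End + CF-Ack"}
DATA = {0: "Data", 1: "Data + CF-Ack", 2: "Data + CF-Poll",
        3: "Data + CF-Ack + CF-Poll", 4: "Null function (no data)",
        5: "CF-Ack (no data)", 6: "CF-Poll (no data)",
        7: "CF-Ack + CF-Poll (no data)"}
TYPES = {0: ("Management", MANAGEMENT), 1: ("Control", CONTROL),
         2: ("Data", DATA), 3: ("Reserved", {})}


def decode_frame_control(fc: bytes) -> dict:
    """Split the two-byte Frame Control field into its named fields.
    First byte, low bit first: b1 b0 = protocol version, b3 b2 = type,
    b7..b4 = subtype, matching the column headings in the table."""
    if len(fc) < 2:
        raise ValueError("Frame Control is two bytes")
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    type_name, table = TYPES[ftype]
    return {
        "version": b0 & 0x3,
        "type": ftype,
        "type_name": type_name,
        "subtype": subtype,
        "subtype_name": table.get(subtype, "Reserved"),
        # Bit 6 of the second byte is the Protected (WEP) flag: WEP is a
        # property of an individual frame, not a frame type of its own.
        "protected": bool(b1 & 0x40),
    }


def frame_type_exists(ftype: int) -> bool:
    """The type field is two bits wide, so only 0..3 can be encoded."""
    return 0 <= ftype <= 3


# Constructed sample Frame Control values, not captured traffic.
SAMPLES = {
    "beacon": bytes([0x80, 0x00]),         # type 0, subtype 8
    "probe_request": bytes([0x40, 0x00]),  # type 0, subtype 4
    "wep_data": bytes([0x08, 0x41]),       # type 2, subtype 0, To-DS + Protected
    "ack": bytes([0xD4, 0x00]),            # type 1, subtype 13
}

if __name__ == "__main__":
    for name, fc in SAMPLES.items():
        d = decode_frame_control(fc)
        print(f"{name:14s} type {d['type']} ({d['type_name']}) "
              f"subtype {d['subtype']:2d} ({d['subtype_name']}) "
              f"protected={d['protected']}")
    print("a 'type 4' frame can be encoded:", frame_type_exists(4))
```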
Anonymous
September 3, 2004 12:00:30 AM


> So, how much is your data worth?

It's a shared internet connection between apartments.
We have no shared data or server.
Security is defined as the user's problem.

/Jan
Anonymous
September 3, 2004 7:51:02 AM


Taking a moment's reflection, Jan Bachman mused:
|
| It's a shared internet connection between apartments.
| We have no shared data or server.
| Security is defined as the user's problem.

So, how does the user secure himself when the infrastructure is weak?
Anonymous
September 3, 2004 12:18:00 PM


>| It's a shared internet connection between apartments.
>| We have no shared data or server.
>| Security is defined as the user's problem.
>
> So, how does the user secure himself when the infrastructure is weak?
>
Personal firewall, antivirus and anti-spyware.

There is of course a danger, if the network has been compromised, and
the users are sending passwords to whatever in plain-text across the
network.

I change the WEP key monthly. So far I have seen no suspicious traffic
on the network, besides some eDonkey activity which was dealt with,
as filesharing is against our policy.

/Jan
Anonymous
September 3, 2004 1:52:07 PM

On Thu, 02 Sep 2004 00:23:56 GMT, "gary" <pleasenospam@sbcglobal.net>
wrote:

>But WEP is perfectly useful for ordinary people who are not likely to be
>targets of sustained attacks. Just use long, random hex keys and change them
>fairly often.

Speaking as a home user without anything of vast importance to protect
(but nevertheless not wishing to be an easy target) I currently use
128-bit WEP. However the key I use is generated by a passphrase from
which the native GUI creates the key. Does this strengthen, weaken or
make no difference to my overall security? The resulting key is
certainly gibberish to the human eye but might a hacker have the
ability to reverse engineer whatever process the GUI used to create
the key in the first place?

Also, presumably different manufacturers have different methods of
generating the key from passphrases? When I first got my wireless
equipment my neighbour gave me the passphrase to his own network to
share some files. However nothing I did allowed a successful
connection between my laptop and his network. At the time as a
complete newbie I had no real ideas and nor did he, but since
connecting to my own network was not a problem we never really
investigated properly. Looking back I think different WEP keys
(because his passphrase generated a different key on my Netgear
equipment than on his US Robotics equipment) were one of two possible
problems.

Anyone know how much more of a processing overhead exists with WPA?
Anonymous
September 4, 2004 9:50:31 AM

Taking a moment's reflection, Jan Bachman mused:
|
| I change the WEP key monthly. So far I have seen no suspicious traffic
| on the network, besides some eDonkey activity which was dealt with,
| as filesharing is against our policy.

You are aware that someone doesn't have to be connected to your network
directly in order to compromise user security, right? Firewall, antivirus,
and anti-spyware won't keep someone from sniffing packets. If you have
several users on the network, the key likely can be broken by someone within
a week ... let alone a month.
Anonymous
September 4, 2004 6:33:28 PM

>You are aware that someone doesn't have to be connected to your network
>directly in order to compromise user security, right?

Yes.

>Firewall, antivirus, and anti-spyware won't keep someone from sniffing packets.

True.

>If you have several users on the network, the key likely can be broken by someone within
>a week ... let alone a month.

That is the situation. I would welcome moving to WPA, but that is
sadly not an option right now for economic reasons.

We choose to gamble that no one in the vicinity is persistent enough
to cause us problems. Surely a kid with AirSnort will break the WEP.
He will play around, tell his friends, download some porn, look for
shared files and find none, and then leave. Staying around in the back
unnoticed sniffing every packet searching for something really useful
with regard to theft or fraud takes someone with bad intent indeed.
That someone is hopefully not living next to us. I have seen no people
with laptops in the bushes either :-)

I just hope we're not being too naive about this.

/Jan
Anonymous
September 4, 2004 7:11:33 PM

>> Firewall, antivirus, and anti-spyware won't keep someone from sniffing
>> packets

MHI:

A switch will block unicasts, which severely reduces the value of packet
sniffing.
Anonymous
September 5, 2004 2:14:10 AM

Taking a moment's reflection, CZ mused:
|
| A switch will block unicasts, which severely reduces the value of packet
| sniffing.

Save that, within a confined area (say a building complex), all the
wireless packets are floating around available for capture anyway.
Anonymous
September 5, 2004 2:17:17 AM

Taking a moment's reflection, Jan Bachman mused:
|
| I just hope we're not being too naive about this.

I guess that's the crux. People think they aren't big targets because
they don't have anything worthwhile on their systems. But, many people use
online banking, or e-commerce. All it takes is the right combination of
packets sent to an unsecured merchant site, and a casual packet sniffer, who
has broken your WEP key, potentially has the user's bank information/credit
card data. Also consider that, from your description, everyone using the
network uses the same WEP key ... so there's no real protection from someone
on the network sniffing others.
Anonymous
September 5, 2004 2:17:18 AM

"mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailSPäM.com> wrote in message
news:N9r_c.35666$_g7.25040@attbi_s52...
> Taking a moment's reflection, Jan Bachman mused:
> |
> | I just hope we're not being too naive about this.
>
> I guess that's the crux. People think they aren't big targets because
> they don't have anything worthwhile on their systems. But, many people use
> online banking, or e-commerce. All it takes is the right combination of
> packets sent to an unsecured merchant site, and a casual packet sniffer, who
> has broken your WEP key, potentially has the user's bank information/credit
> card data. Also consider that, from your description, everyone using the
> network uses the same WEP key ... so there's no real protection from someone
> on the network sniffing others.
>
>
Having started this thread I thought I would add in a "closer". My point is
that with the software improvements in AP and clients of the past two years,
people using up to date hardware and firmware with WEP should have virtually
no exposure to cracking due to elimination of the "weak IV" packets. It
appears that is a key to the cracking approach I have read about. Beyond
that I read that brute force takes a lot of time with a 128-bit key.

And as several have said, probably not very much focus on cracking a home
network.

One final note, while such cracking even with weak IV packets can be done
fairly easily, it takes Linux, a laptop and some time. That certainly rules
out a lot of people who don't have or won't bother.

Would be interesting to hear about people who have a home WAP with WEP and
who HAVE been hacked. So if this has happened to you, please report in.

--
Bob Alston

bobalston9 AT aol DOT com

Anonymous
September 5, 2004 3:13:52 PM

Bob Alston <bobalston9NOSPAM@aol.com> wrote:

> Having started this thread I thought I would add in a "closer". My point is
> that with the software improvements in AP and clients of the past two years,
> people using up to date hardware and firmware with WEP should have virtually
> no exposure to cracking due to elimination of the "weak IV" packets.

IIRC, vendors started shipping wireless equipment that included "WEPplus"
(weak IV filtering) in late 2001; nowadays all WEP implementations I know of
have this countermeasure built-in, and thus make the so-called "standard FMS"
attack (used by AirSnort) useless.

However, there are other attacks on WEP not described in the FMS paper that
are quite successful even when there are 0 weak IVs amongst the N million
IVs you've collected - search Google for korek+attacks.

> One final note, while such cracking even with weak IV packets can be done
> fairly easily, it takes Linux, a laptop and some time. That certainly rules
> out a lot of people who don't have or won't bother.

Indeed, wep cracking is not an instant process - it usually takes hours to
gather enough packets.
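As an added illustration, not code from any poster in this thread: Jeff's point that every protected frame carries its 24-bit IV in the clear, and Christophe's point that the key shared by every user is what makes the packets worth gathering, can both be checked from the defender's side by pulling the IV out of captured data frames and counting how often it repeats under the same key. The frame layout, BSSID and station addresses below are constructed assumptions, not a real capture.

```python
from collections import defaultdict

# Constructed frame layout (assumption, not a real capture): 24-byte 802.11 MAC
# header, then the WEP header (3 IV bytes + key-id byte), then ciphertext.
AP_BSSID = b"\x00\x11\x22\x33\x44\x55"                  # constructed

def build_wep_frame(transmitter: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Construct a protected data frame with addr2 = transmitter."""
    fc = bytes([0x08, 0x41])  # type=data; flags To-DS (0x01) | Protected (0x40)
    header = fc + b"\x00\x00" + AP_BSSID + transmitter + AP_BSSID + b"\x00\x00"
    return header + iv + bytes([key_id << 6]) + b"\x00" * 8  # dummy ciphertext

def parse_wep_iv(frame: bytes):
    """(transmitter, iv, key_id) for a protected data frame, else None."""
    if len(frame) < 28 or (frame[0] >> 2) & 0x3 != 2 or not frame[1] & 0x40:
        return None  # too short, not a data frame, or Protected bit clear
    return frame[10:16], frame[24:27], frame[27] >> 6

def audit_iv_reuse(frames):
    """Count IVs repeated under each key id, attributed to the transmitter.

    With one key shared by every user, an IV repeated by *any* station
    repeats the RC4 keystream, so seen IVs are tracked per key, not per
    station. Returns ({transmitter: repeats}, protected_frame_count).
    """
    seen = defaultdict(set)      # key_id -> IVs observed so far
    repeats = defaultdict(int)   # transmitter -> reused-IV count
    protected = 0
    for frame in frames:
        parsed = parse_wep_iv(frame)
        if parsed is None:
            continue
        tx, iv, key_id = parsed
        protected += 1
        if iv in seen[key_id]:
            repeats[tx] += 1
        seen[key_id].add(iv)
    return dict(repeats), protected

STA_A = b"\x00\xaa\xaa\xaa\xaa\x01"  # constructed station addresses
STA_B = b"\x00\xbb\xbb\xbb\xbb\x02"
SAMPLE_FRAMES = [
    build_wep_frame(STA_A, b"\x00\x00\x01"),
    build_wep_frame(STA_A, b"\x00\x00\x02"),
    build_wep_frame(STA_B, b"\x00\x00\x03"),
    build_wep_frame(STA_A, b"\x00\x00\x01"),  # A repeats its own IV
    build_wep_frame(STA_B, b"\x00\x00\x02"),  # B reuses an IV A already used
    bytes([0x08, 0x01]) + b"\x00" * 26,       # unprotected data frame, skipped
]
```

Because the IV space is only 2^24 (about 16.8 million values) and is shared by every station on the key, a busy network starts repeating IVs within hours, which is why rotating the key monthly does not change the picture.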
Anonymous
September 5, 2004 3:13:53 PM

"Christophe Devine" <devine@iie.cnam.fr> wrote in message
news:chesdf$2uff$1@biggoron.nerim.net...
> Bob Alston <bobalston9NOSPAM@aol.com> wrote:
>
>> Having started this thread I thought I would add in a "closer". My point is
>> that with the software improvements in AP and clients of the past two years,
>> people using up to date hardware and firmware with WEP should have virtually
>> no exposure to cracking due to elimination of the "weak IV" packets.
>
> IIRC, vendors started shipping wireless equipment that included "WEPplus"
> (weak IV filtering) in late 2001; nowadays all WEP implementations I know of
> have this countermeasure built-in, and thus make the so-called "standard FMS"
> attack (used by AirSnort) useless.
>
> However, there are other attacks on WEP not described in the FMS paper that
> are quite successful even when there are 0 weak IVs amongst the N million
> IVs you've collected - search Google for korek+attacks.
>
>> One final note, while such cracking even with weak IV packets can be done
>> fairly easily, it takes Linux, a laptop and some time. That certainly rules
>> out a lot of people who don't have or won't bother.
>
> Indeed, wep cracking is not an instant process - it usually takes hours to
> gather enough packets.
>
>
Thanks for the reference to Korek. Interesting stuff. I had not seen
anything on it previously.

--
Bob Alston

bobalston9 AT aol DOT com

Anonymous
September 6, 2004 1:39:56 AM

Taking a moment's reflection, Christophe Devine mused:
|
| Indeed, wep cracking is not an instant process - it usually takes hours to
| gather enough packets.

Indeed. Though consider that due to the range of APs, someone doesn't
necessarily have to sit in their car on the street for hours collecting
packets. They can do it from their office, their living room, or their
garage. It takes no intervention from the user to sniff packets ... just
set up the software, leave the computer running, and come back and check it
periodically.

Sure it takes Linux, for now, but you can easily download it ... and
anyone interested can do it. Perhaps the mere sight of 3 or 4 other wireless
networks in a person's immediate area is enough of a prompt to get them to
"check into it." Certainly one might be more tempted if they knew that
everyone else in their building was on the same wireless network using the
same WEP key.