
Cracking WEP encryption
For a while on my home network, ever since I got my wireless router, I had been using WEP, or Wired Equivalent Privacy. Basically, you enter a key into the router, and then enter that same key on every computer that is going to use the WEP-enabled router. I cranked the encryption up to 128-bit, and entered a 26-character series of numbers as the key.
Now, I had thought that this would be sufficiently secure, but today I decided to see if I could hack into my own wireless connection...
The way WEP works is that it encrypts transmissions with a stream of pseudo-random numbers (a keystream). That keystream is essentially derived from the key that you provide. Encrypted messages are sent along with a 24-bit initialization vector (IV), which is sent in the clear. The clients use the initialization vector in combination with the WEP key that you entered in order to decrypt the rest of the message. The trouble is that, due to the design of WEP, every once in a while a weak initialization vector will be used, and part of the original key can be determined from the vector. Since the IVs are sent in the clear, if you gather enough of them, you can determine the entire WEP key.
Now, the odds of a packet having a weak IV, one weak enough to determine one bit of the original key, are about 1:1000. So if you collect enough packets, you can determine the key being used for WEP. For 128-bit WEP, this means collecting about 128,000 packets (in a perfect world). Realistically, it can take a lot more.
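To make the design described above concrete, here is a small model of WEP's per-packet encryption in Python. It is example code added for this page, not KisMAC's code and not anything from the original post. It implements RC4 (the cipher WEP uses), builds the per-packet key the way WEP does (the 24-bit IV prepended to the secret key), and shows two consequences of sending the IV in the clear with a fixed key: the keystream depends only on IV and key, so any two frames that repeat an IV share a keystream and XORing them cancels it; and with only 2^24 possible IVs a repeat becomes likely after a few thousand frames. The key, IV and payloads are constructed values; the CRC-32 integrity check that real WEP appends is omitted for brevity, and the weak-IV key recovery the post describes is not implemented.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible initialization vectors


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key-scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same XOR operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute the state array using the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA: one keystream byte per data byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Model of a WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR payload.
    The CRC-32 ICV that real WEP appends to the payload is omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(key) not in (5, 13):
        raise ValueError("WEP secret keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    per_packet_key = iv + key  # the only thing that changes between frames is the IV
    return iv + rc4(per_packet_key, plaintext)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the clear IV, rebuild IV || key, strip the keystream."""
    iv, body = frame[:3], frame[3:]
    return rc4(iv + key, body)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same key with the same IV share a keystream, so
    C_a XOR C_b == P_a XOR P_b: the keystream cancels without knowing the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames carry different IVs, so their keystreams differ")
    return xor_bytes(frame_a[3:], frame_b[3:])


def packets_for_collision_probability(p: float = 0.5, space: int = IV_SPACE) -> int:
    """Birthday bound: how many randomly chosen IVs until a repeat has probability p."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 26-hex-digit (104-bit) key
    iv = bytes.fromhex("0a0b0c")                       # constructed IV, reused on purpose
    p_a = b"GET /index.html HTTP/1.0"
    p_b = b"GET /login.html HTTP/1.0"
    f_a = wep_encrypt(key, iv, p_a)
    f_b = wep_encrypt(key, iv, p_b)
    print("round trip ok:", wep_decrypt(key, f_a) == p_a)
    # The keystream cancels: the result equals the XOR of the two plaintexts.
    print("IV reuse leaks P_a XOR P_b:", plaintext_xor_from_iv_reuse(f_a, f_b) == xor_bytes(p_a, p_b))
    print(f"IV space: {IV_SPACE}; 50% chance of a repeated IV after about "
          f"{packets_for_collision_probability()} frames")
```

The birthday figure is why the author's "it can take a lot more" is the normal case rather than the exception: even a well-behaved card that picks IVs at random repeats one after roughly 4800 frames, and many cards of that era simply counted up from zero on every reboot.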
Before I go into how I was able to crack WEP, I would like to emphasize that I carried this experiment out in a controlled simulation, and that I simulated an attack on my own wireless router for the purposes of security research.

I downloaded an OS X app called KisMAC (named after the Linux tool Kismet, which is used for the same purpose). It puts your wireless card into listening mode and records every packet that goes by in the airwaves, without transmitting anything at all.
So I installed KisMAC on my iBook and put it into listening mode. Within ten minutes, it picked up about 29393 packets, or about 23MB of data... not enough to reverse engineer a 128-bit WEP key. So I did a few things to generate some additional traffic. First, I sent an authentication flood. This simulates a lot of computers trying to access the router by generating random spoofed MAC addresses, in an attempt to get the router to respond with some packets. Another method is to reinject packets. This resends packets that were already sent by another machine to get the router to respond even more. Within another ten minutes, I had 130123 packets, or about 107MB of data.
Now, I could continue at this rate, injecting packets and spoofing clients... and within an hour, I could easily have enough to rebuild the WEP key. But I decided to speed up the process a bit. I went over to my PC and sent a 700MB video (Life is Beautiful, 1997) to my file server over wireless. Within a few minutes, I had more than enough packets captured. About 457434 of them had unique initialization vectors, and I was ready to extract the key.

I executed a weak scheduling attack against the data I had captured, and in a few seconds, to my surprise, I had the WEP key!
Seeing the 128-bit key that I thought was keeping me safe displayed in a dialog box was quite a surprise. A neighbor, or even someone sitting in a car 100 feet or so from my house running the same program, could within an hour passively listen in on the traffic and use it to discover my WEP key. They could even generate more wireless traffic (like I did with the movie file) simply by visiting my website, because my server is on the wireless network. It really is shocking how easily WEP is cracked. (And I was using a 128-bit key. Imagine how easy it would have been if I had been using a 64-bit key!)
I have since moved to WPA, or Wi-Fi Protected Access. It was designed to replace the failed WEP, and it has proven to be an effective means of securing a wireless network. As long as you use a strong passphrase, you're safe from the dictionary and brute-force attacks that can be used against WPA.
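On the WPA side, the following Python example (added for this page, not from the post) shows why the passphrase is the part that matters. WPA-Personal derives its 256-bit pre-shared key from the passphrase and the network name with PBKDF2-HMAC-SHA1 at 4096 iterations, so every guessed passphrase costs 4096 HMAC computations; what protects you is the number of guesses needed, not the key length. The passphrases and SSIDs below are constructed, except the first test vector, which is the one published in IEEE 802.11i. The entropy figure is an upper bound that assumes the characters were chosen at random; a passphrase made of dictionary words has far less real entropy than it reports.

```python
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-Personal specification
PMK_LENGTH = 32           # 256-bit pairwise master key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy for a passphrase whose characters were chosen uniformly
    from the character classes it uses (lowercase, uppercase, digits, punctuation).
    A passphrase built from dictionary words has far less real entropy than this."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(alphabet)


def log2_hmac_work(passphrase: str) -> float:
    """log2 of the HMAC-SHA1 evaluations needed to try every passphrase in the
    guess space: 2^entropy guesses, each costing PBKDF2_ITERATIONS iterations."""
    return passphrase_entropy_bits(passphrase) + math.log2(PBKDF2_ITERATIONS)


def strength_report(passphrase: str, ssid: str) -> dict:
    """Bundle the derived key and the cost estimates for one network configuration."""
    return {
        "psk": wpa_psk(passphrase, ssid).hex(),
        "entropy_bits": round(passphrase_entropy_bits(passphrase), 1),
        "log2_hmac_work": round(log2_hmac_work(passphrase), 1),
    }


if __name__ == "__main__":
    # Constructed network names and passphrases for comparison.
    for passphrase in ("password", "Tr0ub4dor&3", "q7!Zk2#mLp9$Vw4&Rt8^"):
        report = strength_report(passphrase, "HomeNetwork")
        print(f"{passphrase!r:26} entropy~{report['entropy_bits']:6.1f} bits  "
              f"log2(HMAC work)~{report['log2_hmac_work']:6.1f}  psk={report['psk'][:16]}...")
```

Two things follow from the numbers the script prints. First, the SSID is the salt, so identical passphrases on differently named networks give different keys and a precomputed table has to be built per network name. Second, the 4096 iterations add a fixed 12 bits to the attacker's work, which helps a little but does not rescue an eight-letter lowercase passphrase; length and randomness of the passphrase itself are what move the number.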
Tags:
- Mark's blog
Wow
I knew that 64-bit WEP wasn't all too secure, but I didn't realize that 128-bit encryption was so insecure!
I don't understand ANY of
I don't understand ANY of this, but would someone really sit in a car across the street for an hour trying to hack your signal just for a connection? Maybe a neighbor would, though.
Yes they would.
"would someone really sit in a car across the street for an hour trying to hack your signal just for a connection?"
It's called "wardriving". They might not necessarily just sit across the street - most likely they'll build a better antenna to go somewhere further away from the house where they can't be seen.
And also, you might want to re-read the article. It says it might take an hour to crack the password - BUT in Mark's case it took less than a minute.
It might surprise you that someone would do this, but just look at what's going through your network! Not only do you have your credit card info going through there when you buy stuff online, but you might also have banking and billing info, and if you have a file server in your home (which Mark says he does, and now I do too) you might have Quicken files on there, maybe your SS#, and all kinds of other stuff you don't want outsiders to see/know.
directional antennas
"They might not necessarily just sit across the street - most likely they'll build a better antenna to go somewhere further away from the house where they can't be seen."
In fact, they have directional antennas that you can use to pick up WiFi signals from a mile away or more. So if someone really wanted to, they could passively listen in on your wireless, decrypt it, and see all of your traffic...from quite a far distance away.
http://www.hyperlinktech.com/web/antennas_2400_out_directional.php
http://www.radiolabs.com/Articles/wifi-antenna.html
http://www.oreillynet.com/cs/weblog/view/wlg/448
Wireless "Sniper"
I remember hearing about a home-built "sniper" some security company built. It was actually for Bluetooth, but it could read a Bluetooth signal from over a mile away. Not bad considering usually Bluetooth devices need to be pretty close to transmit/receive data.
I'm sure you can get much more distance from a wifi connection, if you really tried.