The weakness of WEP
In the past, on my home network, I had been using WEP, or Wired Equivalent Privacy for encryption of wireless traffic. When I read about the security flaws in WEP, I immediately switched to WPA encryption. But today, I decided to set it back to WEP and see just how flawed it is...
I downloaded an OS X app called KisMAC (derived from the Linux tool Kismet, which serves the same purpose). It puts your wireless card into listening-only mode and records every packet that goes by in the airwaves, without transmitting anything at all.
So I installed KisMAC on my iBook and put it into listening mode. Within ten minutes it had picked up about 29393 packets, or about 23MB of data – not enough to determine a 128-bit WEP key. So I did a few things to generate some additional traffic. First, I sent an authentication flood, which simulates a lot of computers trying to access the router by generating random MAC addresses, in an attempt to get the router to respond with some packets. Another method is to reinject packets: this resends packets that were already sent by another machine to get the router to respond even more. Within another ten minutes, I had 130123 packets, or about 107MB of data.

Now, I could continue at this rate, injecting packets and spoofing clients, and within an hour, I could easily have enough to rebuild the WEP key. But I decided to speed up the process a bit. I went over to my PC, and sent a 700MB video over to my file server via wireless. Within minutes, I had more than enough packets captured. About 457434 of them had unique IVs (initialization vectors), and I was ready to extract the key.

I executed a weak key scheduling attack against the data I had captured, and in seconds, to my surprise, I had the WEP key!
Seeing the very key that I thought was keeping me safe in my dialog box was quite a surprise.
A neighbor, or even someone sitting in a car a few hundred from my house running a similar program could, in less than an hour, discover what my WEP key was. Pretty scary.
I knew that 64-bit WEP wasn't all that secure, but I didn't realize that 128-bit encryption was so insecure!
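The count of unique IVs above is the heart of the matter: WEP seeds RC4 with a 24-bit IV sent in the clear followed by the shared key, so on a busy network an IV repeats within a few thousand frames, and two frames under one IV share a keystream. The following is an added illustration written for this page, not code from the post or from KisMAC; the RC4 routine follows the public algorithm, and the key, IV and frame contents are made up.

```python
"""Constructed demo: why a 24-bit IV is too small and what IV reuse leaks."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs

def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA), returning n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame RC4 key is IV || shared key, IV sent in clear.
    (The CRC-32 integrity value is omitted; it does not change the point.)"""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV is 3 bytes")
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def xor_of_plaintexts_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV share a keystream: XORing their bodies cancels
    it and yields P_a XOR P_b, with no knowledge of the shared key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; the keystreams are independent")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

def frames_for_collision_probability(p: float) -> int:
    """Birthday bound: frames sent before some IV repeats with probability p."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))

if __name__ == "__main__":
    key = bytes(13) + b""                      # made-up 104-bit shared key
    a = wep_encrypt(key, b"\x01\x02\x03", b"hello world!")
    b = wep_encrypt(key, b"\x01\x02\x03", b"secret bytes")
    print(xor_of_plaintexts_from_iv_reuse(a, b).hex())
    print(frames_for_collision_probability(0.5))   # roughly 4800 frames
```

The birthday figure explains why the post needed to pile up traffic: a few thousand frames already give a 50% chance of a repeated IV, and a 700MB transfer produces hundreds of thousands of them.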
I don't understand ANY of this, but would someone really sit in a car across the street for an hour trying to hack your signal just for a connection? Maybe a neighbor would, though.
"would someone really sit in a car across the street for an hour trying to hack your signal just for a connection?"
It's called "wardriving". They might not necessarily just sit across the street - most likely they'll build a better antenna to go somewhere further away from the house where they can't be seen.
And also, you might want to re-read the article. It says it might take an hour to crack the password - BUT in Mark's case it took less than a minute.
It might surprise you that someone would do this, but just look at what's going through your network! Not only do you have your credit card info going through there when you buy stuff online, but you might also have banking and billing info, and if you have a file server in your home (which Mark says he does, and now I do too) you might have Quicken files on there, maybe your SS#, and all kinds of other stuff you don't want outsiders to see/know.
"They might not necessarily just sit across the street - most likely they'll build a better antenna to go somewhere further away from the house where they can't be seen."
In fact, they have directional antennas that you can use to pick up WiFi signals from a mile away or more. So if someone really wanted to, they could passively listen in on your wireless, decrypt it, and see all of your traffic...from quite a far distance away.
http://www.hyperlinktech.com/web/antennas_2400_out_directional.php
http://www.radiolabs.com/Articles/wifi-antenna.html
http://www.oreillynet.com/cs/weblog/view/wlg/448
I remember hearing about a home-built "sniper" some security company built. It was actually for Bluetooth, but it could read a Bluetooth signal from over a mile away. Not bad considering Bluetooth devices usually need to be pretty close to transmit/receive data.
I'm sure you can get much more distance from a wifi connection, if you really tried.