Wired Equivalent Privacy (WEP)
Whilst now wholly legacy, no discussion of wireless security would be complete without mentioning Wired Equivalent Privacy (WEP). Introduced in 1997, WEP was the original security standard for wireless networks. Initial WEP implementations comprised a 64-bit variant, also referred to as 40-bit (as 24 of those bits were taken up by the Initialisation Vector (IV)), and a 128-bit variant (also referred to as 104-bit because of the same 24-bit IV). Other implementations, e.g. 256-bit, which sometimes varied depending on the hardware vendor, were also used.
WEP Security Flaws
An initial attack vector against WEP was detailed in a paper released in 2001 by Scott Fluhrer, Itsik Mantin and Adi Shamir titled Weaknesses in the Key Scheduling Algorithm of RC4. The associated attack, which became known as the FMS attack (after the authors' surnames), worked by identifying repetitions once enough frames carrying the 24-bit plaintext IVs had been collected, allowing the WEP encryption key to be recovered.
One of the first attack tools to leverage the FMS attack was AirSnort, which could reliably recover a WEP network's encryption key provided enough IVs could be collected:
“AirSnort required approximately 5-10 million encrypted packets to be gathered. Once enough packets had been gathered, AirSnort could guess the encryption password in under a second.”
In one of our historical tests, operating against a saturated 802.11b network, AirSnort required 273659 unique packets and 8 minutes to crack a 128-bit WEP key.
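To put the 24-bit IV size and the packet counts above in perspective, the following added example (not code from the original page) computes the birthday-bound probability that an IV value has already repeated after a given number of frames, and checks the figure with a short simulation. It assumes each frame picks its IV uniformly at random from the 2^24 possible values; the page does not say how any particular implementation chose its IVs.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct WEP IV values

def iv_collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value repeats among `frames` frames,
    assuming each frame picks its IV uniformly at random from `space` values.
    Uses the standard birthday-bound approximation 1 - exp(-n(n-1)/2N), which is
    accurate to well under 1% for the sizes involved here."""
    if frames <= 1:
        return 0.0
    if frames > space:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    return -math.expm1(-frames * (frames - 1) / (2.0 * space))

def frames_for_collision_probability(target: float, space: int = IV_SPACE) -> int:
    """Smallest number of frames after which the repeat probability reaches
    `target` (binary search, since the probability is monotone in `frames`)."""
    lo, hi = 0, space + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if iv_collision_probability(mid, space) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def simulate_frames_to_first_repeat(trials: int = 200, space: int = IV_SPACE,
                                    seed: int = 1) -> float:
    """Monte Carlo check: draw random IVs until one repeats, averaged over
    `trials` runs. The theoretical mean is about sqrt(pi * space / 2) ~ 5133."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = 0
    for _ in range(trials):
        seen = set()
        sent = 0
        while True:
            sent += 1
            iv = rng.randrange(space)
            if iv in seen:
                break
            seen.add(iv)
        total += sent
    return total / trials

if __name__ == "__main__":
    for n in (1_000, 5_000, 50_000, 273_659, 5_000_000):
        print(f"{n:>9} frames: P(IV repeat) = {iv_collision_probability(n):.4f}")
    print("frames for 50% repeat probability:", frames_for_collision_probability(0.5))
    print("simulated mean frames to first repeat:", simulate_frames_to_first_repeat())
```

On a busy network a few thousand frames pass in seconds, so under this model the IV space is effectively recycled almost immediately, long before the millions of packets the tools above needed to finish the job.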
Subsequently, more refined attacks against WEP have been discovered, reducing still further the time required to compromise a network's WEP key and cementing the fact that WEP should never be used to secure any wireless network.
The WPA standards that succeeded WEP are discussed here: WPA, WPA2 and WPA3 (Plus WEP, TKIP and CCMP)