The Wired Equivalency Protocol (WEP) has never been known for strong security. However, a new attack method has been
released that reduces the attack time from hours to seconds. Knowing that WEP is no more secure than a plastic luggage lock, many people are
questioning whether WEP is even useful at all.
While I certainly do
not recommend WEP for high security (or even moderate risk) environments, you need to remember: security is a measurement of risk. If the threat is low enough, then WEP should be fine.
WEP actually has three things going in its favor:
- Availability: While there are many alternatives to WEP, such as WPA and LEAP, only WEP is widely available. Hotels and coffee shops that only cater to WPA or LEAP will not support many of their customers. However, if you support WEP then everyone should be able to access the network.
- Better than nothing: There's a saying in Colorado: I don't have to run faster than the bear, I just have to run faster than you. If a casual war driver or WiFi-parasite has the option to use your WEP system or your neighbor's open system, they will always choose your neighbor. Having WEP makes you less desirable than an open WiFi because there is no effort needed to use the network. If you happen to live next to a coffee shop or library that offers free WiFi, then the casual wireless user who just wants Internet access will always choose free over the hassle of cracking WEP. While WEP does not block a determined attacker who wants your network, it will stop opportunistic network users.
- Intent: This is a biggie. If someone trespassed on your private network through an open wireless access point, then proving digital trespassing can be very difficult. However, if the user must bypass your minimalist WEP security, then they clearly show intent to trespass.
Consider WEP like a low fence around a swimming pool. Without the fence, you are in trouble if a neighborhood kid drowns in the pool. It's an "attractive nuisance". However, with the fence, you should be covered if a kid climbs the fence and drowns. It's still bad, but you have a standing to refute blamed since you put up a barrier, even if the barrier was minimal.
As far as WEP goes, it may not be very secure, but it is better than the open-network alternative. If you have the option to use a stronger security algorithm, then definitely do that. However, if you have no other option, then WEP is better than nothing.
Your three WEP points of favor are interesting discussion points.
#1 - Availability.
That's an excellent point and one we should start pushing to change.
WEP is the primary "hotel" wireless protocol. Hotel users usually have
the choices of "Open" "WEP" or "Bring Your Own". It needs to be
stressed to the Hiltons and Marriotts of the world that using WEP is a
huge disservice to their customers, which means we need to
"bullet-proof" some of the other methods.
I'm going through this one at work right now myself. My team convinced
me that we should use "WPA2" with TKIP for our new wireless service.
Guess what? Most Windows-controlled wireless laptops don't have an
option to select WPA2 as their authentication protocol! My team says
"No problem, we can just have them download a more recent version of
their driver and use the software that comes with their wireless card to
manage their wireless instead of the windows client."
ARRRGH! NOT a valid answer!
---------------
#2 - Better than nothing.
Actually, the point of the Weeping for WEP story is that its no longer
any harder to break WEP than it is to connect to an open network.
Demonstrated "time-to-connect" according to the German's paper? 60
seconds. Now, if I needed 45 minutes to get on to your network, I'd
likely keep driving. But if it truly only takes 60 seconds? Its easier
to get on your network than to drive to the next signal? (Unless your
in my office, where from my 10th floor window I can see 51 Wireless
networks, 30 "open" and 21 "WEP" without an external antenna from my
Dell laptop).
The infoworld article:
http://www.infoworld.com/article/07/04/04/HNdontusewep_1.html
and the actual paper:
http://eprint.iacr.org/2007/120.pdf
make it clear that 50 seconds of gathering and 3 seconds of cracking
open a 104-bit WEP key.
----------------
#3 - Intent of Trespass.
Well, its true that you could say "He intentionally broke in", but how
many wireless intrusion cases were there in the entire US last year?
Three? Four? I'd rather just spend 5 minutes to update my security
and be secure rather than knowing that I could "prove" the guy who stole
my bandwidth (and identity?) did so "on purpose".
Thanks for sharing your thoughts!
-
gar