Wireless Security
Why Swiss-Cheese Security Isn't Enough
David Wagner
University of California at Berkeley
Wireless Networking is Here
Internet
802.11 wireless networking is on the rise
installed base: ~ 15 million users
currently a $1 billion/year industry
The Problem: Security
Wireless networking is just radio communications
Hence anyone with a radio can eavesdrop, inject traffic
The Security Risk: RF Leakage
The Risk of Attack From Afar
Why You Should Care
More Motivation
Overview of the Talk
In this talk:
The history: WEP, and its (in)security
Where we stand today
Future directions
WEP
(encrypted traffic)
The industry's solution: WEP (Wired Equivalent Privacy)
Share a single cryptographic key among all devices
Encrypt all packets sent over the air, using the shared key
Early History of WEP
1997: 802.11 WEP standard released
Mar 2000: Simon, Aboba, Moore: some weaknesses
Oct 2000: Walker: "Unsafe at any key size"
Jan 30, 2001: Borisov, Goldberg, Wagner: 7 serious attacks on WEP
Feb 5, 2001: NY Times, WSJ break the story
WEP - A Little More Detail
Transmitted packet: IV, P ⊕ RC4(K, IV)
WEP uses the RC4 stream cipher to encrypt a TCP/IP packet (P) by xor-ing it with keystream (RC4(K, IV))
A Property of RC4
Keystream leaks, under known-plaintext attack
Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P
Let Z = RC4(K, IV) be the RC4 keystream
Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z
This is not a problem ... unless keystream is reused!
A Risk of Keystream Reuse
Packet 1: IV, P ⊕ RC4(K, IV)
Packet 2: IV, P' ⊕ RC4(K, IV)
If IVs repeat, confidentiality is at risk
If we send two ciphertexts (C, C') using the same IV, then the xor of plaintexts leaks (P ⊕ P' = C ⊕ C'), which might reveal both plaintexts
Lesson: If RC4 isn't used carefully, it becomes insecure
Attack #1: Keystream Reuse
WEP didn't use RC4 carefully
The problem: IVs frequently repeat
The IV is often a counter that starts at zero
Hence, rebooting causes IV reuse
Also, there are only 16 million possible IVs, so
after intercepting enough packets, there are
sure to be repeats
Attackers can eavesdrop on 802.11 traffic
An eavesdropper can decrypt intercepted
ciphertexts even without knowing the key
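The three slides above (keystream recovery under known plaintext, the xor leak when an IV repeats, and the IV counter that restarts at zero) can be checked in a few lines. The example below is added here and is not code from the talk or from any 802.11 implementation: it contains a plain RC4, a WEP-style per-packet key (the 24-bit IV prepended to the shared key, which is how WEP forms the RC4 key; the CRC field is omitted), and a defender-side check that flags any IV seen twice under one key. The key, IVs and packet contents are constructed sample values.

```python
from collections import defaultdict


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA) returning n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the 24-bit IV is prepended to the shared key to
    form the per-packet RC4 key, and the IV travels in the clear next to the
    ciphertext. The CRC integrity field is left out; the keystream
    properties shown here do not depend on it."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext property: Z = P xor C, no key required."""
    return xor(ciphertext, known_plaintext)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Two packets under the same IV share a keystream: C1 xor C2 = P1 xor P2."""
    return xor(c1, c2)


def find_iv_reuse(packets):
    """Receiver- or monitor-side check: return every IV seen more than once
    under one shared key. `packets` is an iterable of (iv, ciphertext)."""
    counts = defaultdict(int)
    for iv, _ in packets:
        counts[iv] += 1
    return sorted(iv for iv, n in counts.items() if n > 1)


def demo():
    """Walk through the three properties on constructed sample traffic."""
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    p1 = b"GET /index.html HTTP/1.0"       # predictable (guessable) plaintext
    p2 = b"secret session cookie xx"       # same length, unknown to observer
    # A sender whose IV counter restarts at zero after a reboot: the fourth
    # packet reuses the IV of the first.
    ivs = [b"\x00\x00\x00", b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x00"]
    plaintexts = [p1, b"x" * 24, b"y" * 24, p2]
    packets = [(iv, wep_encrypt(key, iv, p)) for iv, p in zip(ivs, plaintexts)]
    c1, c2 = packets[0][1], packets[3][1]
    z = recover_keystream(c1, p1)          # from packet 1 and its guessed plaintext
    return {
        "keystream_matches": z == rc4_keystream(ivs[0] + key, len(p1)),
        "xor_leak": xor_of_plaintexts(c1, c2) == xor(p1, p2),
        "p2_recovered": xor(z, c2),        # second plaintext, no key used
        "reused_ivs": find_iv_reuse(packets),
    }


if __name__ == "__main__":
    print(demo())
```

The detector is the part a defender can act on: with a 24-bit IV space, repeats are inevitable on a busy network, so a monitor that counts IVs per key gives a direct measure of how exposed the traffic is, independent of any attacker tooling.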
WEP -- Even More Detail
(Diagram: the original unencrypted packet is extended with a checksum; the key and IV feed RC4, whose keystream is xor-ed with packet and checksum to form the encrypted packet; the IV is sent in the clear ahead of it)
Attack #2: Spoofed Packets
Attackers can inject forged 802.11 traffic
Learn RC4(K, IV) using previous attack
Since the checksum is unkeyed, you can then
create valid ciphertexts that will be accepted by
the receiver
Attackers can bypass 802.11 access control
All computers attached to wireless net are
exposed
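Attack #2 rests on one algebraic fact: CRC-32 is linear over xor, so the checksum of a modified packet can be fixed up without knowing the key. The example below is added here (not code from the talk) and shows that fact, a WEP-style receiver that accepts the result, and the corrected design that modern protocols use, a keyed MAC (HMAC-SHA256 here), which rejects the same modification. The keystream is modelled as random bytes because only the xor structure matters; the packet text, the byte order of the CRC field and the MAC choice are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    """WEP's integrity check value is a plain, unkeyed CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP framing: encrypt (P || CRC32(P)) by xor with the keystream."""
    body = plaintext + crc32(plaintext)
    return xor(body, keystream[: len(body)])


def wep_verify(ciphertext: bytes, keystream: bytes):
    """Receiver side: decrypt, then accept only if the CRC matches."""
    body = xor(ciphertext, keystream[: len(ciphertext)])
    p, icv = body[:-4], body[-4:]
    return p if icv == crc32(p) else None


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over xor: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0)
    for inputs of equal length (the constant absorbs the init/final xor)."""
    zero = bytes(len(a))
    return crc32(xor(a, b)) == xor(xor(crc32(a), crc32(b)), crc32(zero))


def modify_without_key(ciphertext: bytes, delta: bytes) -> bytes:
    """Apply the plaintext difference `delta` to an encrypted packet and fix
    up the encrypted CRC using the linearity above. Neither key nor
    keystream is needed, which is why an unkeyed checksum gives no integrity."""
    zero = bytes(len(delta))
    return xor(ciphertext, delta + xor(crc32(delta), crc32(zero)))


def mac_protect(plaintext: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    """Corrected design: a keyed MAC over the plaintext instead of a CRC."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    return xor(body, keystream[: len(body)])


def mac_verify(ciphertext: bytes, keystream: bytes, mac_key: bytes):
    body = xor(ciphertext, keystream[: len(ciphertext)])
    p, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, p, hashlib.sha256).digest()
    return p if hmac.compare_digest(tag, expected) else None


def demo():
    """Constructed sample: a packet reading AMOUNT=0100 and a modifier who
    knows the packet layout and the xor difference to apply, but has
    neither the key nor the keystream."""
    keystream = secrets.token_bytes(64)   # stands in for RC4(K, IV)
    mac_key = secrets.token_bytes(32)
    p = b"AMOUNT=0100"
    delta = bytes(7) + bytes([ord("0") ^ ord("9")]) + bytes(3)  # '0' -> '9' at offset 7
    c_crc = wep_protect(p, keystream)
    c_mac = mac_protect(p, keystream, mac_key)
    return {
        "linear": crc_is_linear(p, delta),
        "crc_accepts": wep_verify(modify_without_key(c_crc, delta), keystream),
        "mac_accepts": mac_verify(modify_without_key(c_mac, delta), keystream, mac_key),
        "mac_unmodified": mac_verify(c_mac, keystream, mac_key),
    }


if __name__ == "__main__":
    print(demo())
```

The CRC receiver returns the altered plaintext as valid; the MAC receiver returns None for the altered packet and the original plaintext for the untouched one. Nothing about the keystream changes either outcome, so the difference is entirely in whether the integrity tag depends on a secret.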
Attack #3: Reaction Attacks
(Diagram: the intercepted packet P ⊕ RC4(K); the modified packet P ⊕ RC4(K) ⊕ 0x0101 delivered to the receiver; a TCP ACK coming back)
TCP ACKnowledgement appears ⇔ TCP checksum on received (modified) packet is valid ⇔ P & 0x0101 has exactly 1 bit set
Attacker can recover plaintext (P) without breaking RC4
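The "exactly 1 bit set" condition comes from the arithmetic of the TCP checksum, not from RC4. The example below is added here (not code from the talk) to check that claim exhaustively on a constructed TCP segment: the slide's mask 0x0101 is modelled as flipping the same bit position in two different 16-bit words, following the Borisov, Goldberg, Wagner paper (bits i and i+16); that modelling is an assumption. The host is modelled as something that ACKs only a segment whose checksum still verifies, which is what turns its behaviour into an oracle. The lesson for a defender is the same as for Attack #2: a keyed MAC verified before the packet reaches TCP drops every modified packet, so the host's reaction never reveals anything about P.

```python
def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by TCP: one's complement of the one's
    complement sum of 16-bit big-endian words (odd tail padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF


def checksum_valid(segment: bytes) -> bool:
    """A receiver sums the whole segment, checksum field included; a
    correct segment sums to 0xFFFF, i.e. its checksum is 0."""
    return internet_checksum(segment) == 0


def build_sample_segment() -> bytes:
    """Constructed TCP segment (20-byte header + 12-byte payload) with the
    checksum field at bytes 16-17 filled in. The pseudo-header is omitted:
    it only adds words that the argument below does not depend on."""
    header = bytearray(
        b"\x12\x34\x00\x50"               # src port 0x1234, dst port 80
        + (1).to_bytes(4, "big")          # sequence number
        + (2).to_bytes(4, "big")          # acknowledgement number
        + b"\x50\x10\x20\x00"             # data offset/flags (ACK), window
        + b"\x00\x00"                     # checksum, filled in below
        + b"\x00\x00"                     # urgent pointer
    )
    payload = b"hello world!"
    csum = internet_checksum(bytes(header) + payload)
    header[16:18] = csum.to_bytes(2, "big")
    return bytes(header) + payload


def word_bit(segment: bytes, w: int, j: int) -> int:
    """Bit j (0 = least significant) of 16-bit word w."""
    return (int.from_bytes(segment[2 * w: 2 * w + 2], "big") >> j) & 1


def flip_word_bit(segment: bytes, w: int, j: int) -> bytes:
    b = bytearray(segment)
    b[2 * w + (0 if j >= 8 else 1)] ^= 1 << (j % 8)   # big-endian word layout
    return bytes(b)


def ack_would_appear(segment: bytes, w1: int, w2: int, j: int) -> bool:
    """Model of the victim host: it ACKs the modified segment only if the
    TCP checksum still verifies after bit j is flipped in words w1 and w2."""
    return checksum_valid(flip_word_bit(flip_word_bit(segment, w1, j), w2, j))


def exactly_one_set(segment: bytes, w1: int, w2: int, j: int) -> bool:
    return word_bit(segment, w1, j) ^ word_bit(segment, w2, j) == 1


def property_holds_everywhere(segment: bytes) -> bool:
    """Exhaustive check of the slide's claim for every word pair and bit:
    the checksum survives exactly when one of the two flipped bits was set.
    If neither or both were set, the sum moves by +/- 2^(j+1), which is
    never 0 modulo 65535, so the checksum breaks."""
    n = len(segment) // 2
    return all(
        ack_would_appear(segment, w1, w2, j) == exactly_one_set(segment, w1, w2, j)
        for w1 in range(n) for w2 in range(w1 + 1, n) for j in range(16)
    )


if __name__ == "__main__":
    seg = build_sample_segment()
    print(checksum_valid(seg), property_holds_everywhere(seg))
```

Running it confirms the equivalence for all 120 word pairs and 16 bit positions of the sample segment, which is exactly the one bit of information per probe that the slide says the host's reaction leaks.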
Summary So Far
None of WEP's goals are achieved
Confidentiality, integrity, access control: all insecure
Subsequent Events
Jan 2001: Borisov, Goldberg, Wagner
Mar 2001: Arbaugh: "Your 802.11 network has no clothes"
May 2001: Arbaugh: more attacks
Jun 2001: Newsham: dictionary attacks on WEP keys
Aug 2001: Fluhrer, Mantin, Shamir: efficient attack on the way WEP uses RC4
Feb 2002: Arbaugh, Mishra: still more attacks
War Driving
To find wireless nets:
Load laptop, 802.11
card, and GPS in car
Drive
While you drive:
Attack software listens
and builds map of all
802.11 networks found
War Driving: Chapel Hill (map)
Driving from LA to San Diego (map)
Wireless Networks in LA (map)
Silicon Valley (map)
San Francisco (map)
Toys for Hackers
A Dual-Use Product
Problems With 802.11 WEP
WEP cannot be trusted for security
Attacks are serious in practice
Attackers can eavesdrop, spoof wireless traffic
Also can break the key with a few minutes of traffic
Attack tools are available for download on the Net
And: WEP is often not used anyway
High administrative costs (WEP punts on key mgmt)
WEP is turned off by default
History Repeats Itself
(Timeline figure: wireless security is not just 802.11)
Cellphones:
1980: analog cellphones (AMPS); analog cloning, scanners; fraud pervasive & costly
1990: digital (TDMA, GSM); TDMA eavesdropping [Bar]; more TDMA flaws [WSK]; GSM cloneable [BGW]; GSM eavesdropping [BSW, BGW]
2000: Future: 3rd gen. (3GPP)
Wireless networks:
1999: 802.11, WEP
2000-2002: WEP broken [BGW]; WEP badly broken [FMS]; attacks pervasive
2003: WPA
Future: 802.11i
Sensor networks:
Berkeley motes
2002: TinyOS 1.0, TinySec
2003
Future: ???
Conclusions
The bad news:
802.11 is insecure, both in theory & in practice
802.11 encryption is readily breakable, and 50-70%
of networks never even turn on encryption
Hackers are exploiting these weaknesses in the
field
The good news:
Fixes (WPA, 802.11i) are on the way!