This year, faster WEP crackers and flawed anti-cracking strategies have shown that relying on WEP is still a bad idea. But according to the 2007 WLAN State of the Market survey, just 38 percent of WLANs have upgraded to WPA. Between compliance pressures and breach headlines, why do so many WLANs continue using WEP?
According to Sri Sundaralingam, Director of Product Management at AirTight Networks, the culprit is not lack of WPA-capable WLAN infrastructure. Rather, “Many are still using hundreds if not thousands of client devices that can only do WEP. It is going to take some time to transition that investment to WPA2. We want to help protect those legacy installments by adding a layer of security on top of what AP vendors can provide.”
Managing WEP risk
Several new WIPS features, packaged as WEPGuard, will be found in AirTight’s SpectraGuard Enterprise 5.5 release this fall.
- WEPGuard generates scheduled or on-demand reports to estimate a WLAN’s risk exposure. “Based on current traffic, we will estimate the time required to crack [each AP’s] WEP key,” said Sundaralingam. “If you have a way of periodically rotating your keys, this can help you decide how often to do it.”
- WEPGuard flags resolvable conditions that increase risk of WEP cracking. “We tell you if APs are sending weak IVs, so that you can upgrade their firmware,” said Sundaralingam. “We tell you if you have PSPF enabled, so that you can turn client-to-client forwarding off to stop active cracking attacks.”
- WEPGuard uses RF fingerprinting to differentiate between an attacker using a spoofed MAC address and cracked key to access a WLAN, and the device that really owns that MAC address – even when just the attacker is active. “This is new,” said Sundaralingham. “Today, if the victim is not also active, nobody cannot protect against MAC spoofing.”
- Having accurately identified an active cracker or spoofing intruder in this fashion, WEPGuard uses SpectraGuard locationing and blocking to quarantine the AP under attack, insulating the network while you physically find and remove (e.g., arrest or scare away) the intruder.
Building a better band-aid
Passive cracking risk analysis and active cracking alerts are intended to help companies that still use WEP better understand and reduce the associated risk.
According to Sundaralingham, passive cracking takes from hours to days, but the risk exposure is typically estimated to be a few days. “In this case, rotating keys monthly is not a good idea. But if you’re rotating daily, that’s within your risk window,” he explained.
WEPGuard alerts enable practical risk mitigation steps, like upgrading vulnerable AP firmware and configurations to impede newer active WEP cracking tools that use packet injection to guess keys within minutes.
But WEPGuard does not fix WEP. “We do not make any claims about the ability to stop passive WEP cracking,” said Sundaralingam. “It’s been proven that you cannot stop passive WEP cracking – it’s a matter of time and traffic exposure.”
To this end, AirTight demonstrated anti-WEP cracking techniques and counter-attacks at DEFCON. “While some suggest that injecting chaff into the data stream is an effective way to confuse hackers, it is a passive approach which continuously eats up bandwidth and merely masks the problem,” said AirTight CTO Pravin Bhagwat.
Strengthening active defenses
The ability to fingerprint, locate, and block devices that use spoofed MACs can be useful against active WEP crackers and those using cracked keys to penetrate a WLAN. However, these improvements have potential benefit far beyond WEP.
MAC spoofing plays a role in numerous attacks – including those launched against WLANs that use WPA2 and/or VPNs. Spoofed APs are commonly used during Denial of Service and Evil Twin attacks, while spoofed stations are often used to hack a network or corporate data that lies therein.
Spoofed APs have always been easier to spot, since the legitimate AP is usually still active. However, some WIPS do not notice if a valid AP MAC from the NY office is used in an attack on the LA office. And spoofed stations present much bigger challenges – starting with maintaining a complete, current list of valid MACs.
If a WIPS cannot reliably identify and locate intruders, it cannot effectively remediate them. Using RF fingerprinting to detect and respond to spoofed APs and stations with greater accuracy should be welcome in any WLAN – including those still struggling to retire WEP.
