Zit Seng's Homepage @ pobox.com/~lzs

Parts of this document are still being written. Please come back at a later date to read the completed version.

Comments on WEP Security

Wired Equivalent Privacy (WEP) is an 802.11 feature for wireless LANs that provides, as the name implies, privacy/security equivalent to a wired network. Marketing literature repeatedly uses the words "encryption" and "security", but fails to elaborate on the technical details.

I have been led to believe WEP provides these features:

A secure wireless network where no one can eavesdrop on someone else's traffic (in the same way as a wired switched network), and where only authorized users can gain access to a network (like wired network points in a private office).

If you're like me, you'll be hugely disappointed. WEP does not do what I had envisioned it would do. Perhaps the WEP designers never thought about the issues in a real-world deployment site, or perhaps they don't care to address the real-world problems. The result is that WEP is almost useless and provides no advantage (over non-WEP) in my wireless network environment. The bottom line is:

Now, what is the use of WEP?

Security of WEP Keys

There is no security. The key is in the user's computer; the user can do anything they want with it. If you want to control access to your network using these WEP keys, you can forget about it.

As you can tell from my notes on Using WEP with Linux, any Linux user would know the key. Manufacturers claim that this is not the case with Windows because the keys are stored in an "encrypted" form in the Windows registry. They claim it is practically impossible to obtain the WEP keys.

But think about it: The WEP key is in the computer. It is a shared secret. If the software driver is going to be able to use the key, it must be able to undo the encryption. Since there is no external source of any secret material, the entire secret is inside the computer, so there must be a way for the user to get the WEP keys out.

As it turns out, it's even easier. You can simply copy the encrypted string from the Windows registry and use it on another computer. This is as good as knowing the WEP key and installing it on another computer. A user could thus publish this secret encrypted string, and the equivalent of your WEP key is then known to everyone. As a network administrator, you have no control over this!

Snooping

With WEP, snooping doesn't work the same way as on a wired shared Ethernet hub. If you run a packet sniffer, the only traffic you see is traffic addressed to your own computer or broadcast traffic.

Now, I don't know if the WEP encryption partially depends on the MAC address, or perhaps it is a card feature to only pass on packets sent to its MAC (sort of like refusing to work in promiscuous mode).

Nevertheless, if you have a particular victim in mind and you know his MAC address, it is trivial to set your MAC address to his and thus be able to receive his traffic! You can hear all the traffic the base station sends to that user (I've not figured out how you can hear traffic sent by that user to the base station). It is also a trivial matter to find out your victim's MAC address: if you are in the same IP subnet, ping him first and then check your ARP table.

In other words, if you have a victim in mind, you can capture the traffic that is sent to him.

But there is a little catch about setting MAC addresses. See the next section.

Setting MAC Address in Linux

The WaveLAN/IEEE driver for Linux allows users to specify the MAC address for the wireless card. This is done through the module parameters given in the PCMCIA card services configuration file /etc/pcmcia/config.opts. For example:

module "wavelan2_cs" opts "network_name=ANY address=0x00,0x60,0x6d,0x92,0x15,0x6f"

will tell the WaveLAN/IEEE driver to set the card MAC address to 00:60:6d:92:15:6f. There is, however, a small catch. The Linux driver actually mangles a few bits in the first octet so you cannot really specify any imaginable MAC address you so wish to. For example, the actual MAC address that gets set with the above parameter is in fact 02:60:6d:92:15:6f.
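As an added illustration (not code from the original page or from the WaveLAN driver), the Python below parses a config.opts line of the form above, applies the one mangling effect the page documents (first octet 0x00 becomes 0x02, which is the locally administered bit), and runs a defender-side check over constructed "arp -a" output for addresses that carry that bit or are claimed by more than one IP, which is how a station impersonating another would appear from the wired side. It assumes the driver changes nothing beyond that bit; the page gives only this one example.

```python
import re
from collections import defaultdict

# Bit in the first MAC octet marking a locally administered address. The page shows the
# driver turning 0x00 into 0x02, i.e. setting exactly this bit; that is all this models.
LOCALLY_ADMINISTERED_BIT = 0x02

_OPTS_RE = re.compile(r'module\s+"wavelan2_cs"\s+opts\s+"([^"]*)"')
_ARP_RE = re.compile(r'\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})')

def parse_requested_address(config_line):
    """Six octets from the address=... option of a /etc/pcmcia/config.opts line."""
    m = _OPTS_RE.search(config_line)
    if not m:
        raise ValueError("not a wavelan2_cs module line")
    opts = dict(kv.split("=", 1) for kv in m.group(1).split())
    octets = [int(x, 16) for x in opts["address"].split(",")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("address must be six octets")
    return octets

def driver_sets_address(octets):
    """Address the driver actually sets: the first octet gets the locally administered
    bit (assumption: nothing else changes; the page documents only this effect)."""
    mangled = list(octets)
    mangled[0] |= LOCALLY_ADMINISTERED_BIT
    return mangled

def format_mac(octets):
    return ":".join("%02x" % o for o in octets)

def suspicious_arp_entries(arp_lines):
    """Defender check over 'arp -a' style lines: flag MACs with the locally administered
    bit set (driver-assigned, as above) and MACs claimed by more than one IP address."""
    by_mac = defaultdict(list)
    for line in arp_lines:
        m = _ARP_RE.search(line)
        if m:
            by_mac[m.group(2).lower()].append(m.group(1))
    findings = []
    for mac, ips in sorted(by_mac.items()):
        if int(mac[:2], 16) & LOCALLY_ADMINISTERED_BIT:
            findings.append((mac, "locally administered address"))
        if len(ips) > 1:
            findings.append((mac, "shared by %d IPs" % len(ips)))
    return findings

CONFIG_LINE = 'module "wavelan2_cs" opts "network_name=ANY address=0x00,0x60,0x6d,0x92,0x15,0x6f"'
SAMPLE_ARP = [  # constructed sample output, not captured from a real network
    "host1 (10.0.0.5) at 00:60:6d:92:15:6f [ether] on eth0",
    "? (10.0.0.9) at 02:60:6d:92:15:6f [ether] on eth0",
    "? (10.0.0.12) at 00:60:6d:92:15:6f [ether] on eth0",
]
```

Running format_mac(driver_sets_address(parse_requested_address(CONFIG_LINE))) reproduces the 02:60:6d:92:15:6f result quoted above, and suspicious_arp_entries(SAMPLE_ARP) reports both the driver-set address and the MAC shared by two IPs.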

This problem can be easily solved by modifying the driver source code. In version 4.00 of the WaveLAN/IEEE PCMCIA device driver for Linux, delete lines 1527 through 1531 from the file in clients/wavelan2_cs.c. Recompile and restart your PCMCIA card services. With this fix, you can set your WaveLAN card's MAC address to anything you want to.

This document is still being worked on... (7 Feb 2000)

© 1997-2000 by Lai Zit Seng. All Rights Reserved.