Saturday, March 31, 2007

WiFi Security

WEP: Unsafe With Any Key

Recently I did a "Site Survey" that looked for all the WiFi access points within range of my own WiFi access points. I do this periodically to find out which channels they're using so I can set my system to the least populated channel and get the least interference from other WiFi systems. To my great dismay I found a number of WiFi networks still using WEP authentication and encryption instead of its replacements, WPA or WPA2. New WiFi access points are designed to prevent this, or worse yet, an access point with no authentication or encryption at all. WEP, which stands for Wireless Equivalent Privacy, was the original client (user) authentication and encryption system created for WiFi Access Points (wireless routers, aka APs) when IEEE 802.11, the international standard for WiFi and its operating protocols, was originally written and released. The cryptography community shuddered with horror when they learned what had been approved by the IEEE 802.11 Working Group and Committee. It was known at the outset to be weak and "crackable" without too much difficulty. Within a few months, practical methods were devised to "crack" the WEP encryption of any AP using it without taking too much time; the weaknesses of WEP weren't just theoretical any more, they were very real. Originally it took a little skill and patience, capturing encrypted data being transmitted between a client and the AP, but now even that isn't required. A 10-year-old or "Grandma" can crack a WEP "secured" AP in 5-10 minutes, sometimes in only 3 minutes.

The TJ Maxx debacle, with the compromise of millions of credit card numbers, was traced to WiFi APs used inside TJ Maxx stores that carried Point-of-Sale data to (ultimately) parent corporation servers. The original intrusion into their network was made from the parking lot of a TJ Maxx store through the store's WiFi system, which was "secured" (a dubious characterization) using WEP. From there, the intruders mapped the corporation's network, eventually working their way to the credit card database, and then installed a "Back Door" so they could reach it over normal wired network means and quit using the WiFi for access.

WEP has been "deprecated" (entirely obsoleted and removed) in the current IEEE 802.11, replaced now by WPA and WPA2, which are infinitely stronger authentication and encryption methods. WPA/WPA2 strength in Pre-Shared Key systems rests entirely on the strength of the pass-phrase, which must not be susceptible to a "Dictionary Attack" that guesses the pass-phrase from a large dictionary of commonly used pass-phrases. You'd be surprised at how many people use simple, common passwords. The encryption algorithm isn't breakable by statistical analysis methods; in other words, there's no "short cut" as there is with WEP. Sadly, and in my opinion rising to just short of criminal culpability, WEP had already been deprecated in 802.11 for a couple of years when the TJ Maxx incident occurred, but TJ Maxx made a decision to accept the risk because it would "cost too much" to replace their store WiFi APs with WPA or WPA2 capable ones. I only wonder in hindsight if TJ Maxx's parent corporation still thinks their "too costly" decision was the correct one.


The key - pun intended - to WiFi security:
  • Using WPA or WPA2 authentication and encryption.
  • Using a long, esoteric and obscure passphrase that cannot be guessed using a dictionary attack.
I'll give you a few clues:
  • password
  • drowssap
  • 123456
  • 654321
  • abcdef
  • uvwxyz
  • qwerty
  • zxcvbnm
  • ~!@#$%
  • BR-549
  • NCC-1701
  • THX-1138
  • Shazam!
  • Open Sesame (or OpenSesame)
  • Xyzzy
  • Zzyzx
. . . or any of their backwards variants, are exceptionally weak passwords. They're quite early on in the common dictionaries used in a dictionary attack, which list well over 100,000 commonly used passwords in not only English, but German, French and Spanish. If you've thought of one of these, or anything similar taken from a movie, TV show, or computer game, millions of others have also. Your next-door neighbor's 12-year-old might not guess beyond the simplistic few forward and backward sequences, or keyboard letters, but all of these are within the first part of a commonly and readily available password dictionary. Using your name, even with numbers substituted for letters, such as J0hn 5m1th, is also worthless. We're all savvy to the number-for-letter substitutions, and an automated system can perform them in a few nanoseconds. Someone who knows your name will try that before going to a common dictionary.
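To make the point about reversed and number-for-letter variants concrete, here is an added example (my own code, not from the original post) of a pre-check a network admin could run on a candidate WPA/WPA2 pre-shared key before configuring it. The tiny wordlist, the leet table and the 20-character policy minimum are constructed for illustration; the 8-63 ASCII character limit is the WPA passphrase format.

```python
import string

# Constructed sample of the entries that open a typical password wordlist;
# a real list (100,000+ entries in several languages) would be read from a file.
WEAK_DICTIONARY = {
    "password", "123456", "abcdef", "uvwxyz", "qwerty", "zxcvbnm", "~!@#$%",
    "br-549", "ncc-1701", "thx-1138", "shazam!", "open sesame", "opensesame",
    "xyzzy", "zzyzx", "john smith",
}

# Number/symbol-for-letter substitutions; cracking tools undo these automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate):
    """Every form of the candidate a wordlist rule set would try: lowercased,
    with leet substitutions undone, with decorative digits/punctuation
    stripped from the ends, and each of those reversed."""
    base = candidate.lower()
    forms = {base, base.translate(LEET_MAP)}
    forms |= {f.strip(string.punctuation + string.digits) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    forms.discard("")
    return forms


def is_dictionary_word(candidate, dictionary=WEAK_DICTIONARY):
    """True when any normalized form of the candidate is in the wordlist."""
    return any(form in dictionary for form in normalize(candidate))


def check_passphrase(candidate, dictionary=WEAK_DICTIONARY, min_length=20):
    """Return (accepted, reason). min_length=20 is an assumed local policy."""
    # WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(candidate) <= 63 or not candidate.isascii():
        return False, "must be 8 to 63 ASCII characters"
    if is_dictionary_word(candidate, dictionary):
        return False, "matches a wordlist entry (directly, reversed, or de-leeted)"
    if len(candidate) < min_length:
        return False, "shorter than policy minimum of %d characters" % min_length
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in candidate) for cls in classes) < 3:
        return False, "use at least three of: lower, upper, digits, punctuation"
    return True, "ok"
```

Run it over the list above and its "clever" variants (drowssap, J0hn 5m1th, P@ssw0rd!) and every one is rejected on the wordlist check alone.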

In a previous life a few decades ago, I was doing contract work on the side helping to maintain a digital, radio-telecommunications system for passing emergency written messages. It was mostly related to logistics, to get that text-intensive traffic off the tactical voice channels. We needed to update staff computers with a software revision over a weekend. The agency communications director and I went in on Saturday morning and found password protected PCs (hooray for security - almost, but not quite). There wasn't a single one of over a dozen I couldn't get into within five minutes using common passwords, looking at the pictures and refrigerator art from the kids at their desks and using stuff the kids wrote on them, lifting up writing pads and other stuff on the desktop, or looking under the middle desk drawer to find stuff taped there. Esoteric and obscure means truly esoteric and obscure. It's gobbledy-gook gibberish nobody could guess without doing a brute force attack using all possible permutations and combinations of numbers and letters.
