What Is WEP Wi-Fi Encryption & Why Is It Really Insecure?

wep sucks why   What Is WEP Wi Fi Encryption & Why Is It Really Insecure?If you’ve set up a wireless network before, you’ve probably read or been told to use WPA2 instead of WEP, because WEP is bad. Why is that? And what is WEP anyway?

Good questions. WEP was the first standardized way of securing wireless networks. It encrypts your data – which is good – but doesn’t do so well enough to stop people from eavesdropping – which is bad. The main problem with WEP is that it’s been solved, meaning anyone can break into a WEP network using freely available tools.

Imagine if a particular kind of lock for a door could be opened using only a credit card – just slide the card beneath the latch, pull up and you’re in. That’s a problem, right? Anyone who knows about this weakness could open any door using this lock.

Now imagine if most people knew that this particular kind of door could be easily opened. You wouldn’t use that door to protect your house – it’s a little better than not locking your door at all, but not much because that lock has a weakness, and everyone knows what that weakness is, that lock is effectively no longer useful.

WEP has a weakness, and everyone knows what that weakness is. WEP is a little better than not securing your wireless network at all, but not much. If you use WEP anyone can crack your code in minutes and start using your WiFi – and monitoring everything you do online. This could mean kids using your wireless to download TV episodes, or it could mean criminals stealing your identity. Either way, it’s not worth it.

Cracking WEP keys isn’t quite as simple as sliding a credit card to open a a door, but it’s pretty close. Don’t believe me? Check out James’ tutorial for cracking a WEP network using Backtrack Linux. You’ll be amazed how simple the process is. There’s a reason the credit card industry banned processing payments over a WEP network - it’s fundamentally insecure.

What Is WEP?

WEP stands for Wired Equivalent Privacy. It’s hard to think of something more secure than a direct, wired transfer of information – unless someone has access to the wire they can’t do anything to intercept the signal. So WEP’s name outlines the reason it exists – to bring the security of a wired connection to the world of wireless communication.

routers   What Is WEP Wi Fi Encryption & Why Is It Really Insecure?

If there’s no security on your wireless router, that’s a problem. Unless individual sites offer security, everything you do online can be seen by anyone close to your network curious enough to snoop on you. They don’t even need to connect to your network: you’re literally broadcasting it. Every password, every search, every naughty image downloaded – unless the sites you browse all use SSL to encrypt traffic (ie, you see “https://” in the address bar) you’re vulnerable.

WEP was designed to stop such snooping by encrypting your traffic. And it worked, for a while. WEP became a standard in 1999, but by 2001 it was completely solved – anyone could crack a WEP network and watch what happens on it, quickly. This also allows unauthorized people to connect to your network, giving them access to any shared files and more, depending on their skill.

Why Does WEP Suck?

This 2001 paper, by Nikita Borisov, Ian Goldberg, and David Wagner of UC Berkeley, outlines the failings of WEP nicely. Read it if you want a full explanation of WEP’s shortcomings.

wpa bad jump   What Is WEP Wi Fi Encryption & Why Is It Really Insecure?

It’s a hard flaw to boil down without jargon, but I’m going to try. A standard network encrypted by WEP uses two keys to encrypt every bit of information sent. The first is your password, which is set up on the router and typed by users like you who’d like to connect to the network. The second key used to encrypt all information is a randomly generated one, called an IV.

Again, I’m simplifying here. If you can explain better, please do so in the comments below.

Assuming every IV key is completely different than every other IV key there is no problem. But you can’t assume that, because WEP uses such short IV keys there are only around 16 million possible ones. IV keys are so short that there isn’t enough of them to go around. Because of the sheer volume of information transferred it’s inevitable that there will eventually be a repeat. And once a repeat happens its easy to figure out what the message being transferred is – and from there to figure out what every bit of information being transferred is, regardless of IV key. You have the password, giving you full access.

key found   What Is WEP Wi Fi Encryption & Why Is It Really Insecure?

There are many different ways to hack a WEP network at this point, but most of them boil down to this in some way. Again, read this paper if you want more specifics.

What To Use Instead?

When it became obvious WEP was fundamentally flawed another protocol was created to replace it – WPA. But even that was intended to be temporary, and is also vulnerable in some ways. That’s why it’s recommended that you secure your network using WPA2 today. It’s not foolproof, but with a secure password your Internet traffic over WPA2 is as secure as possible.

Curious just how secure you are? Read James’ piece on how easy it is to crack a WiFi network, which outlines flaws in WPA2 and provides tips for further security.

If your router doesn’t support WPA2 it’s seriously time to replace it. If that’s not an option right now, Christian outlined how to secure your wireless network in the short term by assigning it an aggressive name. It’s not a long-term solution but it’s better than nothing.

Do you have any other security tips? Share them in the comments below, because I always value a conversation.

Image Credit: via Shutterstock

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

10 Comments -

0 votes

Florin Ardelian

I’m sorry, but the idea of attempting to name your wireless to prevent hackers is just plain silly. It’s the same as using the door with the lock which can be opened by credit cards (and everyone recognizes the lock by just looking at your door), while taping a paper with “Police station” written in Comic Sans on said door.

That kind of advice is very dangerous, because there will always be those who will take it seriously and they will gain a false sense of security. Whoever has enough knowledge to use a WEP cracking tool is not fooled by a network named “IWillHackU” and no matter how clearly you explain it to people, there will always be some who will just not get it.

0 votes

Justin Pot

Like I said: it’s seriously time to replace your router. Do that.

0 votes

Rigoberto Garcia

Great article Justin. Thanks…

0 votes

Bilal

I use WPA2 with 15 characters, is it safe or should I use more characters?

0 votes

Alberto Lerma

As long as your password isn’t a word or something like: “AAAAAAAAAAAAAAA” I think you’re ok but you’ll never be 100% secure, for example: Most routers contain something called WPS (sometimes there’s a button on the front). WPS makes life easier by allowing you to connect devices without the lenghty password. But it create a big security hole as WPS is hackable with some tools like Reaver in 4 hours.

So, if your router let you, deactivate it (it might require some advance knowledge and in many routers it can’t be done) ASAP.

5 votes

Mihovil Pletikos

or better install open-wrt or something similar….

0 votes

Alberto Lerma

Yes good point, totally forgot about it. 1 like for you.

0 votes

Prajjwal Rao

thanks now i understand everything… the hassle i went through before was bad…. now its clear… thanks really!

0 votes

Keith Swartz

Great article! It is definitely about a subject, SECURITY, we should all be concerned about. Thank-you for shining a light upon it.

0 votes

Ron Lister

Security is good, I see Muo has a some other articles on the subject I’ll be readingthose as well. Thanks for the article Justin. Even now that card companies are more strict on security you still here about the crooks sucking up creditcard data even from places like parkinggarages. I just think no mater what secure means we come up there is a crook who will find a way to beat it. wish there was a way to detect the intrusion.