What Is WEP Wi-Fi Encryption & Why Is It Really Insecure?

Ads by Google

what is wep keyIf you’ve set up a wireless network before, you’ve probably read or been told to use WPA2 instead of WEP, because WEP is bad. Why is that? And what is WEP anyway?

Good questions. WEP was the first standardized way of securing wireless networks. It encrypts your data – which is good – but doesn’t do so well enough to stop people from eavesdropping – which is bad. The main problem with WEP is that it’s been solved, meaning anyone can break into a WEP network using freely available tools.

Imagine if a particular kind of lock for a door could be opened using only a credit card – just slide the card beneath the latch, pull up and you’re in. That’s a problem, right? Anyone who knows about this weakness could open any door using this lock.

Now imagine if most people knew that this particular kind of door could be easily opened. You wouldn’t use that door to protect your house – it’s a little better than not locking your door at all, but not much because that lock has a weakness, and everyone knows what that weakness is, that lock is effectively no longer useful.

WEP has a weakness, and everyone knows what that weakness is. WEP is a little better than not securing your wireless network at all, but not much. If you use WEP anyone can crack your code in minutes and start using your WiFi – and monitoring everything you do online. This could mean kids using your wireless to download TV episodes, or it could mean criminals stealing your identity. Either way, it’s not worth it.

Cracking WEP keys isn’t quite as simple as sliding a credit card to open a a door, but it’s pretty close. Don’t believe me? Check out James’ tutorial for cracking a WEP network using Backtrack Linux. You’ll be amazed how simple the process is. There’s a reason the credit card industry banned processing payments over a WEP network – it’s fundamentally insecure.

What Is WEP?

WEP stands for Wired Equivalent Privacy. It’s hard to think of something more secure than a direct, wired transfer of information – unless someone has access to the wire they can’t do anything to intercept the signal. So WEP’s name outlines the reason it exists – to bring the security of a wired connection to the world of wireless communication.

Ads by Google

what is wep key

If there’s no security on your wireless router, that’s a problem. Unless individual sites offer security, everything you do online can be seen by anyone close to your network curious enough to snoop on you. They don’t even need to connect to your network: you’re literally broadcasting it. Every password, every search, every naughty image downloaded – unless the sites you browse all use SSL to encrypt traffic (ie, you see “https://” in the address bar) you’re vulnerable.

WEP was designed to stop such snooping by encrypting your traffic. And it worked, for a while. WEP became a standard in 1999, but by 2001 it was completely solved – anyone could crack a WEP network and watch what happens on it, quickly. This also allows unauthorized people to connect to your network, giving them access to any shared files and more, depending on their skill.

Why Does WEP Suck?

This 2001 paper, by Nikita Borisov, Ian Goldberg, and David Wagner of UC Berkeley, outlines the failings of WEP nicely. Read it if you want a full explanation of WEP’s shortcomings.

what is wep security

It’s a hard flaw to boil down without jargon, but I’m going to try. A standard network encrypted by WEP uses two keys to encrypt every bit of information sent. The first is your password, which is set up on the router and typed by users like you who’d like to connect to the network. The second key used to encrypt all information is a randomly generated one, called an IV.

Again, I’m simplifying here. If you can explain better, please do so in the comments below.

Assuming every IV key is completely different than every other IV key there is no problem. But you can’t assume that, because WEP uses such short IV keys there are only around 16 million possible ones. IV keys are so short that there isn’t enough of them to go around. Because of the sheer volume of information transferred it’s inevitable that there will eventually be a repeat. And once a repeat happens its easy to figure out what the message being transferred is – and from there to figure out what every bit of information being transferred is, regardless of IV key. You have the password, giving you full access.

what is wep key

There are many different ways to hack a WEP network at this point, but most of them boil down to this in some way. Again, read this paper if you want more specifics.

What To Use Instead?

When it became obvious WEP was fundamentally flawed another protocol was created to replace it – WPA. But even that was intended to be temporary, and is also vulnerable in some ways. That’s why it’s recommended that you secure your network using WPA2 today. It’s not foolproof, but with a secure password your Internet traffic over WPA2 is as secure as possible.

Curious just how secure you are? Read James’ piece on how easy it is to crack a WiFi network, which outlines flaws in WPA2 and provides tips for further security.

If your router doesn’t support WPA2 it’s seriously time to replace it. If that’s not an option right now, Christian outlined how to secure your wireless network in the short term by assigning it an aggressive name. It’s not a long-term solution but it’s better than nothing.

Do you have any other security tips? Share them in the comments below, because I always value a conversation.

Image Credit: via Shutterstock

Join live MakeUseOf Groups on Grouvi App Join live Groups on Grouvi
Technology Explained
Technology Explained
38 Members
Ads by Google
Comments (11)
  • anonymous

    WEP is so stupid. I went to my cousins house they have WEP and i came with my 4 year old mini laptop with kali linux and i cracked their key ( it’s very long) in under 2 minutes. i was able to connect with the key i cracked. btw i’m just 12 years old

  • Ron Lister

    Security is good, I see Muo has a some other articles on the subject I’ll be readingthose as well. Thanks for the article Justin. Even now that card companies are more strict on security you still here about the crooks sucking up creditcard data even from places like parkinggarages. I just think no mater what secure means we come up there is a crook who will find a way to beat it. wish there was a way to detect the intrusion.

  • Keith Swartz

    Great article! It is definitely about a subject, SECURITY, we should all be concerned about. Thank-you for shining a light upon it.

  • Prajjwal Rao

    thanks now i understand everything… the hassle i went through before was bad…. now its clear… thanks really!

  • Bilal

    I use WPA2 with 15 characters, is it safe or should I use more characters?

    • Alberto Lerma

      As long as your password isn’t a word or something like: “AAAAAAAAAAAAAAA” I think you’re ok but you’ll never be 100% secure, for example: Most routers contain something called WPS (sometimes there’s a button on the front). WPS makes life easier by allowing you to connect devices without the lenghty password. But it create a big security hole as WPS is hackable with some tools like Reaver in 4 hours.

      So, if your router let you, deactivate it (it might require some advance knowledge and in many routers it can’t be done) ASAP.

    • Mihovil Pletikos

      or better install open-wrt or something similar….

    • Alberto Lerma

      Yes good point, totally forgot about it. 1 like for you.

Load 10 more
Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.
Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.