18

I was studying the Wi-Fi security section for a pentesting certification the other day and there is an extensive part about cracking WEP. Is going in-depth on WEP cracking worth it anymore?

According to this statistic: https://wigle.net/stats# about 7% of Wi-Fi networks still use WEP for encryption today. It's not a lot, but at the same time it is a lot considering that WEP was deprecated in 2004.

Thoughts?

Tudor
  • 309
  • 2
  • 8

3 Answers

32

Unfortunately, WEP is still present in the world. There are legacy systems and devices in certain environments that can only do WEP, plus a number of networks that have no one interested and/or knowledgeable enough to update. Like many advances in technology, phasing out the older technology takes time. Look at IPv4 vs. IPv6 after 20ish years and tell me which is still predominant.

That being said, WEP is no longer viable in modern 802.11 networking. Not only is WEP not viable in modern 802.11 networking, neither is TKIP (which was initially used as part of WPA certification). Since the release of the 802.11n amendment to the standard, the use of either requires that devices disable the use of HT or VHT data rates.

In other words, the use of WEP or TKIP causes a modern 802.11 network (i.e. 802.11n or newer) to function little better than an 802.11a/g network. While you do pick up some of the advantages of newer standards, the performance (which is the typical driving force for people to upgrade) is negated.

But all that aside, I have to point out that Wigle's stats are a bit "flawed" unless you actually understand what it is you are really viewing. Wigle is a large, user-collected database of information. However, as far as I know, they do not age out old data for a number of reasons (for instance, just because someone hasn't recorded updated information on a network doesn't mean it isn't still present).

So what you have is a large number of networks present in their data that are not present in the real world. If you check many of the WEP entries, they will not have been updated in 5 or more years. Many of these are likely gone or replaced.

In the graph on the Wigle statistics page, they are simply showing the percentage of their database entries that are using the respective technologies. They are not showing the actual technologies deployed in the real world at present. The shown decline of WEP is largely due to new networks being added to the database that are not using WEP, rather than WEP networks being removed from the database. Pulling from the Wigle.net API, these stats may present a more accurate picture of the decline of WEP:

All Entries
-------------------
464,429,878 (Total)
 31,800,699 (WEP)
---WEP: 6.85%---

Updated since 2014
-------------------
343,970,477 (Total)
  8,550,789 (WEP)
---WEP: 2.49%---

Updated since 2016
-------------------
233,996,263 (Total)
  4,374,629 (WEP)
---WEP: 1.87%---

Updated since 2017
-------------------
158,548,717 (Total)
  2,707,548 (WEP)
---WEP: 1.71%---

As you can see, while WEP is still certainly present, the real world statistics of WEP being in the wild is much lower than the 6-7% number to which you were referring.

YLearn
  • 3,967
  • 1
  • 17
  • 34
  • 1
    old wii consoles can only connect to WEP security routers – Tschallacka Aug 07 '18 at 15:13
  • @Tschallacka, I have a US first gen Wii that connects just fine to WPA or WPA2-AES with a PSK. Only issue I am aware of with early Wii consoles is that they need the low data rates enabled (1 and/or 2 Mbps) or they will not be able to connect, even though they are 802.11g devices. Even if there are some models that only support WEP, many users of Nintendo consoles replaced their Wii with a Wii U, as it can still run most of the Wii games (clear exceptions would be games with accessories that utilized the GameCube ports). – YLearn Aug 07 '18 at 18:02
  • 7
    I saw a recent discussion about presenting WEP as unsecured and connecting to it without ever prompting because it could be cracked faster than the password keyed in. – Joshua Aug 07 '18 at 18:32
  • @Joshua Now *that*'s a nice idea, and it might even persuade some more people to see it be completely ignored. – Deduplicator Aug 07 '18 at 20:53
  • 1
    Once I worked at a retailer of portable handheld scanners, and some models only work with WEP. – Azteca Aug 08 '18 at 22:32
  • "I saw a recent discussion about presenting WEP as unsecured and connecting to it without ever prompting because it could be cracked faster than the password keyed in." That sounds like a recipe for getting yourself and/or your users into legal trouble. – Peter Green Sep 12 '18 at 17:20
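The date-windowed Wigle counts in YLearn's answer above are cumulative ("updated since 2014" includes everything updated since 2016 and 2017). The following is an added example, not part of the original answer: it differences those windows into non-overlapping cohorts to show how much of the headline WEP share comes from stale entries. It assumes the windows are strictly nested and uses only the figures quoted in the answer.

```python
# Counts quoted in the answer above (Wigle.net figures as posted in 2018).
# Each window is cumulative: "since Y" also contains every later window.
WINDOWS = [
    ("all entries", 464_429_878, 31_800_699),
    ("since 2014", 343_970_477, 8_550_789),
    ("since 2016", 233_996_263, 4_374_629),
    ("since 2017", 158_548_717, 2_707_548),
]


def wep_share(total, wep):
    """Percentage of entries using WEP, rounded to two decimals."""
    return round(100.0 * wep / total, 2)


def disjoint_cohorts(windows):
    """Difference consecutive cumulative windows into non-overlapping cohorts.

    Returns (label, total, wep, share_percent) tuples, stalest cohort first.
    Raises ValueError if the windows are not nested (assumption of this example).
    """
    cohorts = []
    for (label, total, wep), (nxt, nxt_total, nxt_wep) in zip(windows, windows[1:]):
        c_total, c_wep = total - nxt_total, wep - nxt_wep
        if c_total <= 0 or c_wep < 0 or c_wep > c_total:
            raise ValueError(f"windows not nested: {label!r} vs {nxt!r}")
        cohorts.append((f"{label} but not {nxt}", c_total, c_wep,
                        wep_share(c_total, c_wep)))
    # The newest window has nothing to subtract; it is already a cohort.
    label, total, wep = windows[-1]
    cohorts.append((label, total, wep, wep_share(total, wep)))
    return cohorts


if __name__ == "__main__":
    for label, total, wep, share in disjoint_cohorts(WINDOWS):
        print(f"{label:34s} {total:>12,d} {wep:>11,d} {share:6.2f}%")
```

Entries not updated since 2014 come out at roughly 19% WEP, against under 4% for every more recent cohort, which is why the undated database percentage overstates current deployment.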
6

I have been studying WEP as a project in school (great examples of what one should not do in crypto!). When I took a look at usage stats, it was 8% (if you think about the 45% back in 2010). Even if it seems low, I think it took way too long and I still see some Wi-Fi set to WEP (in France).

In my opinion, it shouldn't be an option anymore, even for backward compatibility. It took way too long to deprecate it, given the fact the first automated attack was published in 2001.

Faulst
  • 368
  • 2
  • 5
  • 5
    Network-level protocols take a long time to deprecate because hardware moves slow. It takes a long time to move through the lifecycle of physical network devices - especially consumer hardware. Some businesses still use PPTP for VPN, and that's been broken for ages as well. Protocols don't suddenly stop working when the security is broken, and users don't care that much about security until they're hit by a high-impact event. – nbering Aug 06 '18 at 18:18
  • 2
    @nbering, consumer hardware in many cases changes faster than business hardware. People tend to like buying the best/latest/fastest product on the market. I find industrial/environmental/systems control types of machines/hardware/tools tend to be more locked into time. If a business pays X million for that machine (series) or control system, they aren't likely to rip it out and replace it because it only supports WEP. They are more likely to support WEP for the next 20 years until the manufacturing line is next replaced. – YLearn Aug 07 '18 at 00:49
3

WEP has been broken for a long time, but upgrading from WEP to WPA2 implies delivering new hardware for each Access Point, client device, repeaters, etc. It's a huge investment to do at once, so compatible devices are available (actually, they're still being made; every smartphone I know is capable of connecting to WEP networks), and that's a cycle: there is no need to migrate from WEP to WPA2 right now because compatible devices exist, and there is no need to change all the devices because compatibility is still there.

Given that, while the impact of exploiting WEP may be high and the attack is pretty simple and known, the likelihood of the attack is not as much as it seems. An attacker needs to be physically in the same place as the vulnerable AP and close enough to actually be able to send packets in a reliable way. And sadly this kind of risk tends to be ignored.

Mr. E
  • 1,954
  • 9
  • 18
  • WPA is 14 years old, and as of Aug 2018, cracking WEP is now 17 years old. I think this might have been a good answer 10 years ago, but today there's no excuse for running 14 year old hardware that doesn't support WPA. – Steve Sether Aug 23 '18 at 19:59
  • @SteveSether If you have a better answer that explains why WEP is still used I'd be glad to read it, but just saying that my answer is not good just because WEP "is old" is not a good point. – Mr. E Aug 25 '18 at 03:42