Is there a way to make a WEP-secured AP uncrackable?

Question

For some days, I was feeling that my Internet bill was booming. Then, I recently found out that a boy near my house was accessing my router to use the Internet. Then, I read some articles how to crack WEP security and found that it is way too easy to crack WEP.

So I was looking for some ways to increase the security of an AP using the WEP protocol. But I didn't find anything. My router does not support WPA/WPA2. So how can I make my router more secure, I mean uncrackable?

Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/30411/discussion-on-question-by-snake-eyes-is-there-a-way-to-make-a-wep-secured-ap-unc). — Rory Alsop, Oct 18 '15 at 17:16

Vilican · Answer 1 · 2015-07-05T16:07:56.920

82

There is no method to make WEP uncrackable, or at least secure. So I suggest buying a new router that suports WPA2.

edited Jul 05 '15 at 16:07

answered Jul 05 '15 at 12:47

Vilican

2,703
8
21
35

28

@Shivam sorry to tell you, but it is the correct answer... It is not possible to make WEP secure. I recommend you upgrade to a device that can support a secure protocol. – AviD Jul 05 '15 at 13:03
3

Indeed. Anyone that can see a WEP signal can crack it a few minutes (I know this for a fact, as I'm a White Hat Hacker). – Jul 05 '15 at 16:54
7

@danielAzuelos No serious AP manufacturer would even *think* about using the term "802.11i" in response to a question from a consumer. WPA2 is a standard term, and encompasses more than 802.11i (specifically, it means that a device was tested and certified to implement 802.11i's requirements in a way which is compatible with other devices). Furthermore, when discussing the various generations of security protocols, talking about WEP, 802.11i draft, and 802.11i final is not really something people do; in contrast, WEP, WPA, and WPA2 are a nicely parallel set of terms. – cpast Jul 06 '15 at 01:04
2

@daniel Also, so far as I know, WPA-AES (which isn't required on WPA gear, but which is allowed) is actually reasonably secure. If you have sources that say otherwise, I'd be interested in seeing them -- the attacks I've seen were all attacks on TKIP, but didn't apply to WPA-AES. – cpast Jul 06 '15 at 01:09
3

@danielAzuelos Wi-Fi is a commercial term, I should expect wireless access point builders to speak of 802.11a/b/g/n, which are the IEEE standard for networking over radio. – Aron Jul 06 '15 at 02:28
→ cpast: WEP, WPA & WPA2 are "a nicely parallel set of terms" right: commercial ones. Unfortunatly ase you noticed they are a hidding multiple security tuning a normal user and many network admins don't fully understand. And here "multiple" is just a polite term. I should say they hide opposite approachs in terms of security. – dan Jul 06 '15 at 06:16
3

@danielAzuelos Do you really expect the asker, who just discovered that WEP is insecure and who doesn't have a router that supports WPA2, to understand what you said? This answer is worded appropriately for the asker's knowledge level. Calling it "WPA2" is sufficient for helping the asker understand what they need to do. An answer that can be understood (even if a little incompletely) is by *far* superior to one full of so much jargon it answers nothing. – jpmc26 Jul 07 '15 at 01:00

score 40 · Accepted Answer · edited Jul 07 '15 at 17:30

There is really only one solution to your problem. I do note however that you're not interested in upgrading your router, so I will talk a little about that.

Remember that by not upgrading your router, you are only delaying the inevitable.

What will work long enough for you to get a new router:

PULL THE PLUG

This is honestly the best solution until you get a new router.

Or TURN OFF THE WI-FI

You can probably do this from the administration panel of your router, if not, remove the antennas from the physical device and go Ethernet-only. If that is not possible, unplug.

Or CHANGE YOUR WEP PASSWORD and TURN ON MAC ADDRESS FILTERING

If your router supports it, you can define a MAC address filter to either whitelist or blacklist devices accessing the accesspoint. To do this, you will have to log into the administration panel of your router and enable MAC address filtering. (Check your manual on how to do this). What kind of filter you can enable depends on your router. If it's a whitelist, you will have to find the MAC addresses of all your devices, and add them to the list. This way only the devices added to the list will be able to connect to the Internet. If it's a blacklist, you will have to find the MAC address of your neighbour, and add that to the blacklist. This way, all other MAC addresses are allowed access, but not the addresses in the blacklist.

Why this won't work in the long run:

MAC address filtering is fairly simple for someone to who's a bit tech savvy to avoid. There are multiple tutorials on the subject, and it's really as simple as running a few terminal commands. Since your neigbour has already cracked your WEP key, chance is, he has enough skills to google how to spoof a MAC address.

This way, the neighbour can "pretend" to be you, by authenticating with the router using your computers MAC address.

Changing the password won't last for long, because of how WEP works. An attacker only need to listen to your network for a short period of time, to be able to extract your password. You can read more about it on Wikipedia.

And at last, since you've been breached, anything you have connected to your access point could in theory be infected now. Not only could the hacker have changed your DNS settings, started logging network activity, etc., he could also now be in the possession of all your files, pictures, passwords, credit-card information, etc. To be honest, all of your devices (if not already hacked) are in great danger of getting breached any second.

What you have to do:

Get a new router. Seriously. WEP was deprecated in 2004 and has been deemed insecure for a long long time. As you noted yourself, there are a lot of information on how to crack WEP keys online, and it's (almost) as simple as running a terminal command. Anyone can do it. Remember that in most countries, you are liable for what passes through your network. So if an adversary downloads torrents, children pornography or bomb schematics, you will be held liable. Is prison better than spending US$20 on a new router?

MAC address filters are snake oil and at the very best security by obscurity. You point this out, still I wouldn't suggest it. — user10008, Jul 05 '15 at 16:55
It will stop a casual attacker, i think you should use whitelist only. So the attacker must first find a MAC that is allowed to connect to spoof it. And this would make the real device disconnect from internet, so you would know — Freedo, Jul 05 '15 at 22:57
@Freedom It will not stop an attacker who knows how to crack WEP passwords, so is effectively useless. — Xander, Jul 05 '15 at 23:10
You don't understand. The attacker can crack the passwords, but their connection will be refused because their MAC is not in the allowed list. And i doubt that finding a MAC that will be accepted to spoof is fast. — Freedo, Jul 05 '15 at 23:19
@Freedom chances are the person doesn't need to find a MAC address: they already have them - they were connected to this person's network, and could find plenty of valid MAC addresses during this time - and changing the MAC address of all the devices may not even be possible depending on the device. — user2813274, Jul 05 '15 at 23:38
@Freedom Obtaining a whitelisted mac address is trivial, see: http://blog.techorganic.com/2010/12/21/bypassing-mac-filters-on-wifi-networks/ (Note the date of the article.) — Phizes, Jul 06 '15 at 02:02
Switching to WPA2 is the correct answer, as many have already pointed out. However, there are cases where old but still perfectly functional hardware (i.e., LaserJet EIO Wifi adapters and some older scanners) only support WEP, and in this case I think using MAC address filtering is perfectly acceptable; however, I would recommend putting the WEP devices in a DMZ. — Parker, Jul 06 '15 at 23:04
MAC address filtering or hidden SSIDs won't do anything because anyone savvy enough to crack your WEP password can continue using the wifi with your MAC but more importantly still see all *your* traffic. It worries me that this answer has been accepted because suggesting that there is any alternative to upgrading/replacing the router to use WPA2 has given the OP a false sense of security. — JamesRyan, Jul 07 '15 at 10:45
@vallismortis thats fine if you don't mind anyone in the vicinity being able to read all your documents. Concentrating on access to the network, it is easy to forget the identity theft potential of simply watching your existing traffic. — JamesRyan, Jul 07 '15 at 10:46
@JamesRyan I will try to rephrase my answer to better suggest that a new router is the only real option. — Mrtn, Jul 07 '15 at 10:49
I wonder how this question got so many up votes. It is ineffective and a dangerous choice. — , Aug 01 '15 at 22:35

KDEx · Answer 3 · 2015-07-05T15:40:52.710

No. You cannot make WEP uncrackable, but there are some things you may be able to do to help the problem until you get a new router.

Modify the signal strength. Take off one (or more) antennas from your router (if you have a small apartment). Move your router to the center of your home. These steps may make it more difficult for a neighbor to get a decent signal strength from their location, and give up.

Use a captive portal. Adding another step of authentication to the process with a more secure password may help. However, if the attacker is savvy enough they can likely bypass this. There are some resources for this.

Get a new router. The only real solution here is to buy a new router. Not only is your internet bill high as a result of this, but the attacker can view everything you do when you are on the internet, and plant malware on your network. They have the ability to do some really nasty things. WEP only takes seconds to minutes to crack. You should just eat the cost and upgrade to a new router.

There is an extra option: force the use of a VPN. Only practical if you already run one and all your devices have a client for it of course. For a time I had my AP entirely open but on a separate leg and set my router to allow nothing but OpenVPN to/from a specific local address via that interface, and my laptop & androids connected to my LAN via OpenVPN just like they did when off-site. No I have a Widnows Phone device this no longer works (no OpenVPN client) so I've changed things. — David Spillett, Jul 07 '15 at 15:32

score 9 · Answer 4 · answered Jul 05 '15 at 16:17

9

WEP has fundamental design flaws preventing it from ever being secure. This means that in order to get a secure network you either have to replace WEP with something secure (WPA2) or enforce security at a higher level in the protocol stack.

Security at a higher level in the protocol stack means you don't allow your AP to get access to the internet. Instead you allow your AP to connect to a server on your LAN and use a secure protocol between WiFi clients and that server. That secure protocol could be a VPN protocol or SSH with port forwarding (the builtin socks proxy work quite nicely).

Of those two approaches upgrading to WPA2 is clearly the simplest to implement. WPA2 is not flawless either, but you can get decent security if you use a unique SSID and a strong password.

answered Jul 05 '15 at 16:17

kasperd

5,402
1
19
38

Setting up security on OSI level 7 arguably will cost more than buying a WPA2 capable router. – Aron Jul 06 '15 at 02:49
1

@Aron: On the flip side, connecting to the Internet through even a 100% unbreakable wireless link would only guard information until the point where it gets handed off to the ISP. Using socket-level security could protect information all the way to the destination. – supercat Jul 06 '15 at 15:28
@Aron I don't even know if OSI protocols can run over WiFi. I only use IP. – kasperd Jul 06 '15 at 16:46
OSI Level 7 includes Http. TCP/IP is OSI Level 4. Wifi is OSI Level 1. – Aron Jul 06 '15 at 17:09
@Aron No, those are not [OSI protocols](https://en.wikipedia.org/wiki/OSI_protocols). Besides your numbering doesn't make sense because HTTP operates directly on top of TCP, there is no layer between them. Moreover there is no layer called TCP/IP because TCP and IP are two separate layers. – kasperd Jul 06 '15 at 17:17
@kasperd I never used the term OSI Protocol. I was referring to the OSI model. WPA would operate on the Data Link (OSI level 2). A captive portal would/proxy/vpn would be on the Application level (or OSI level 7), which (consumer level) routers typically do not participate in. – Aron Jul 06 '15 at 17:21
@Aron IP doesn't follow the OSI model. – kasperd Jul 06 '15 at 17:24
@kasperd sigh. The OSI model isn't something you follow. Its a nice way to describe the various stacks of technology typically used in a data link/network. In this case we would have Ether/WiFi/IP/TCP/HTTP. – Aron Jul 06 '15 at 17:26
@Aron OSI is an actual set of protocols that never became widely used. It is not a nice way to describe the IP protocols because the protocol layers in IP and OSI are too different. They don't even have the same number of layers. Layers in the IP stack have names not numbers, which makes a lot more sense when some of the layers are optional and some of the layers can be used more than once in the stack. – kasperd Jul 06 '15 at 17:34
@kasperd Look up the OSI MODEL and not the protocols. – Aron Jul 06 '15 at 17:38
@Aron So? Somebody have shoehorned IP protocol names into a model describing an entirely different protocol suite. It is not an accurate description of how IP protocols work. Using the **names** you can describe what is actually going on, which might very well be HTTP over TCP over IP over IPsec over UDP over IP over PPP over Ethernet. If you describe that with OSI numbering it becomes what? Layer 7 over Layer 4 over Layer 3 over Layer 6 over Layer 4 over Layer 3 over Layer 2 over Layer 2? – kasperd Jul 06 '15 at 17:54
@kasperd that somebody was ISO – Aron Jul 06 '15 at 17:57
@kasperd Even though I see your point (that the protocol stack we use is best described with TCP/IP model) and I agree with it, I feel the need to inform you the OSI model *also* has named layers. – milleniumbug Jul 06 '15 at 18:14

Adam Davis · Answer 5 · 2015-07-08T12:07:48.267

2

If you can automate the changing of the WEP password across your network and do so with a new password every 5 minutes, your network will be fairly well protected against casual attackers. It will not be uncrackable though.

If you change your network password every 3 seconds, though, it will be uncrackable, as the fastest crackers still require several thousand packets of data collection, and then several seconds on a modern processor to extract the key from the data.

You can make your WEP network uncrackable.

Is this easier than switching to WPA? Probably not. In fact, most of the reasons to stay with WEP (such as supporting older devices) also preclude frequent password changes. If that's the reason to stay with WEP, then you should reconsider your network configuration - but that's a different question.

edited Jul 08 '15 at 12:07

answered Jul 07 '15 at 18:51

Adam Davis

1,071
7
11

Here's some of the latest data on WEP cracking speed: http://www.techworld.com/news/security/researchers-crack-wep-wifi-security-in-record-time-8456/ it also goes into a few solutions which make WEP more difficult to crack, but ultimately one should migrate from WEP rather than adding bandaids. – Adam Davis Jul 07 '15 at 19:28
The PTW attack only requires thousands to tens of thousands of packets, except for the occasional "hard key" that requires hundreds of thousands. – Mark Jul 07 '15 at 22:31

pri · Answer 6 · 2015-07-06T04:24:48.543

0

First of all, nothing is uncrackable. You can certainly make your passwords more difficult to crack, use better algorithms, but nothing would be uncrackable.
You can upgrade your router which supports WPA/WPA2.
If your router firmware supports, you can also track the MAC-ID being used by the boy, and add it to black list. But again, it is easy to change the MAC-ID of a device, so you might want to keep an eye on the MAC-IDs being used.
Even better, you can make a note of MAC-IDs of your devices and add it to your white list, so that only those MAC-IDs are allowed on your router.
Also, try checking for router's firmware updates.

edited Jul 06 '15 at 04:24

answered Jul 05 '15 at 12:48

pri

4,438
24
31

1

I have read somewhere that the MAC address can be changed easily, then what good would blacklisting do? – Snake Eyes Jul 05 '15 at 12:50
1

It can slow down the kid (on average 30 seconds :) – Vilican Jul 05 '15 at 12:51
I know, and I mentioned it in my answer. It'll just provide an additional layer of security. Anyway, edited my answer, have a look. – pri Jul 05 '15 at 12:52
3

I expected that answer "to make a white-list" but as mentioned earlier it is very easy to spoof MAC address! – Snake Eyes Jul 05 '15 at 12:53
5

If you're that much concerned, you'll have to get a new router which supports WPA/WPA2, and remember to set a long password, preferably not including dictionary words. All the 'password-rules' apply here as well. :) – pri Jul 05 '15 at 12:55
2

I expected a cheaper method. Buying a router is the last resort. – Snake Eyes Jul 05 '15 at 13:00
6

Check for router's firmware updates. – pri Jul 05 '15 at 13:01
1

"In your case, you can try setting a longer password, so that it becomes more difficult to crack." That will not help - the attacks are so easy that even a password with full strenght (104 bit) can be cracked in minutes. – sleske Jul 05 '15 at 17:33
The flaws in WEP mean that password length is irrelevant. – Mark Jul 06 '15 at 03:27
A nice list of what not to do. MAC filtering is easily spoof providing no effective security. There is no increasing the password length. WEP uses fixed length passwords either 5 or 13 chars. The problem is WEP is fundamentally broken. Even with a totally random 13 char (128 bit) key it can be brute forced in <2 minutes by a script kiddie using aircrack-ng. WEP can't be secured. Sometimes the correct answer is just "you need to purchase a secure router". – Gerald Davis Jul 06 '15 at 04:25

Konrad Gajewski · Answer 7 · 2018-11-05T17:01:37.750

-1

Provided, you want to stick with the router you have, you can:

Since it takes time to actually crack WEP since one has to collect enough IV packets, it makes sense to change the password on a regular basis. You can also automate the process.
Go for MAC filtering. This will make things a little bit more complicated for the attacker.
Go for the longest WEP key possible (64 bit is way too little).
Set up PPPoE, and enable connection to the Internet through this method only. This would solve the problem, but I doubt if you have the necessary means to implement it. Then again, I might be wrong.
This is a bit crazy, but one might start sending false IVs to confuse the cracking software used by the attacker. I have no idea how to do it, so this is just a thought.

Also: WPA is really only implemented over old hardware - maybe firmware update is available enabling WPA-TKIP?

edited Nov 05 '18 at 17:01

answered Jul 05 '15 at 15:15

Konrad Gajewski

593
5
16

Would it be possible to change the password every couple of seconds? Distributing the new password via TLS over the WEP wifi AP to the machines that are allowed to have it. Perhaps rotate MAC addresses and MAC whitelist as well. Administration becomes a burden, your legitimate machine require special software to connect via the AP, and the AP's throughput and latency might also be negatively affected. – Kasper van den Berg Jul 05 '15 at 19:06
2

@Kasper, isn't such automatic password change already called "WPA-TKIP"? – user1686 Jul 05 '15 at 22:09
@grawity Yup. But its also considered insecure. WEP is so insecure its laughable, you might as well use an Enigma machine. – Aron Jul 06 '15 at 02:34
1

The question is about improving WEP. EVERYBODY knows WPA is better. @KaspervandenBerg each change would require an association, so it is not practical. – Konrad Gajewski Jul 06 '15 at 15:55

score -5 · Answer 8 · edited Jul 07 '15 at 17:28

-5

Just restrict the MAC address access to the router and then hide the network SSID so that a casual attacker doesn't know it is there in the first place.

And, obviously, as soon as you can, replace your router.

edited Jul 07 '15 at 17:28

Peter Mortensen

877
5
10

answered Jul 06 '15 at 11:07

Anthony B. Earles

1

6

Against an attacker with the ability to break WEP, neither MAC filtering nor SSID hiding provides any protection. – Mark Jul 06 '15 at 21:34