2Wire's Weakened WEP

  • By Brad Conte, July 25, 2007
  • Post Categories: Security
It's a well established fact by now that the security a 64-bit WEP encryption offers a WiFi network is small, in the same sense that the Pacific Ocean is big. This is especially true as of late as recent months have unveiled multiple attacks against WEP that, figuratively, kicked it while it was down, making the popular personal network encryption scheme even more trivially broken by hackers. Various network configurations, network protocol flaws, and mathematical breakthroughs have chipped away at the effectiveness of WEP encryption to the point where it can reasonably be broken within 20 minutes by a skilled attacker.

However, while everyone is out looking for ways to use replay attacks and better mathematical algorithms to break WEP faster, I happened to note that router manufacturer 2WIRE is making on its own odd effort at rendering WEP less effective.

It's becoming a more standard practice these days for ISPs to enable WEP by default when they install a wireless router for a new Internet customer. And what with the popularity of wardriving and P2P file-sharing lawsuits you can't blame them. WEP isn't the most secure wireless encryption solution but it's the easiest one and it makes the ISPs look like they're doing something. But for as insecure as WEP is by nature, 2WIRE does something that compromises the effectiveness of WEP on their wireless routers in a new way.

When the SBC Yahoo! ISP hooks up a customer's Internet service the customer is provided with a 2WIRE wireless router with 64-bit WEP turned on by default and an SSID that starts with "2WIRE". On the outside of the physical router there's a white label with the router's default WEP key printed on it for the convenience of the customer (and tech support). However, 2WIRE makes a crucial flaw with both the default WEP keys and all WEP keys generated by the router. If you're used to dealing with WEP keys, one quick look at just a couple of default WEP keys for 2WIRE routers should tell you there's something wrong.

The keys have no letters. Just numbers. All 2WIRE WEP keys are composed purely of numbers.

This means that every character in the WEP key uses just 10 of its potential 16 values. If you aren't convinced of how significant that is, then let's see how large the actual keyspace (namely, the effective strength) of a 64-bit WEP key is if you exclude the "letter range" from the hexadecimal key. We're only going to examine the brute-force aspects of this.

(Note: The following will assume familiarity with binary and hexadecimal.)

Start with the full 64 bits of the WEP key (as 2WIRE uses 64-bit, rather than 128-bit, WEP by default). The first 24 bits of the key are merely the IV, which is not an effective part of the key. This was originally done in accordance with the US government's cryptography export regulations which at the time prohibited the export of encryption technology stronger than 40 bits, so this isn't 2WIRE's fault. Thus, by definition, 64-bit WEP only has 40 bits of actual effective keyspace. (Hence the reason 64-bit WEP is often referred to as 40-bit WEP.)

If the entire 40 bit range of keyspace were used, the key would still be relatively small. 40 bits is nothing by todays standards -- no one uses anything less than 128 bits if they're serious about the security of their encrypted data. But 2Wire chips away at even those 40 bits.

The remaining 40 bits are the equivalent of 5 bytes. Each byte is represented by two hexadecimal characters (each hexadecimal character representing four bits of the byte). These 10 hexadecimal characters will compose the final human-readable WEP key. Each hexadecimal character has a range of 16 values (because it is 4 bits in length). However, by restricting a WEP key to be composed of only numbers, each character only has a range of 10 possible values. It only takes log_2 (10) = 3.322 bits to have 10 possible values in binary, thus we only have 3.322 effective bits of key.

Now instead of having 10 * 4 = 40 bits of keyspace, we are left with 10 * 3.322 = 33.22 bits of keyspace. This 17.5% reduction of effective keyspace may not seem that critical, but remember that each bit of keyspace doubles the strength of the key. This is because the strength of the key is expressed as the number of combinations that would be required to successfully guess the key based on its length and value restrictions.

With forty bits of keyspace, we have 2^40 = 1,099,511,627,776 possible combinations. This isn't large in the world of cryptography, but it's annoying enough that likely no one would want to spend a couple weeks breaking it on their computer -- not if the payoff was simply access to a personal network. However, contrast that number of combination with the number of combinations we get from just 33.22 bits of keyspace, namely, 2^33.22 = 10,004,985,324 possible combinations.

Yes, those are both big numbers, but count the commas in them and note that the first is over 100 times larger than the second. Now, assume that a hypothetical attacker wants to launch a brute force attack against a key of 40 bits and a key of 33.22 bits. Further assume that his computer can make 500,000 attempts per second, which is not unreasonable for a home computer. (Remember, if if the attacker has a weak laptop on site he may still have a powerful desktop he can use remotely to do his hard work.) So the hypothetical attacker captures a few encrypted packets from your network then goes to work brute forcing them.

With his assumed computing speed, it would take 25.5 days to brute force the 40 bit key, but only 5.6 hours to brute force the 33.22 bit key. And those are the worst-case scenarios, note that we are assuming that the correct key is the very last one the attacker guesses. Statistically the attacker has a 50% chance of guessing correctly half way through.

Now is that 40 - 33.22 = 6.78 bits of difference in keyspace looking more important? An attacker started needing to devote nearly a full uninterrupted month of computer processing time to the attack and has downgraded to just needing to leave his computer working while he goes out to a movie.

In summary:
  • 2WIRE made a decision to only use numerals in their customers' default 64-bit WEP network setup.
  • In doing so, the necessary time for launching a brute force attack against such a network is decreased from about 3.6 weeks to about 5.5 hours.
  • These networks are easily identifiable via a default SSID that starts with "2WIRE".
  • Despite the advantages this compromise of keyspace gives the attacker, there are still many faster (but more complicated) ways to break a WEP network.
In conclusion, allow me to compare this new ways we now have of attacking a 2WIRE WEP network with the traditional way that works against all WEP networks.

The traditional way:
  • is faster (20 minutes possible break times)
  • requires active attack (attacker must collect packets for a long time)
  • requires more specific hardware/firmware (requires injection mode)
  • is more complicated / less reliable
The 2WIRE-specific brute force way:
  • is longer
  • does not require active attacks, a few packets can be saved and attacked later
  • requires less specific hardware/firmware (only monitor mode required, this is very standard)
There's no question about it, 2WIRE WEP is significantly worse than standard WEP.

However, I would speculate that it's unlikely that this weakness will turn out to be of much, if any, consequence. The thing is, for as bad as 2WIRE WEP is, WEP's inherent weaknesses are worse. Serious attackers will have better ways to get into encrypted networks, so they're unlikely to care about this. The people that would be best off using this tool would be the less-serious attackers, but there exist no automated tools (yet) for launching this specific attack -- and odds are probably decent that there never will exist them. This flaw is too specific and overshadowed by too many greater flaws to receive much attention. Writing the tool, though, would be trivial -- the aircrack-ng suite already contains all the necessary functionality.

This kind of security bungle would make any security engineer cringe. Such a poor configuration would never fly (I hope) at the U.S. DoD or the NSA, but I don't think it impacts Joe Schmoe that much.

SBC Yahoo!/2WIRE got off easy with this poor decision because the serious weakness they introduced was none weaker than weaknesses that already existed. They definitely dodged the bullet on this one. However, had WEP not been so critically broken before 2WIRE's mistake came on the scene, I guarantee that much more attention would've been focused on their flaw.

Finally, 2WIRE's decision to only use numbers in WEP keys itself is somewhat puzzling. I don't know if all 2WIRE routers are this way or if SBC Yahoo! made a deal with 2WIRE for this functionality in order to ease up on tech support calls. Regardless, my guess is that it was a tech support problem having to do with letters being in the keys. Average consumers probably naturally associated security codes with numbers and were getting confused to find letters amist their WEP keys.

And in the end, that's the heart of security, tradeoffs. Some are good, some are bad. Depending on the resources SBC Yahoo!/2WIRE saves because of the decision, it may even be worth it. I just know they got lucky.

Another interesting factoid for the archives of 802.11 wireless security.