Australian IT security managers today vowed they would never rely on the Wired Equivalent Privacy (WEP) protocol especially after the release of new research this week showing it can be cracked in as little as three seconds.
Security professionals said the bell has tolled for the WEP protocol which is used as a default intrusion prevention system for IEEE 802.11 WLAN Wi-Fi devices.
The troubled protocol suffered its first blow in 2001, when a flaw was revealed in the WEP protocol's RC4 key scheduling algorithm which allowed radio sniffer programs to extract and inject wireless data packets from and into the network where statistical analysers, known as WEP crackers, can recover the encryption key to unscramble the data.
However, the WEP security key required about 4 million packets to be intercepted for it to be calculated. Now security experts in Germany have claimed they can outfox the beleaguered protocol in three seconds, down on the previous best of about five minutes which kept up with changing security keys.
The experts say they can extract a 104-bit WEP key from intercepted data using a 1.7GHz Pentium M processor so much faster that it could be performed in real time by someone walking through an office
Bank of Queensland IT security manager, Grant Slender, agreed the WEP protocol is lax, and said he would not trust anything built on it.
"We don't use wireless technology and we wouldn't rely on any form of built-in encryption; we would treat it akin to an un-trusted Internet connection," Slender said.
"We wouldn't put the same applications over wireless as we would for a cable connection because the wireless security standards have been compromised.
"It's simply easier for us to consider the WEP protocol un-trusted."
Arab Bank of Australia IT security manager, Greig Walmsley, said the WEP protocol does have a place in some small networks.
"There's a lot of pluses for WiFi but the security of the WEP protocol fails it on [all counts]," Walmsley said.
"It would work sufficiently for a home network or for certain small businesses where confidentiality is not a big issue.
"Administering [WEP] is far too difficult and its performance is questionable."
Installing additional security features and building a VPN over a WEP-based WiFi network would help patch the security holes, he added.
"A VPN tunnel over the top would help, however the wireless client needs to be strongly authenticated and it must associate with the correct network," acccording to Neal Wise, director of Assurance.com.au
He said while 802.1X authentication and other certificate-based authentication systems can be used to bolster WEP security, provided they allow the wireless client and the network to operate on a trusted basis, they demand a lot of management and planning.
Wise said the WEP research is "flogging what has been a dead horse for many years" by revealing skilful ways of "showing how bad WEP is".
Wireless devices often run only WEP encryption because of their age or lack of memory and processing power, and often cannot be upgraded to WEP's more advanced and secure successor protocol WiFi Protected Access (WPA) or the follow-on WPA2.