A recent survey said nearly one out of four enterprise Wi-Fi networks not only supports the insecure WPA protocol, but also still supports the even more insecure WEP protocol. Why is this? And what's the easiest way for us to determine if these protocols are still in use in our organization?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
It's not surprising that many enterprises still use insecure encryption protocols on their WLAN. Over the past 5 to 10 years, as wireless has really taken a grip on both personal and corporate networks, the need for wireless security education and upgrades has increased drastically.
I would argue that the main reason people and organizations still run the WPA (Wi-Fi Protected Access) protocol or even WEP protocol is because of ignorance. If people knew how easy it was to crack WEP, they wouldn't use it. In less than five minutes, virtually any knowledgeable attacker can crack a WEP network and crawl around its systems. If businesses or home users knew that they were at such risk, I would hope that they'd change over to a more secure protocol.
This leads me to my second point. If we have to explain to someone that WEP is an insecure protocol, it's even less likely that they'll have the ability to upgrade to a secure one. The combination of not knowing that a network is insecure and being incapable of upgrading it are major factors in why the WEP and WPA protocols are still in use.
Another reason companies still use them is because they're still being offered as an option on access points. I ran a wireless scan while driving down a major intersection near my home and found numerous access points running the WEP protocol. I was surprised to find so many and was curious to find out more. After some research, I discovered that Verizon had, and might still have, the WEP protocol running on the majority of the home routers that it distributes to customers. So instead of enforcing a secure wireless encryption protocol and eliminating the ability to run WEP on its hardware, Verizon is offering it as a default.
Running periodic wireless penetration tests to determine the security of your network is an important step in determining if you're still running these types of insecure encryption algorithms in your network. Also, auditing the controllers to determine what they're running and "war driving" around your building are easy ways to determine which networks are being seen in your network and if they're using WEP. If you have an internal WLAN using WEP with a system like AirSnort or inSSIDer, you can then start creating plans to secure them.
One of the most common problems within the industry is that many companies just don't think they'll be targets. With a mindset like this, it's only a matter of time before this attitude comes back to bite many unsuspecting victims.
This was first published in January 2013