MAC Filtering + WEP - How unsecure is it?



It's not going to do anything to stop someone who knows what they're doing and wants to forcibly join your network. Once they've done that, it becomes a matter of how secure your network itself is (i.e. the passwords on your machines, shares accessible by anonymous users, patches up-to-date, etc).

That said, it's probably fine. If someone really wanted to target you they'll probably break into your house or something. If they're just leeching free WiFi, they aren't going to bother with secured networks. If they're just looking for random people to attack, they'll also most likely be looking for unsecured networks.

I guess it all depends on how paranoid you are, where you live, if you have enemies or government agencies after you, etc.

Also, if the DS doesn't support WPA, that is incredibly lame.

One needs to make an actual effort to break WEP encryption (with data analysis and all), so you'd need to be actually targeted.. it's not gonna happen by pure chance.

MAC address filtering works incredibly well... I'm no security expert but I'm confident that the only way to bypass it is for someone to clone your MAC address other than router hacks.

So a combination of them both is waaaaaaayyyyyy more than what any non-prominent individual could possibly ever need.

  jgrodri said:
One needs to make an actual effort to break WEP encryption (with data analysis and all), so you'd need to be actually targeted.. it's not gonna happen by pure chance.

MAC address filtering works incredibly well... I'm no security expert but I'm confident that the only way to bypass it is for someone to clone your MAC address other than router hacks.

So a combination of them both is waaaaaaayyyyyy more than what any non-prominent individual could possibly ever need.

MAC filtering doesn't really do anything. All the attacker has to do is change their MAC address to one that's allowed... and I think there are ways of detecting the MAC addresses of other wireless devices without being joined to the same network.

I wouldn't count on it being any sort of viable security barrier. Yes it's an extra step an attacker will have to deal with, but not a significant one. Also, if I recall correctly, most access points let you connect even if your MAC address isn't on the allow list. They just don't issue you an IP address.

  metallithrax said:
Tut, tut, come on now Brandon. An employee of Microsoft dissing another company's product. You know you will probably get slammed for that. :laugh:

I didn't really see it that way. I like the DS. I just think it's unfortunate that it doesn't support WPA as that's kind of the standard nowadays (and significantly harder to break than WEP).

  metallithrax said:
Tut, tut, come on now Brandon. An employee of Microsoft dissing another company's product. You know you will probably get slammed for that. :laugh:

He's right though.

Supporting WEP only when WPA is pretty much the standard is just silly. If you want backwards compatibility, then just support both.

I've got my network as WEP only with MAC filtering just for my DS, but I don't care much if somebody does break it (all my machines are kept up to date and use passwords, which annoys my step-father greatly)

How would someone figure out what MAC addresses you allow without being able to connect to your network to trace the inside computers?

I guess you could automate it to go through strings of MACs until it matches, but that would be really slow and unless you have some kind of sensitive data no one would waste their time on it

  xortex said:
How would someone figure out what MAC addresses you allow without being able to connect to your network to trace the inside computers?

I guess you could automate it to go through strings of MACs until it matches, but that would be really slow and unless you have some kind of sensitive data no one would waste their time on it

Sniff the packets.

Spoofing the MAC address is the easy part. WEP cracking is the "hard" part (hard as in, it takes the FBI 3 minutes to crack it, and they're using open source tools)

  The_Decryptor said:
Sniff the packets.

Spoofing the MAC address is the easy part. WEP cracking is the "hard" part (hard as in, it takes the FBI 3 minutes to crack it, and they're using open source tools)

Just curious, how do you know what the FBI uses?

They demonstrated it at a security conference.

It's nothing really special (i.e. secret, the tools they use are open source), just capture packets then flood the network with fake requests, network starts responding and you soon have enough data to start cracking the WEP key.

As already stated -- MAC filtering and WEP are pretty much useless as security methods.

This has been gone over and over here on any thread that brings up wireless security.. Someone normally likes to chime in that you should use MAC filtering, and then they always throw in that you should disable SSID broadcast as well..

I have to say I am pleasantly surprised to see the responses here!!

MAC filtering is a method of control that you could use on your network to say not let the kids' machine surf after 10pm. But as a method of blocking access to your network - no, it's useless. WEP is better than just plain OPEN mind you, but as stated it can be cracked in a few minutes by anyone looking to do so. There are guides all over the net on cracking WEP. And yes before someone brings it up -- yes there are guides for brute forcing WPA-PSK as well..

BUT!!! If you use a SECURE PASSWORD those methods are useless, even if they had the computer power of a small country.. But sure something like "P@55w0rd!" makes WPA-PSK pretty much useless as a form of security as well.

I have to agree -- I have no idea what the makers of a wireless device were thinking to only support WEP?

EDIT: Depending on your router and what firmware it might be running -- it is possible to run more than 1 type of security method by creating virtual wireless interfaces.. You could have one that is only WEP, but only allows access to the internet -- not your network, etc.

  BudMan said:
EDIT: Depending on your router and what firmware it might be running -- it is possible to run more than 1 type of security method by creating virtual wireless interfaces.. You could have one that is only WEP, but only allows access to the internet -- not your network, etc.

I was hoping something like that was possible... I'm running a Linksys WRT54GL with Tomato, which doesn't seem to support that. Do you know which firmware does?

dd-wrt v24 RC supports virtual wireless adapters.

Here is a guide of someone setting it up -- this is for a FON network.. But it's about the same thing you're looking to do.. Have a private wireless network, and then a different one that can access the internet.

http://www.geek-pages.com/articles/latest/...te_network.html

  BudMan said:
...

EDIT: Depending on your router and what firmware it might be running -- it is possible to run more than 1 type of security method by creating virtual wireless interfaces.. You could have one that is only WEP, but only allows access to the internet -- not your network, etc.

I've been thinking of doing this for a while, separate off B as WEP only (or not even bother with encryption at all) and have G as PSK, but it doesn't look like I can do that on my OpenWRT (WRT54GL) router.

It's quite possible to segment the network into 2 separate access points though, one encrypted (and bridged with the LAN) and one unencrypted (and with a different IP range and special firewall rules blocking it off from the internal network), which I suppose is a better option anyway (my original plans screw over G users)

Yeah, I was thinking of that as well... but I don't want to spend money :p

  BudMan said:
dd-wrt v24 RC supports virtual wireless adapters.

Here is a guide of someone setting it up -- this is for a FON network.. But it's about the same thing you're looking to do.. Have a private wireless network, and then a different one that can access the internet.

http://www.geek-pages.com/articles/latest/...te_network.html

Thanks!

  The_Decryptor said:
I've been thinking of doing this for a while, separate off B as WEP only (or not even bother with encryption at all) and have G as PSK, but it doesn't look like I can do that on my OpenWRT (WRT54GL) router.

And what version of the firmware are you running? The virtual wireless interfaces have been around since I think the beginning of the v24 betas for dd-wrt. RC 7 just came out the other day.

As you can see you can run more than 1 wireless interface. And change the security on them.

Have not actually tested this in this latest RC yet, just updated to it a few minutes ago ;)

Since dd-wrt is based off of OpenWRT.. I would have to assume you could do the same thing on them?? What version of OpenWRT are you running? I am pretty sure that Kamikaze supports multiple virtual wireless!

edit: A quick google does verify that openwrt supports virtual

https://dev.openwrt.org/ticket/1239

Ability to create multiple wireless interfaces. (with unique SSID,Hdrw MAC,Encription, Client/Ap Mode and possible antenna directions (rx/tx))

01/22/07 23:26:54 changed by mbm

* status changed from new to closed.

* resolution set to invalid.

Please clarify your request - kamikaze already supports this

I'm running White Russian (upgrading to Kamikaze as I type this)

Last time I checked, I thought Kamikaze didn't support the wireless chipset in the WRT54GL, which was wrong since it's supported it since about September 07 (I think I got confused with the 2.4 and 2.6 versions).

And I was thinking of separating based on the protocol (B vs. G), I don't know if I can do that, but I know I can make it present multiple (differently configured) access points (up to 4 I think, but I'll just be using 2)

http://hardy.dropbear.id.au/blog/2008/02/h...orks-on-openwrt

Was going by that, I'll be double checking some of the commands though (they look wrong to me, but I'm betting I'm wrong)

I am not sure if you can run only the virtual on say B only while the physical is G only, etc. But if run on mixed.. then you should be able to set a virtual to WEP and the real to WPA2-PSK.. which no B device would be able to connect to ;)

Well I just upgraded to Kamikaze (and installed Webif2), so far I'm liking it.

First time I tried it I managed to somehow disable the LAN ports (had to re-install via TFTP), second time went better, net wasn't working (turns out dnsmasq comes pre-configured, and also configured not to read those settings), just fixed that.

I'll make the new access points tomorrow, I'll have one WEP for my DS, and I'll put the other one as WPA2-PSK.

As already stated

WEP is extremely weak, I can crack a WEP key in roughly one minute with open source software.

For WPA use a password not in a dictionary, and preferably a mixture as long as you can remember.

WPA "cracking" can be done away from the target network after the "four way handshake" has been captured, so the hacker has all the time they need to crack the password, therefore make it harder for them

https://www.grc.com/passwords.htm

That should generate secure enough passwords, they might expose bugs in cards' handling of WPA though (I used one of these for my technologically impaired friend, using it managed to lock up his router)

  funkymunky said:
so the hacker has all the time they need to crack the password, therefore make it harder for them

If you use a SECURE password!!! Let's say something like 20 characters! Sorry they are just not going to have enough time.. Do the math yourself!

Or here;

http://lastbit.com/pswcalc.asp

Let's see, 20 characters in length.. Even if they had 1 million machines, all that could check 1 million passwords a second.. You're looking at 779503646902420500 years

Now they surely do not need to be able to check the whole key space, let's say they get REAL lucky and only have to check say something like only .0000001 percent of the key space to find yours. You're still looking at 77,950,364,690 YEARS!!! How old is the universe again?? ;)

So what are the odds that billy down the street is going to get into your WPA-PSK network with a machine or 2 that say at best can check around 1,000 passwords a second??

WPA-PSK with a SECURE password is more than secure enough for the HOME network! ;)
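An added example, not part of any poster's message: a small passphrase audit that puts the two points made in this thread side by side, namely that a long random WPA-PSK passphrase is out of reach of brute force while something like "P@55w0rd!" falls to a dictionary. The wordlist, the substitution table, the sample passphrases and the 1,000,000-year acceptance floor are constructed assumptions; the default guess rate is the 1 million machines at 1 million guesses per second quoted above.

```python
import string

# Constructed stand-in for a cracking dictionary; real wordlists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "linksys", "wireless"}
# Undo common character substitutions before the dictionary lookup.
DELEET = str.maketrans("@4830157$", "aabeolsts")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet implied by the character classes present."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def is_dictionary_variant(pw):
    """True if the passphrase is a common word with substitutions or padding."""
    lowered = pw.lower()
    stripped = lowered.strip(string.punctuation + string.digits)
    return any(c.translate(DELEET) in COMMON_WORDS for c in (lowered, stripped))


def years_to_exhaust(pw, guesses_per_sec):
    """Years to try every string of this length over the implied alphabet."""
    return charset_size(pw) ** len(pw) / guesses_per_sec / SECONDS_PER_YEAR


def audit(pw, guesses_per_sec=1e12, min_years=1e6):
    """Assumed defaults: 1e12 guesses/s (the thread's figure), 1e6-year floor."""
    # A WPA-PSK passphrase is 8 to 63 printable ASCII characters.
    valid = 8 <= len(pw) <= 63 and all(32 <= ord(c) <= 126 for c in pw)
    variant = is_dictionary_variant(pw)
    years = years_to_exhaust(pw, guesses_per_sec) if valid else 0.0
    return {"valid_wpa_passphrase": valid, "dictionary_variant": variant,
            "years_to_exhaust": years,
            "acceptable": valid and not variant and years >= min_years}


if __name__ == "__main__":
    for sample in ("P@55w0rd!", "qT7#vL2m!Zr9xKp4&Wd8"):  # constructed samples
        print(sample, audit(sample))
```

The brute-force figure only means something for passphrases that are actually random; the dictionary check is what catches the rest.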

  BudMan said:
If you use a SECURE password!!! Let's say something like 20 characters! Sorry they are just not going to have enough time.. Do the math yourself!

Or here;

http://lastbit.com/pswcalc.asp

Let's see, 20 characters in length.. Even if they had 1 million machines, all that could check 1 million passwords a second.. You're looking at 779503646902420500 years

Now they surely do not need to be able to check the whole key space, let's say they get REAL lucky and only have to check say something like only .0000001 percent of the key space to find yours. You're still looking at 77,950,364,690 YEARS!!! How old is the universe again?? ;)

So what are the odds that billy down the street is going to get into your WPA-PSK network with a machine or 2 that say at best can check around 1,000 passwords a second??

WPA-PSK with a SECURE password is more than secure enough for the HOME network! ;)

lol, that's my point mate :)
