Attacks Against WEP and Bump Keys

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP.

At almost the same time Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias. MSNBC and Slashdot ran stories, and this week a NBC affiliate reported on the problem as well. This week Marc Tobias is blogging on the subject, and I've learned that locks by Abloy and Medeco are resistant to bump keys. Finally, the blogosphere has some commentary on the problem.

It seems to me that attacks against WEP and bump keys are examples of the same problem. In either case, a determined intruder with sufficient tools and expertise is going to overcome your preventative security measures and compromise you. In my books I call this fact prevention eventually fails. Eventual compromise is the reason I recommend detection and response, as well as insurance.

However, relying solely on WEP while the front door to your data center is propped open is no better than installing a vulnerable door lock on a shoddy frame. In those cases, addressing the popular flaw (vulnerable WEP, vulnerable door lock) still leaves many other avenues of attack open. Most opportunistic wireless intruders will pass a WEP-encrypted network for one that is wide open. Most opportunistic physical intruders will pass a locked door for one that is wide open.

In both cases, fighting the battle to address vulnerabilities is a losing cause. Removing threats by prosecuting criminals is the most effective way to reduce risk.

I feel better knowing I have a big dog in my house, though.

Comments

Anonymous said…
Actually, the bump key attack is pretty old, and an article about it was published in Die Datenschleuder #86 (the hacker magazine published by the Chaos Computer Club) in 2005.
ak, I know it's old... but it just became publicized in the US.
Ish said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics