I'm responsible for our company's WLAN security. Do I still need to worry about WEP cracking, or is that no longer an issue?
Do you have a question for our experts?
Submit your question directly to our editors at firstname.lastname@example.org.
First-generation Wi-Fi products were plagued by vulnerabilities in Wireless Equivalent Privacy (WEP) that made it easy to crack keys used to encrypt wireless LAN (WLAN) traffic. Over the years, WEP-cracking tools have been refined to speed cracking, to the point that WEP should be considered little more than a "keep out" warning sign that deters casual freeloading but won't stop serious intruders.
Read more of Lisa's expert advice
Is 802.1X authentication good enough for WLAN access control?
How the 802.11ac standard impacts security
WPS attack precautions help avoid unauthorized WLAN access
Unfortunately, statistics show that WEP is still widely used today, well over a decade after the first WEP cracking issues. In Information Week's 2012 Mobile Security Survey of 322 business technology professionals, 24% admitted their corporate WLANs still support WEP. And cloud-sourced "war driver" reports gathered by Wireless Geographic Logging Engine (WiGLE) put worldwide SSID security use at 30% for WPA2, 11% for WPA and 25% for WEP at the end of 2012. So, yes, WEP is still alive and kicking and something you should consider.
That said, you may not need to worry about WEP cracking if you don't permit WEP use on your own company WLAN. As long as you require WPA2 (or WPA) for secure connections to your own WLAN, WEP crackers have no relevance one way or the other on the security posture of your network. But you should still monitor your office airspace to make sure that employees have not created their own little unauthorized WLAN using a rogue access point secured with WEP. Of course if you do permit WEP on your company WLAN, my advice is simple: Stop.
This was first published in January 2013