The cure for WEP insecurity is pretty simple: Switch to WPA. It’s been around for about four years now, so if your wireless router is that recent, it probably supports WPA. Here’s how to switch.
by Joseph Moran
Last weekend, 60 Minutes did a story on the theft of customer data from TJX Companies, the parent company of such well-known stores as TJMaxx, Marshalls and HomeGoods. That company made big news early this year when it reported that its computer systems had been penetrated, resulting in the theft of credit card numbers and other personal data on a reported 40 million or more customers.
In the piece, 60 Minutes cited an Canadian government investigation that determined that ground zero for the data theft was a pair of Miami-area stores and that it took place through wireless networks that were using WEP encryption (Wired Equivalent Privacy — a misnomer to say the least).
Even more interesting was when a security consultant hired by CBS went wardriving in an typical shopping center and found countless WEP-encrypted networks operated by major retailers, just hanging in the air like ripe fruit ready to be picked.
Although we’ve highlighted the dangers of WEP before, these revelations seem like a good opportunity to remind folks that if you’re using WEP to secure (if you can call it that) your own wireless network, then you’re not getting the protection you think you are.
Without delving into the gory technical details regarding WEP’s weaknesses, suffice it to say that with ordinary PC, free software, and a little bit of patience, you can find your way into a WEP-encrypted network in short order — often in just a few minutes.
The cure for WEP insecurity is pretty simple — switch to WPA, which when properly configured is a far superior way to safeguard a wireless network. WPA isn’t exactly new technology — it’s been around for about four years now, so if your wireless router — or at least the firmware it’s running — is that recent, it probably supports WPA.
Here’s How to Do It
To configure your router for WPA, start by logging into it with your browser, preferably from a computer with a wired connection so your link won’t be disrupted as you make changes. (If you’re not sure of your router’s IP address, run IPCONFIG from a command prompt and use the address listed next to Default Gateway). Configuration interfaces differ by device manufacturer, but you should find the relevant options under the heading Wireless Settings, Security or something similar.
When you select WPA as your security type (you may also see it listed as WPA-PSK or WPA-Personal), you’ll see a place to create a passphrase. Unlike a WEP key, a WPA passphrase doesn’t have to be a fixed length — it can contain anything between 8 and 63 characters. However, you shouldn’t use a passphrase that’s short and easy-to-remember because with WPA, a longer passphrase is definitely a stronger passphrase. As is the case with all passwords, you also shouldn’t use proper names or any word that can be found in a dictionary. If you want some help coming up with a strong passphrase, check out www.yellowpipe.com/yis/tools/WPA_key/generator.php, which can automatically generate one of various lengths for you.
Your router may also give you the option to choose an encryption type — either TKIP or AES. The latter provides better security, but it also requires more CPU horsepower on both the router and the devices that connect to it, and it’s not supported by some non-PC devices. As long as you use a use a lengthy passphrase, TKIP is more than sufficient and should provide better compatibility.
After saving your changes (which will probably cause your router to automatically reboot itself) it’s time to turn your attention to your wireless clients. You can simplify the configuration of PCs by copying your WPA passphrase to a text file on a USB key. This will let you cut and paste it instead of typing it in, eliminating the possibility of typos. If your system running Windows XP Service Pack 2 or Vista was previously configured for WEP it will detect the new encryption type, but you’ll still need to change the settings before you can connect.
In XP, from the Choose a Wireless Network dialog box, click Change the order of preferred networks, select the network from the list and click Properties. Then for Network Authentication choose WPA-PSK, and for Data encryption, choose TKIP. It’s slightly different in Vista — right-click the network you’re trying to connect to and choose Properties, then choose WPA-Personal Security type and TKIP for Encryption type. Consult the documentation on how to use WPA with non-PC wireless devices like Wi-Fi phones, game consoles or AV gear.
In some cases you may be inclined to stick with WEP because your network contains one or more devices that don’t support WPA (common examples include the Nintendo DS or TiVo boxes with third-party WLAN adapters). It may be tempting, but be mindful of the risks. These days using WEP encryption is akin to keeping your house keys under the front door welcome mat and hoping nobody takes the time to notice that they’re there.