Whapped by WEP: Dangerously defective security still being sold

What if you bought a new Wi-Fi access point today, and then discovered that it uses a 12-year-old security technology that vendors have known since 2001 is dangerously insecure?

Insane as it may sound, products like that are apparently still being sold. Online. Right now.

Eight years ago the Wi-Fi Wired Equivalent Privacy (WEP) secure encryption protocol was deemed seriously flawed. Any amateur hacker can break the code and listen in on a Wi-Fi session that uses WEP within minutes using software tools readily available on the Web. Five years ago the industry adopted Wi-Fi Protected Access (WPA) and then moved on to WPA2. So why are resellers still offering WEP products on the Web, with no warnings or disclosures?

This doesn't surprise Mike Horowitz, who blogs about security for Computerworld. He says a huge percentage of Wi-Fi networks are still using WEP. But selling these things without full disclosure borders on criminal. Perhaps these vendors should be held liable for damages.

Consider: Today the FTC issued guidelines for bloggers requiring that they fully disclose when they receive free products or payments from vendors in exchange for reviews. A mommy blogger can be fined $11,000 for not disclosing that a $10 toy sent to her by a manufacturer was sent free of charge, but manufacturers and resellers get to sell dangerously defective Wi-Fi equipment? Something is out of whack here. Perhaps the FTC should also force resellers and manufacturers to slap the equivalent of a Surgeon General's Warning on Wi-Fi equipment that still only supports WEP.

I'm not just talking about shady online discounters. Amazon.com offers the Linksys WCG200 Wireless-G Cable Gateway for $124.99 through partner J&R Music and Computer World. The product description makes no mention of security. To find out that it's an insecure WEP-only device, customers must click on the data sheet link. There, listed under security, are three letters that should give every consumer pause: "WEP." No WPA. No WPA2. Just the discredited WEP. Amazon also offers this product through AntOnline, DataVision, ComputerVideo, The Price Pros and other vendors. Two other sites I visited offer refurbished versions of the same unit as well, including this unit at Buy.com. Amazon also offers this Belkin unit. The description says it's WEP only. The product manual says WPA or WEP. Which is right?

Unwary consumers could pay $125 or more for what, for all intents and purposes, could be a defective product.

The Linksys WCG200 unit is also discontinued, according to Cisco, which owns the Linksys brand.

How I got stuck with WEP

Why do I know this? Because I recently installed a WCG200 wireless cable gateway on my home office network. This device acts as both a cable modem and wireless router. I had the device lying about and decided to replace my cable modem and wireless router with a single, integrated device that uses less energy, saves me a cable modem rental fee from the cable provider and reduces desktop cables and clutter.

I installed it quickly, without paying too much attention. Only later, when I began testing a Kodak wireless printer, did I go back into the administrative console and discover that I had set up WEP security.

Alarmed, I called Cisco, which confirmed that the device only supports WEP and that no upgrade for the device is available. Cisco no longer makes a wireless cable gateway product, according to a sales person. But you can still buy it online.

Grasping at Straws

So what if you have one of these things? I had already returned my cable modem to the cable company for credit and I am loath to go crawling back. But given that I live next to a college campus, using WEP doesn't seem like a smart idea. So I asked fellow blogger Mike Horowitz for advice.

"You should not use WEP, I suggest a new router," he said.

I tried bargaining. I was pretty sure I already knew the answers but I thought I would give it a shot anyway. I noted that there are a few other security features on the device. For example, I could up the encryption level from 64 bits to 128 bits.

Sorry, Mike said, but any flavor of WEP can be broken.

I tried again. Every computer has a unique MAC address built into the networking hardware. A feature called MAC address filtering lets you only grant access to machines with MAC addresses in your approved list. Surely if I turned on the MAC address filtering feature I could restrict access? A hacker would have to guess the correct address to get in, would they not? There are millions of combinations.

Sorry again, Mike said. "They don't have to guess. MAC addresses are never encrypted when traveling over the air so bad guys can just borrow an allowed MAC address. It's easy to forge a phony MAC address." And don't forget, he said, they can see everything you transmit whether they can access your device to get to the Internet or not - including login names and passwords.
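Why the filter fails, shown as an added example (not part of the original article): on a WEP-protected 802.11 data frame, the address fields and WEP's initialization vector sit in front of the encrypted body, so they can be read without the key. The frame bytes are constructed, not captured, and the parser assumes a plain (non-QoS, three-address) data frame.

```python
# Constructed 802.11 data frame (not a capture): station -> AP, WEP-protected.
# Layout: 24-byte MAC header, WEP IV (3 bytes) + key-ID byte, then ciphertext.
SAMPLE_FRAME = bytes.fromhex(
    "0841"                      # frame control: data frame, ToDS=1, Protected=1
    "2c00"                      # duration
    "001122334455"              # addr1: BSSID (the access point)
    "66778899aabb"              # addr2: transmitting station
    "ccddeeff0011"              # addr3: final destination
    "1000"                      # sequence control
    "a1b2c3" "00"               # WEP IV (24 bits) and key-ID byte
    "deadbeefcafef00d0badc0de"  # encrypted payload + ICV, opaque without the key
)

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)

def cleartext_fields(frame):
    """Return every field of the frame that is readable without the WEP key."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    ftype = (frame[0] >> 2) & 0x3          # type bits of frame control
    protected = bool(frame[1] & 0x40)      # Protected Frame flag
    fields = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "protected": protected,
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
    }
    body = frame[24:]
    if ftype == 2 and protected and len(body) >= 4:
        fields["wep_iv"] = body[:3].hex()      # sent in the clear with every frame
        fields["key_id"] = body[3] >> 6        # top two bits select the key slot
        fields["encrypted_len"] = len(body) - 4
    return fields

if __name__ == "__main__":
    for name, value in cleartext_fields(SAMPLE_FRAME).items():
        print(f"{name:14} {value}")
```

Only the last 12 bytes of the sample are covered by encryption; every address an allow-list would match on travels in the clear.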

What if I hide? I could turn off the SSID broadcast feature so that people searching for wireless networks wouldn't see my unit.

Strike three. "It can be seen. Lots of software shows networks that are not broadcasting their SSID. They are broadcasting after all," Mike said.

So it appears that what I have here is a boat anchor. I'll want a new Wi-Fi certified unit that has WPA2 security (even WPA2 security can be hacked unless you use a long password, Mike warns).

I have three choices. I could bring back the cable modem from Time Warner and pay the $1 per month rental fee and then add a Wi-Fi router to that. Alternately, I could turn off the Wi-Fi feature on the WCG200 and use it only as a cable modem, then add a modern Wi-Fi wireless router. Or I could try to find another integrated unit - the greenest option. For some reason, however, those appear to be a scarce commodity these days. Either way I'll be reading Mike's How to Buy a Wireless Router before I go shopping this week.
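A way to check which protection an access point actually advertises, as an added example that is not from the original article: an AP that sets the Privacy capability bit but advertises neither an RSN (WPA2) nor a WPA element is offering WEP only. The sample text is constructed in the style of `iw dev <iface> scan` output on Linux, and the SSIDs and addresses in it are made up.

```python
import re
# Constructed sample in the style of `iw dev <iface> scan` output; not a real scan.
SAMPLE_SCAN = r"""
BSS 00:11:22:33:44:55(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: gateway-wcg
BSS 66:77:88:99:aa:bb(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: office
    RSN:     * Version: 1
BSS cc:dd:ee:ff:00:11(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: \x00\x00\x00\x00
    WPA:     * Version: 1
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: guest
"""

def security(bss):
    """Map the advertised fields of one BSS to a protection level."""
    if "RSN" in bss["ies"]:
        return "WPA2"          # RSN element present (WPA2 or later)
    if "WPA" in bss["ies"]:
        return "WPA"           # vendor WPA element only
    # Privacy bit with neither element means the AP offers WEP and nothing else.
    return "WEP" if bss["privacy"] else "open"

def audit(scan_text):
    """Return (bssid, ssid, security) for every BSS in the scan text."""
    found, cur = [], None
    for line in (raw.strip() for raw in scan_text.splitlines()):
        m = re.match(r"BSS ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "privacy": False, "ies": set()}
            found.append(cur)
        elif cur is None:
            continue
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line.split()
        elif line.startswith("SSID:"):
            # Hidden networks still beacon; the name is empty or all \x00.
            cur["ssid"] = line[5:].strip().replace("\\x00", "") or "<hidden>"
        elif line.startswith(("RSN:", "WPA:")):
            cur["ies"].add(line[:3])
    return [(b["bssid"], b["ssid"], security(b)) for b in found]

def weak(scan_text):  # BSSIDs offering WEP or no encryption at all
    return [b for b, _, sec in audit(scan_text) if sec in ("WEP", "open")]
```

The third entry in the sample hides its SSID and still appears in the results, which matches Mike's point that a non-broadcast network is visible to any scanner.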

What People Are Saying

Comcast NJ makes WEP the default

Why did Comcast make WEP default when they installed Broadband in Wallington NJ? When I got to my father's house I switched him over to WPA - very little assistance. In fact, they did not know what I was calling about and offered to "send a truck". Comcast is the worst. Sadly they don't even change the default password for the router: 198.162.0.1

You could check out

You could check out www.dd-wrt.com and see if your router is supported. If supported, flashing it with this Linux-based utility would be an excellent option. DD-WRT is an excellent router interface, and offers more control over security and broadcasting wireless signal strength, among other things.

So, what's the risk?

In a business setting you definitely want something better than WEP encryption. For a business application I hope you are willing to spend more than $150 for the hardware as your business depends on it.

For the home net, WEP may just be enough to keep the local bad guys out. After all, what's the risk your home net will be hacked? Pretty low.

To me the encryption on your network is like the lock on the front door. Any thief with a bit of skill can use a "Bump Key" to crack most door locks. (look it up on YouTube for fun)

Yet, even though the information is openly available on YouTube, most people don't use the technique and your house is reasonably safe.

WEP, though old, is about that strong. Just strong enough to discourage your neighbor from piggybacking on your broadband. Nothing more. The determined thief will find another way.

The overall risk is low, very low.

Admittedly, the overall risk with one of the newer encryption methods is lower, but not all that much.

So, what's the risk profile? That's the real question to ask.

Try a Faraday cage

You could put all the wireless devices you want to allow to connect inside a Faraday cage with the questionable wireless router. :) Or use (gasp!) wires.

Article is OK on a topic

Article is OK on a topic well-known and overly discussed. Where you go wrong is venturing into legal matters--"borders on criminal....should be held liable for damages." IMHO it comes nowhere near any criminality and your proposal for damages cinches it as a civil wrong compensable by civil remedies. Your argument that there's a logical imbalance between the mommy blogger and a manufacturer selling WEP only Wi-Fi devices also fails. The blogger writes a review with the clear knowledge that it will likely affect opinion and buying habits, and any conflict of interest should obviously be disclosed--this is well-settled law. A maker of Wi-Fi products is not even required to offer any kind of security (though it would be hard to imagine making a device without any). A product without security of any kind will undoubtedly not sell as well. For example, at one time, cars were not required to have airbags. No doubt the cars with them sold better. But neither government nor industry has seen fit as yet to require Wi-Fi security of any kind. If a major catastrophe directly attributable to the absence of more secure Wi-Fi devices occurs and recurs, the forces of the government and the marketplace will act. Until then, you and Horowitz may be premature in your warnings.

Defective products

These are defective products that are being sold without adequate disclosure. For some reason people in the computer software and hardware business seem to get away with this.

WEP was discredited years ago, yet equipment makers continued to sell products that used it and promoted it as secure encryption in marketing literature when it wasn't. The unit I refer to is two years old. WPA has been around since 2003. The only indication the consumer has that this might be a problem lies in the three-letter spec mentioned in the literature: WEP. Many consumers don't know what that is, nor that it is flawed.

Should a manufacturer be held liable for knowingly selling a product with a flawed security feature? How about when a fix for the problem was readily available?

What you're saying now is

What you're saying now is like a tautology. You're defining these products (without WEP plus defenses) as "defective." Defective in most instances means not performing as the product is supposed to by some accepted standard. A door with one lock is secure and certainly not defective, although a door with several locks may be more secure. But a door with a broken lock is defective. A Wi-Fi device with WEP is not as secure as you would like, but not defective--it works.

You then shift your argument to a "flawed" security feature. The manufacturer has no obligation to offer any security, and the buyer has no obligation to purchase any product s/he deems "defective" or "flawed." Before airbags were required, a safety device now considered basic, many safety conscious consumers still bought cars without them. Cars were not back then "defective" or "flawed" because they didn't have all of the "best" safety features. Presumably from studies, seatbelts, another basic safety feature, save lives; any evidence that WEP only Wi-Fi devices have been the cause of monstrous networking/online calamities? As another commenter far more expert than I noted, the overall risk with the newer encryption methods is lower, "but not by all that much." Before the National Guard will answer your call, there has to be some disaster...

Caveat emptor

Obviously the discontinued wep-only Linksys all-in-one isn't a big seller, hence its being discontinued (and unsold units still on the shelves). But ferpetesake, we have enough legislation and lawsuits. Let the buyer beware.

One more point

Of course wep products are still being produced. There are likely hundreds of thousands of wireless devices out there still churning away from the pre-wpa era.

Not all worries valid?

1) If you are using https, does it matter what security is between your computer and the router? It is end-to-end encrypted anyway.
2) Don't you have protection to allow your computer to connect to a public wireless network? Things like ssh tunneling avoid worrying about insecure links to routers.
3) Even if you get hard security to your router, non https/ssh connections go raw to your ISP - are you sure no one there can hack into your communication?