Why Are Vendors Still Using WEP?
A tinker-toy wall vs. the barbarian horde
Glenn Fleishman at Wi-Fi Networking News wants to know why vendors are still shipping product with WEP encryption (Nintendo DS, Kodak EasyShare-One) when it has been made very clear it's about as secure as moist tissue paper. "What’s the solution? Sales. The more Wi-Fi appliances that ship, the more pressure that will build (on chipmakers)," Glenn suggests.

Vchat20
Landing is the REAL challenge
Premium Member
join:2003-09-16
Columbus, OH

Vchat20

Premium Member

Whats the solution? VPN

'nuff said. If you're so f'ing worried about privacy, either get a wifi device with better encryption or use VPN.
newyorkslick
join:2001-12-19
Rosedale, NY

newyorkslick

Member

Re: Whats the solution? VPN

Exactly. And why the hell does Nintendo DS need WAP or WAP2 for??

oliphant
I Have 8 Boobies
Premium Member
join:2004-11-26
Corona, CA

oliphant

Premium Member

Re: Whats the solution? VPN

said by newyorkslick:

Exactly. And why the hell does Nintendo DS need WAP or WAP2 for??
I'm assuming you mean WPA and why do they need them? Because the APs they're trying to connect to (namely home networks) use them. Unless you run an open AP or live at the airport the Nintendo DS is worthless for online gaming.

pcscdma
hi
Premium Member
join:2004-01-14
Winterset, IA

pcscdma

Premium Member

Re: Whats the solution? VPN

If you play ad hoc multiplayer games then encryption is unnecessary.

oliphant
I Have 8 Boobies
Premium Member
join:2004-11-26
Corona, CA

2 edits

oliphant

Premium Member

Re: Whats the solution? VPN

IF you only play ad hoc, but if you want to play on Nintendo's upcoming ONLINE gaming service you have to dumb-down your encryption which is beyond lame. Even Sony realized WEP is lame and added WPA-TKIP to the PSP. Nintendo should do the same.
oliphant

oliphant to Vchat20

Premium Member

to Vchat20
said by Vchat20:

'nuff said. If you're so f'ing worried about privacy, either get a wifi device with better encryption or use VPN.
That's the bitch. Nintendo doesn't offer better encryption. This isn't about the AP, it's about the device.
Spudge_Boy
join:2004-09-17
Orange, CA

Spudge_Boy

Member

Re: Whats the solution? VPN

No, this is about the AP/Router. Every device on a wireless network has to use the lowest common denominator for security, so if one device (Nintendo DS) uses WEP, everything has to use WEP.

oliphant
I Have 8 Boobies
Premium Member
join:2004-11-26
Corona, CA

oliphant

Premium Member

Re: Whats the solution? VPN

That's what I said.

http://www.dslreports.com/forum/remark,14596351;iframe=1#14596425
Spudge_Boy
join:2004-09-17
Orange, CA

Spudge_Boy

Member

Re: Whats the solution? VPN

Groovy. At least we are on the same page.

The problem is:

1. Vendors shipping devices without WPA.

2. Customers not willing to learn anything about what they are installing.

Raphion
join:2000-10-14
Samsara

Raphion to oliphant

Member

to oliphant
So I have to set up VPN on all my computers just because Nintendo is too stupid or tightassed to add WPA support.

And that won't stop people from sponging off my connection when it's open for Nintendo BTW.

oliphant
I Have 8 Boobies
Premium Member
join:2004-11-26
Corona, CA

oliphant

Premium Member

Re: Whats the solution? VPN

I know, it's completely lame. Why would Nintendo bother having wireless if they don't do it right? Sony did the same thing with the PSP and then finally followed up with WPA MONTHS after release. Late but at least they did it. Nintendo should follow suit and with their online gaming service coming, they should do it quickly.

Cheese
Premium Member
join:2003-10-26
Naples, FL

1 recommendation

Cheese to Vchat20

Premium Member

to Vchat20
said by Vchat20:

'nuff said. If you're so f'ing worried about privacy, either get a wifi device with better encryption or use VPN.
A VPN for home browsing? Makes sense
DavidJWood
Premium Member
join:2001-10-12
UK

DavidJWood

Premium Member

WEP is unacceptable

I've retired all my WEP only gear, and won't buy anything that doesn't support at least WPA-PSK (TKIP encryption).

I guess most buyers don't appreciate the seriousness of insecure wireless. There are products in some brackets (such as wireless VoIP phones) where most or all of the products only support WEP - and presumably they're selling.

It's down to us to create pressure on the vendors to support WPA-PSK with TKIP encryption as a minimum - and ideally WPA2 (including WPA2-Enterprise) with the mandatory AES encryption.

My home wireless LAN uses WPA TKIP with EAP-TLS using FreeRADIUS - though I wouldn't be too unhappy using WPA-PSK. I had a FreeBSD box suitable to run FreeRADIUS, which wasn't too hard to set up, so I thought why not.

There's also a huge job in educating the public that no wireless security and WEP is a liability. Maybe ISPs need to advise their customers to secure their kit - though I'm not sure using AUPs is the way to do it.

David

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Re: WEP is unacceptable

You're right. And the best way to deal with the problem is to refuse to buy any WiFi device that doesn't support WPA. My router and laptop use WPA/PSK and I won't buy any device that would require downgrading to WEP.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

ropeguru

Premium Member

Re: WEP is unacceptable

said by FFH5:

You're right. And the best way to deal with the problem is to refuse to buy any WiFi device that doesn't support WPA. My router and laptop use WPA/PSK and I won't buy any device that would require downgrading to WEP.
Sorry, not really trying to pick on you today.

But what about those people out there that would be FORCED to upgrade their access points if vendors did not include WEP as an option? There are still a lot of users that have older access points that do not support WPA/PSK technology.

So here again we would have companies forcing consumers to shell out more money to buy things they really do not need to.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

1 edit

FFH5

Premium Member

Re: WEP is unacceptable

said by ropeguru:
But what about those people out there that would be FORCED to upgrade their access points if vendors did not include WEP as an option? There are still a lot of users that have older access points that do not support WPA/PSK technology.
I never said that WEP couldn't be a subset option of a device that has WPA built-in. I just said I would never buy anything that didn't have WPA capabilities, nor should the vendors make anything new without WPA capability. The device could still have WEP capability to access older AP's.
jpark
join:2005-02-05
Jackson, TN

jpark to DavidJWood

Member

to DavidJWood
The real problem is devices marked as WPA compliant which are not. Saturday I bought a wireless cable modem (Motorola) which was plainly marked on the box as WPA certified. It only had WEP encryption available. I emailed Motorola to make sure I wasn't just missing a configuration option. Nope - only supports WEP.

Of course, I returned the unit.

Devices state they are WPA compliant when they are not. Devices also state they are WPA2 compliant when they are not.

It's very difficult to buy anything when you can't trust the manufacturer to correctly state the device's capabilities.
redenson6
join:2003-12-19
Richardson, TX

redenson6 to DavidJWood

Member

to DavidJWood
Wireless routers are getting cheap enough now that you can put the most insecure devices on a separate one and isolate it from the rest of your network for better security. Dirty fix but getting cheap enough to be attractive, right?
chrpai
join:2004-04-11
Cedar Park, TX

chrpai

Member

Not On My Network

I've considered purchasing a media extender and a few other gadgets lately, but when I look at them they are running WEP, not WPA. Well, my AP is set up for WPA only, so those devices won't be joining my network, which means I won't be giving my money to those vendors.

Wireless Major
@199.72.x.x

Wireless Major

Anon

Does DS really need it?

While most wi-fi gear needs advanced encryption, what in the hell does the Nintendo DS need to support encryption at all for?

What types of games are you playing that require security? And while it probably would be nice if it supported the most advanced encryption, it's not that big of a pain in the ass to set up a temporary AP using a USB adapter.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

1 recommendation

FFH5

Premium Member

Re: Does DS really need it?

said by Wireless Major :

While most wi-fi gear needs advanced encryption, what in the hell does the Nintendo DS need to support encryption at all for?

What types of games are you playing that require security? And while it probably would be nice if it supported the most advanced encryption, it's not that big of a pain in the ass to set up a temporary AP using a USB adapter.
The reason is that if you have 1 router/AP it can't support some devices with WPA and some with WEP and some with no encryption. So to use that Nintendo WiFi, you would also have to switch your laptop to WEP or no encryption as well. And that isn't very smart to do.

oliphant
I Have 8 Boobies
Premium Member
join:2004-11-26
Corona, CA

oliphant

Premium Member

Re: Does DS really need it?

It's amazing how people don't get that.
WirelessMajr
Premium Member
join:2005-08-03
College Place, WA

WirelessMajr

Premium Member

Re: Does DS really need it?

I fully understand why most equipment needs to support advanced encryption as I said previously, I'm not stupid.

However, you can purchase a cheap USB wi-fi adapter if you *really* wanted to, and you don't have to change your overall network topology.

Problem solved.

So, does the DS really need encryption? Nope. With the unit costing $120, and games hovering around the $30 range, if you can afford that, then it stands to reason that you can afford a cheapass POS USB wi-fi adapter to use as an unencrypted low power, small range, temporary access point.

DrTCP
Yours truly

join:1999-11-09
Round Rock, TX

DrTCP to Wireless Major

to Wireless Major
said by Wireless Major :

While most wi-fi gear needs advanced encryption, what in the hell does the Nintendo DS need to support encryption at all for?

What types of games are you playing that require security? And while it probably would be nice if it supported the most advanced encryption, it's not that big of a pain in the ass to set up a temporary AP using a USB adapter.
Because if most of your network has WPA/WPA2 and only one device is using WEP or open, it is enough to open a hole in your whole network by cracking the WEP key and using that key in another device to intrude the network.

Having said that, some high-end enterprise APs can segregate the network into different VLANs, each using different encryption; then you can have your game console access only the internet, but this type of AP is typically not found in home networks.

I can understand the vendor is trying to be relevant to the broadest customer base, but they should include updated security options for people that have moved on.
DavidJWood
Premium Member
join:2001-10-12
UK

DavidJWood

Premium Member

Re: Does DS really need it?

It doesn't even need to be a high end enterprise AP to run multiple SSIDs operating on different VLANs using different encryption. 3Com 3CRGPOE10075 will do it according to the documentation, and that's less than GBP100 including tax here in the UK.

Of course, you need a network topology that can cope with multiple VLANs to make use of it, though if you have no VLANs, it will also allow the use of different encryption on different SSIDs on the same LAN.

Multiple SSIDs (with different security settings) on the same LAN doesn't get you round the problem of allowing anyone that can crack your WEP key being able to use your network, though if you put the higher volume traffic (such as from a laptop) over something secure, you could potentially slow an attacker down. Before anyone says that MAC filters would bolster WEP, they won't - they're worthless as MACs are trivially sniffed and, on most equipment, trivially spoofed.

In the end, no matter what you do, WEP is insecure. I'd be wary of allowing a device using WEP to operate on a separate LAN that my firewall only allowed the minimum necessary access to the Internet - so yes, it would matter to me if I was in the market for a DS.

Allowing open access to the Internet or access to the machines on my LAN that contain my data from a wireless LAN using WEP is completely unacceptable to me, and, if they understood the risks, I suspect would be unacceptable to most people.

The problem is that your average person buying a wireless device doesn't understand the risks, and wants "plug and play" operation. Throw in the amount of bogus advice about MAC filtering, turning off DHCP and restrictive subnets, and add in that it's not always straightforward to get WPA working with older gear (older versions of Windows need a third party supplicant, WPA can be very tricky on some *NIXes and older wireless hardware needs replacing) and you can see why people don't bother.

Fortunately, the situation is getting better. Most new machines, be they Macs or Windows boxes, support WPA "out of the box", and I haven't come across a wireless card for a PC for some time that doesn't support at least WPA with TKIP. The problem is very much with 'gadgets' - Wi-Fi Pocket PCs usually support at least WPA with TKIP, but other wireless devices tend not to support anything other than WEP, and I won't be buying them.

I suspect that a fair few WPA-PSK installations use passphrases with insufficient entropy. That's really another argument, except to encourage wireless manufacturers to go beyond providing WPA-PSK to building in a small RADIUS server capable of EAP-PEAP and maybe EAP-TLS, though not by stealing GPLed FreeRADIUS code! EAP-PEAP is pretty easy to set up at both the RADIUS server and client end once the basic server configuration is done.

David
Spudge_Boy
join:2004-09-17
Orange, CA

Spudge_Boy

Member

Re: Does DS really need it?

Dude, get serious. The average human has trouble setting up one wireless network, let alone a multi SSID wireless network. You don't really think that the people using Nintendo DSs are network engineers, do you? They are for the most part kids (except for me).

The answer is not running a high end wireless network. The solution is Nintendo (and others) getting its act together.
DavidJWood
Premium Member
join:2001-10-12
UK

DavidJWood

Premium Member

Re: Does DS really need it?

said by Spudge_Boy:

The answer is not running a high end wireless network. The solution is Nintendo (and others) getting its act together.
I agree - see my first comment on this item. My point was that even with one of these multi SSID APs, you still need to think very carefully about your network, otherwise WEP is still a weak link.

However, I was pushing things with this second comment more towards a consideration of how we should engineer APs. Built in RADIUS with EAP-PEAP, and defaulting to WPA - it could be little more complex than a web wizard to enter user names and passwords, and suitable setup instructions for the clients or even a little tool to set up the wireless client for you.

Couple that with an easy switch to degrade to WPA-PSK (and a default of an auto-generated 63 character passphrase, which can be easily downloaded as a text file for easy copy and paste), a strong warning if WEP is chosen, and a very strong warning if encryption is turned off - would it work?

Unfortunately there's never going to be a complete "plug and play" solution to secure wireless - the two things are opposite in many ways.

I know there's issues to overcome - these are just broad brush comments, and I know how hard it is to create easy to use UIs, even for network administrators, because I've done it professionally.

The bigger problem is almost certainly creating public awareness of the importance of securing wireless. If consumer pressure for easy to use secure wireless grows, the manufacturers will respond.

David
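
The auto-generated 63-character WPA-PSK passphrase suggested in the post above, together with the earlier remark about passphrases with insufficient entropy, as an added example (not part of the original posts and not any vendor's code). The function names, the letters-and-digits alphabet and the sample SSID are assumptions; the derivation is the standard WPA-PSK passphrase mapping, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output.

```python
import hashlib
import math
import secrets
import string

# Assumption: letters and digits only, so the passphrase survives copy and
# paste into any client UI. The standard allows any printable ASCII (32..126).
ALPHABET = string.ascii_letters + string.digits


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError unless this is a legal WPA-PSK passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def generate_passphrase(length: int = 63) -> str:
    """Pick each character uniformly with the OS CSPRNG."""
    passphrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
    validate_passphrase(passphrase)
    return passphrase


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string; an upper bound for human-chosen ones."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map passphrase + SSID to the 256-bit pairwise master key."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the only salt and it is broadcast, so the passphrase is
    # the only secret: the key is exactly as strong as the passphrase.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


if __name__ == "__main__":
    ssid = "example-home-ap"  # constructed sample SSID
    generated = generate_passphrase()
    print("passphrase:", generated)
    print("PMK:", derive_pmk(generated, ssid).hex())
    print("63 random letters/digits: %.0f bits"
          % random_entropy_bits(63, len(ALPHABET)))
    print("8 random lowercase letters: %.0f bits"
          % random_entropy_bits(8, 26))
```

A 63-character random passphrase carries more entropy than the 256-bit key it produces, while a short or human-chosen one leaves the key only as strong as the guess space behind it.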
Spudge_Boy
join:2004-09-17
Orange, CA

Spudge_Boy

Member

Re: Does DS really need it?

I agree, we need customers to demand that every wireless product ships with WPA at the very minimum, let alone WPA 2.

nixen
Rockin' the Boxen
Premium Member
join:2002-10-04
Alexandria, VA

nixen to DavidJWood

Premium Member

to DavidJWood
said by DavidJWood:

It doesn't even need to be a high end enterprise AP to run multiple SSIDs operating on different VLANs using different encryption. 3Com 3CRGPOE10075 will do it according to the documentation, and that's less than GBP100 including tax here in the UK.
£100 (about $175) for a decently featureful AP versus $14.95 for a WEP-only device, so junior can play his Nintendo? Guess which one a lot of home buyers are going to go for? Further, given the number of people that do NO encryption in the first place (as evidenced by several prior threads about abuse of such networks), it won't make a difference what encryption is possible in the device.

-tom
Spudge_Boy
join:2004-09-17
Orange, CA

Spudge_Boy to Wireless Major

Member

to Wireless Major
Nintendo is just about to launch an online service. If you want to use that service, then you have to connect it to your network via wireless. You must then dumb down your encryption to WEP, because the Nintendo DS doesn't support WPA.

It isn't about the DS needing WPA to protect it. It is about the DS needing WPA to connect to a truly secured wireless network. Otherwise you must drop everything to WEP. That is the problem.

KAD Imaging
Just Shoot It
Premium Member
join:2002-09-21
Hialeah, FL

1 edit

KAD Imaging

Premium Member

Re: Does DS really need it?

said by Spudge_Boy:

Nintendo is just about to launch an online service. If you want to use that service, then you have to connect it to your network via wireless. You must then dumb down your encryption to WEP, because the Nintendo DS doesn't support WPA.

It isn't about the DS needing WPA to protect it. It is about the DS needing WPA to connect to a truly secured wireless network. Otherwise you must drop everything to WEP. That is the problem.
Actually it's not. The solution is easier than you think. Most ISP's are providing modems with built-in router functions these days (Westells, Zyxells) so all you need is to go buy a "real" router ala Linksys/Netgear and a cheap AP. Your "DS" will be outside of your personal network but still able to access the net. This way you can use WPA on your laptop but have the other AP with WEP or nothing. All you'll give up is internet access if anything.


Morac
Cat god
join:2001-08-30
Riverside, NJ

Morac

Member

Living in the past

I won't buy anything that does not support 802.11g and WPA (preferably WPA2). My network is set up as 802.11g (for speed purposes) only which is why I won't buy products that don't support 802.11g.

People might say why does a portable gaming system need to use WPA (or any) encryption. They are correct, for the most part. Who cares if someone intercepts your game traffic? The problem is that home access points only let you set up WPA or WEP, not both. This wouldn't be as much a problem if an AP could support WPA and WEP simultaneously and then restrict the WEP traffic to certain IP addresses.

In any case since most people leave their networks completely open anyway (at least my neighbors do), I guess I could always use one of these products on their network.

DrTCP
Yours truly

join:1999-11-09
Round Rock, TX

DrTCP

Re: Living in the past

said by Morac:

This wouldn't be as much a problem if an AP could support WPA and WEP simultaneously and then restrict the WEP traffic to certain IP addresses.
Segregation based on IP is weak. They should set up a different VLAN for each security domain. Some enterprise APs are able to do this but these features are unlikely to show up in consumer APs.
salahx
join:2001-12-03
Saint Louis, MO

salahx

Member

Backwards compatibility

Some systems do not support WPA - most older Windows systems, some Linux drivers, older routers & network adapters, etc.

It's going to be some time before WEP is finally killed off. In the meantime, vendors will still keep shipping WEP-capable devices so it'll work with older software and hardware.

WEP is still better than nothing.

DrTCP
Yours truly

join:1999-11-09
Round Rock, TX

DrTCP

Re: Backwards compatibility

said by salahx:

In the meantime, vendors will still keep shipping WEP-capable devices so it'll work with older software and hardware.
IMHO, it is OK to ship Wi-Fi equipment with WEP capability, but the real problem is that some vendors are stupidly shipping WEP as the ONLY security option even with the new devices, which is an absolute no-no (vendor did not get it!). They should offer WPA and WPA2 security options.

nobody_really to salahx

Anon

to salahx
Some systems do not support WPA - most older Windows systems
Yes, where is the WPA driver for Windows 2000????
ossito16
join:2004-07-31
Whiting, IN

ossito16

Member

WEP is good enough.

I do not understand the hype about wifi security. It takes a long time to crack a WEP, unless some clown is using wifi to p2p. It has been my experience that my laptop battery would run down before I cracked an average wifi connection with WEP. The few times I have seen a WEP get cracked it was on very high traffic wifi. How many people in a Starbucks or any other hotspot actually have cracked a WEP or even know the names of tools needed to do so? I personally use MAC/WEP, I would bet any money that there is not one person within 5 miles of my house who even knows about cracking WEPs.


jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

Good Enough for Some

WEP encryption does the job when all you need is something to keep your neighbors from accidentally jumping on your wireless connection. It uses a minimal amount of resources and if used along with MAC restrictions and disabled SSID, you can keep the simpleton from gaining access.

That said, if anyone really wants to get access to your wireless devices, WPA-PSK will probably only buy you a little more time, and most people do not have the ability to use anything stronger than that at home.


Vchat20
Landing is the REAL challenge
Premium Member
join:2003-09-16
Columbus, OH

Vchat20

Premium Member

(DS) Solution? USB Adapter

I should also make note that from what I've read about the USB adapter for the DS, it's locked to just the DS. So if you are really so concerned about security as you say you are, use the USB adapter for your DS and keep your precious wifi network locked up tighter than Fort Knox.

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

Reasons...

Maybe it is cheap, compatible with all wireless devices, etc. Security isn't #1 to a lot of people. Also, I have to upgrade ALL my network stuff to get rid of WEP. I just don't have the money and time to do that. I do secure my networks as much as I can with firewall software, WEP password (better than nothing), turn off WAP11 when not in use, etc.

BourneKilla
join:2005-04-12

BourneKilla

Member

Solution...

It seems they already sold a bunch anyway... 1 of 2 things will happen. Nintendo will provide a firmware update if possible or someone will create a homebrew mod. Does anyone know how much throughput WPA kills? I hope they put a good card in the thing...

a name
@xtra.co.nz

a name

Anon

Re: Solution...

I know nothing about Networking.

But what you do is you use a wireless router and you block all IP addresses from connecting to the router except that of the Nintendo DS.

If you are connecting through your PC's internet connection you block all IP addresses except for your PC and your Nintendo DS.

That's what I would do.

Unfortunately I have no idea of how to do that.

That's why Nintendo is releasing its USB wireless device, to allow your grandma to do exactly what I said. Ease of use. 1 click secure my ass connection.

r81984
Fair and Balanced
Premium Member
join:2001-11-14
Katy, TX

r81984

Premium Member

Mac Filtering

Why not just buy a cheap WEP router to use with your WPA router and set it up with MAC filtering with only the Nintendo MAC address being allowed?