Wednesday, August 30, 2006

Attacks Against WEP and Bump Keys

Any security professional should know that Wired Equivalent Privacy is broken. However, thanks to Alan Saqui's blog I learned of another attack method that completely devastates WEP.

At almost the same time, Brandon Greenwood sent me a link to this YouTube video about bump keys. This is an attack against physical locks that succeeds with minimal effort against most locks on the market. It was publicized in the United States at Hope 6 last month by Barry Wels of The Open Organization of Lockpickers (TOOOL) and Marc Tobias. MSNBC and Slashdot ran stories, and this week an NBC affiliate reported on the problem as well. This week Marc Tobias is blogging on the subject, and I've learned that locks by Abloy and Medeco are resistant to bump keys. Finally, the blogosphere has some commentary on the problem.

It seems to me that attacks against WEP and bump keys are examples of the same problem. In either case, a determined intruder with sufficient tools and expertise is going to overcome your preventative security measures and compromise you. In my books I call this fact "prevention eventually fails." Eventual compromise is the reason I recommend detection and response, as well as insurance.

However, relying solely on WEP while the front door to your data center is propped open is no better than installing a vulnerable door lock on a shoddy frame. In those cases, addressing the popular flaw (vulnerable WEP, vulnerable door lock) still leaves many other avenues of attack open. Most opportunistic wireless intruders will pass a WEP-encrypted network for one that is wide open. Most opportunistic physical intruders will pass a locked door for one that is wide open.

In both cases, fighting the battle to address vulnerabilities is a losing cause. Removing threats by prosecuting criminals is the most effective way to reduce risk.

I feel better knowing I have a big dog in my house, though.

4 comments:

ak said...

Actually, the bump key attack is pretty old, and an article about it was published in Die Datenschleuder #86 (the hacker magazine published by the Chaos Computer Club) in 2005.

Richard Bejtlich said...

ak, I know it's old... but it just became publicized in the US.

James Crawford said...

The thing that bothered me the most is that it is near forensically impossible to tell if someone bumped a lock vs just used the proper key. If there is no evidence of break-in there may be problems filing claims with insurance.

Schlage Primus locks are "resistant" to bumping as well. The high security locks such as the Primus and Medecos have tight restrictions on key duplication. A bit of security by obscurity, which is not always as bad as people in the security field tend to think.

One of my friends is experimenting with high weight grease and oils to try and fortify the lower security locks around his company against the bumping type attacks. It would be wonderful if something as simple as that could foil this type of attack.
