Security → WEP and TKIP Wi-Fi encryption methods to be discontinued

H-Security | 17 June 2010

quote:

---

Over the coming three years, the outdated WEP and WPA-TKIP Wi-Fi encryption methods are to be removed from the WFA's (Wi-Fi Alliance) test schedule. The IEEE standards association had already put the WEP standard, which is known to be unsafe, on its hit list in 2004 and intends to add the vulnerable TKIP standard soon.

As early as January of 2011, the WFA plans to disallow TKIP for new access points (APs); from 2012, the obsolete standard is to be disallowed in all Wi-Fi devices. For WEP, the bell will toll a little later: From 2013, access points (APs) will no longer be allowed to offer WEP, and a year later the standard will be disallowed in all Wi-Fi devices. In addition, the WPA2-Mixed mode, in which access points are allowed to offer TKIP for secondary encryption, will be removed in 2014. Only WPA2-AES is to be permissible from then on.

---

»www.h-online.com/securit ··· 835.html

That would be a neat trick if they could pull it off. The only way would be if there were some undetectable (or at least currently undetected) backdoor that would allow a vendor to force a firmware change in all existing WAPs. This is not very likely, and it would be much more a security risk than the use of WEP or WPA-TKIP. Not to mention that it would violate unauthorized network access laws in many countries and states.

Um, they're only referring to their testing and certification scheme, which applies only to new devices going forward.

There is no suggestion that prior devices would have these facilities disabled.

Perhaps that was what the article intended to say, but the actual words were:The phrase "disallowed in all Wi-Fi devices" does not have the same meaning as "disallowed in all new Wi-Fi devices".

Finally! Hopefully, we will have new devices with the latest encryption support by then to stop using WEP (yes, I even still use them for very old devices but with an old WAP that is used for a few hours).

What's more likely: that the article was inartfully written, or that they believe they can bend the time-space continuum?

With some Internet pundits, both scenarios are equally likely.

They could speed things up, if they could persuade ISPs to actually provide support for IPv6. Once that happens, many of us will be replacing routers and APs with IPv6 compatible ones.

What about old (and not so old) devices that do not support decent encryption?
I believe the Xbox 360 wireless A/G adapter only supports TKIP. The DS only supports WEP. Even though the DSi supports WPA, it doesn't work with old games. It probably won't with the 3DS either.

"I believe the Xbox 360 wireless A/G adapter only supports TKIP."

It supports WPA2 - »majornelson.com/archive/ ··· ort.aspx

//A

i am honestly surprised that WAPs still support WEP at all. but i guess this is one of the big issues with computing security. Legacy devices still have to be supported if you want people to buy newer hardware.

What is worse than having present-day WAP's support WEP is that some of this equipment is set up to use WEP as the default setting out of the box. Mr./Mrs. Clueless User will most likely go with the default settings (since they will have no idea why the settings should be changed), thus leaving themselves vulnerable.

Another issue is with support for the better encryption modes in some hardware; even newly purchased equipment. This is an issue I have run into with a Linksys router and a new HP system where the adapter on the HP will not connect to the router with anything other than WEP even though it shows support for other modes.

Don't be too quick to put the blame on the user as there are still hardware compatibility issues to take into account...

JMHO
Mike

True, the user may need to downgrade to WEP in order to use older hardware. That should have to be an action taken by the user, however, and not the factory-default setting of the WAP. If the default is WEP, too many folks are likely to accept it without even knowing that other, more-secure options exist and may perhaps work with their equipment.

If the manufacturers can manage to put a "Note- run the setup CD before connecting the equipment" sticker on the WAP's, I am sure they could put a "Note- this unit is preset for the most secure wireless option, but you may need to change this if it doesn't work with your older hardware- see Section ABC of the User Manual" warning sticker on it also.

That is why I have a separate AP for WEP stuff (not always on either) for old devices. Main router is using WPA2 and is always on.

I have a laptop that doesn't like AES. Right now I still have to use WPA with TKIP. I still feel safe with it.

No matter what goes on in the WiFi enviroment, its not safe.
Even if I have WPA2 AES, I still would NOT do something that requires sensitive online business.

Hard wired is the way to go....

It's pretty safe. Thats the whole point of having encryption. You should be more worried about malware and spyware.