Wired Equivalent Privacy (WEP): Definition & Risks

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

The wired equivalent privacy, or WEP, is part of the IEEE 802.11 standard designed to keep traffic sent through wireless networks more secure. It was created to help prevent cyberattacks, such as man-in-the-middle (MiiM) attacks, from being successful. 

WEP uses a static key of 10 or 26 hexadecimal digits to encrypt data. In the late 1990s and early 2000s, it was widely used and often the primary security choice router configuration tool offered to users.

Wired equivalent privacy has since been superseded by WPA (Wi-Fi protected access) and then WPA2, which was designed to address the security vulnerabilities that WEP presented. WPA uses a dynamic key and message integrity checks to ensure a higher level of cybersecurity. 

WPA2 is an upgraded version of WPA. It is based on the robust security network (RSN) mechanism and can be even more secure than WPA. 

WPE is a retired security protocol that has been deemed insecure. It has been replaced, first by first WPA and then by WPA2.

What is wired equivalent privacy (WEP)?

WEP, or wired equivalent privacy, is a security algorithm presented by the Institute of Electrical and Electronics Engineers (IEEE) as part of the IEEE 802.11 internet standard that was ratified in 1997. 

WEP was created to secure and ensure data confidentiality at the same level that a traditional wired network offered. Wireless connections transmit data through radio waves, which can be intercepted. WEP was designed to encrypt this data so that even if it were to be intercepted, such as through a MiiM attack, the threat actor would not be able to decipher its contents.

Due to U.S. government-imposed restrictions on the exportation of cryptographic technology, WEP key sizes were initially limited to a 40-bit key (called WEP-40) for the 64-bit WEP protocol. As these restrictions were lifted, the extended 128-bit WEP protocol using the 104-bit key (WEP-104) was introduced. WEP uses the RC4 stream cypher for confidentiality and the CRC-32 checksum for integrity. 

The 64-bit WEP key uses a string of 10 hexadecimal (base 16) alphanumeric characters with each character representing 4 bits, while the 128-bit WEP key uses a string of 26 hexadecimal alphanumeric characters. These characters are either numbers between 0 and 9 or letters between A and F. 

Using WEP, all traffic is encrypted as a single key, meaning that it uses a static key. This key is used to connect computers to a wireless-security-enabled network. Computers connected to this network can exchange encrypted messages.

WEP vs. WPA vs. WPA2

With WEP, all traffic (regardless of the device) is encrypted with the same static single key. As technology has advanced, bad actors have learned how to decrypt this single key; therefore, they have access to all of the confidential transmissions. 

Similarly, anyone connected to the secure network would have access to the single key and therefore be able to read the transmissions regardless of if they were authorised or intended to do so. As a result, WEP was officially retired in 2004 after the Wi-Fi Alliance introduced WPA (Wi-Fi protected access) and then WPA2.

  • WPA: WPA was introduced to replace WEP in 2003. Instead of authorising all users with the same key, WPA instead uses the temporal key integral protocol (TKIP) to dynamically alter the key. Threat actors were no longer able to match the static single key as they could with WEP since the key was now more dynamic and changing.

WPA was created as an interim solution, as an extension of WEP under the IEEE 802.11i standard. WPA also increased the key size to 256-bit and included message integrity checks to ensure that data packets had not been captured or altered by threat actors.

  • WPA2: WPA was also exploited and replaced by WPA2 in 2004. WPA2 operates on two modes. The personal mode or pre-shared key (WPA2-PSK) uses a shared passcode for access. It is typically used in home environments. The enterprise mode (WPA2-EAP) is designed for organisational or business use. WPA2 is based on the RSN mechanism.

Both modes of WPA2 use the counter mode cypher block chaining message authentication protocol (CCMP), which is based on the advanced encryption standard (AES) that offers verification for both message authenticity and integrity. AES replaces TKIP, and CCMP is a much stronger protocol that makes it more difficult for threat actors to guess the encryption pattern.

Benefits of WEP

Wired equivalent privacy is meant to protect Wi-Fi transmissions by encrypting the data so outsiders who are not inside the encrypted network will not be able to read the messages or data contained within. WEP is better than no security at all, and it is still used on older devices that do not support WPA or WPA2. 

WEP encrypts data to and from the access point with a static key. Anyone who is connected to the secured network has access to this key and therefore the decrypted transmission.

Critiques of WEP

Wired equivalent privacy is a retired Wi-Fi security algorithm that has been deemed unsafe and easy for threat actors to crack. For this reason, it is almost never recommended to use WEP to secure Wi-Fi networks or transmissions. 

Because WEP is an out-of-date Wi-Fi encryption method, it has the following drawbacks:

  • Threat actors are able to easily guess the static key and therefore gain access to the confidential messages. A threat actor can listen in to transmissions and collect data packets. With these details, they are able to decrypt the encryption key. 
  • A static key is used, which means that every connected device on the network has access to all of the confidential message contents. Once connected to the WEP-secured Wi-Fi network, the user is granted authorisation through the static and single key.
  • WEP only supports 64-bit or 128-bit encryption key sizes, which can be more easily decrypted than the larger 256-bit encryption key.
  • WEP is limited to the use of hexadecimal characters, which only allow for numbers 0–9 and the letters A–F. The key length is therefore not very secure. Standard computers have the ability to hack these keys.

A WEP-protected network can be cracked in under a minute, especially if the network sees a lot of traffic. Threat actors are then able to intercept a large number of data packets. WEP has been demonstrated to be extremely insecure and should not be used to protect Wi-Fi networks. 

Key takeaways

The wireless security algorithm WEP (wired equivalent privacy) was the first security protocol to protect traffic on wireless networks in the same way that traffic on wired networks is kept confidential. 

WEP uses a 64-bit or 128-bit static key with hexadecimal characters. This single static key is shared with everyone on the WEP-secured network for authentication purposes. WEP was initially created to protect messages from being read by threat actors even if they were intercepted.

As technology continued to advance, WEP was found to be easily cracked, as key lengths are too short and restricted, and the same key is used for all transmissions. All a threat actor has to do is collect data packets. Then, they are able to decrypt the static key and use it to authenticate themselves on the network. 

WEP was replaced first by WPA and then WPA2, which is more secure and uses a dynamic key and message integrity checks. 

Wired equivalent privacy is not recommended to be used for Wi-Fi encryption today. Instead, more current security protocols are optimal.

References

WEP: The “Wired Equivalent Privacy” Algorithm. (November 1994). Institute of Electrical and Electronics Engineers (IEEE).

RC4 Encryption Algorithm Stream Ciphers Defined. (2022). Okta.

CRC32. (2022). The PHP Group.

Wi-Fi Alliance. (2022). Wi-Fi Alliance.

802.11i Overview. (February 2005). Institute of Electrical and Electronics Engineers (IEEE).