Erik Tews and Martin Beck will present their findings at PacSec net week but the message is clear: layered security is your best chance at actually achieving security.

I held out on posting this until the whitepaper was released. You can now find it here: http://dl.aircrack-ng.org/breakingwepandwpa.pdf

I don’t have time read the whole thing before class recommend that you do!

Open APs make life, especially in a densely populated city, just a little bit easier. The prevalence of 802.11x-capable devices creates a high demand for basic connectivity. Aside from laptops, think of the iPhones, N95s and even Wiis that rely on WiFi to fully exploit their functionality. When you need Internet access, you really need net access. Help out your neighbors, guests and random passerbys. If it doesn’t hurt you, setup an open AP.

Otherwise, please use strong security. From my apartment, I can receive signals from a dozen APs. Technically, these are SSIDs but I’m assuming that residential areas will typically have one AP per SSID.

Of these, three are open, six or seven use WEP and the remainder use WPA/WPA2.

I would have expected to see virtually all WPA/WPA2 networks except for the one or two that are 802.11b. I have three theories regarding this:
1) It might be that the “Easy Setup” software that comes with most routers defaults to WEP for the sake compatibility.
2) Possibly the wording on the setup instructions is such that users would be more inclined to choose WEP.
3) Or it could simply be that users have no incentive to choose their encryption scheme.

To support theory three: I believe that most residential users have no idea that WEP is almost useless for wireless encryption. Therefore, if there is some small benefit in compatibility and no preceptible increase in security, a reasonable user would have no incentive to choose WPA over WEP.

To give an analogy, I see WEP as the equivalent to closing your door. Most people won’t come in but it requires minimal effort to do so. WPA2 is like closing your door and locking it. An attacker must expend significant effort to break in. To extend the analogy, an open AP is like an open door. Thirsty people will come in and drink water from your kitchen faucet.

That middle road will both deny people a resource and provide a false sense of security. Go all the way either for security or openness.