How to open a WEP AP correctly?

I'm on the latest snapshot (r26302-4f87a4d84f ) on Generic x86/64. Builded with the firmware selector with this config:

base-files busybox ca-bundle dnsmasq dropbear e2fsprogs firewall4 fstools grub2-bios-setup kmod-amd-xgbe kmod-bnx2 kmod-button-hotplug kmod-dwmac-intel kmod-forcedeth kmod-fs-vfat kmod-igb kmod-igc kmod-ixgbe kmod-nft-offload kmod-tg3 libc libgcc libustream-mbedtls logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only opkg partx-utils procd procd-seccomp procd-ujail uci uclient-fetch urandom-seed urngd nano-full htop wpad-mbedtls kmod-rtw88-8821cu usbutils usb-modeswitch

The reason for this is a rtw8821cu WiFi stick which seems to be supported in snapshot only.

Now I followed this cause I need to open a WEP network: https://openwrt.org/docs/guide-user/network/wifi/encryption#wep_encryption_not_recommended
It seemed to work and even LUCI shows it's configured to WEP but at the same time it is disabled and I see this in the logs:

Tue May 14 08:03:12 2024 daemon.err hostapd: Line 29: unknown configuration item 'wep_key0'
Tue May 14 08:03:12 2024 daemon.err hostapd: Line 30: unknown configuration item 'wep_default_key'
Tue May 14 08:03:12 2024 daemon.err hostapd: 2 errors found in configuration file '<inline>'

This is the whole /etc/config/wireless:
image

So what am I doing wrong?

//EDIT: From looking at hostapd codes it seems the ifdef CONFIG_WEP resolves to false, so it jumps through all the else ifs until it reaches this, which prints exactly the error messages I saw: https://w1.fi/cgit/hostap/tree/hostapd/config_file.c#n5072

This is weird through as openwrt defines that here: https://github.com/openwrt/openwrt/blob/main/package/network/services/hostapd/Makefile#L591

So did I find a bug and if so: Where to report?

WEP is completely insecure and no longer offered by OpenWrt, should you still require it (don't!), you will have to build OpenWrt from source and explicitly enable it.

3 Likes

@slh Wow, that's a bummer.

If I have the option between everyone entering the network cause it is open or using WEP to keep at least noobs away I choose the second one. Which rises the question: Why does OpenWRT still support open networks / how can open be more secure than WEP?

There is no excuse for running WEP (it's even disallowed for modern WLAN standards).

Open network 'may' still be useful for hotspot like scenarios (and it doesn't need those obsolete algorithms/ dependencies).

3 Likes

It won't even keep the noobs away because Aircrack-ng exists. Breaking WEP encryption is literally one of the first tutorials new users can read to learn the tool, and that tutorial was written in 2010! If anything, one could argue having a WEP network makes it even more likely that a noob will test their newfound aircrack-ng skills on it!

WEP is so broken it's basically no better than just running an open wireless network, and it has been that way for more than twenty years now.

In August 2001, Scott Fluhrer, Itsik Mantin, and Adi Shamir published a cryptanalysis of WEP[4] that exploits the way the RC4 ciphers and IV are used in WEP, resulting in a passive attack that can recover the RC4 key after eavesdropping on the network.

It is possible to perform the attack with a personal computer, off-the-shelf hardware, and freely available software such as aircrack-ng to crack any WEP key in minutes.

Cam-Winget et al.[15] surveyed a variety of shortcomings in WEP. They wrote "Experiments in the field show that, with proper equipment, it is practical to eavesdrop on WEP-protected networks from distances of a mile or more from the target."

At least with an open network there's no delusion that the wireless network is secure in any way.

5 Likes

WEP reduces maximum radio speed to G or N while open network is permitted in all newer radio standards. WPA3 includes OWE, open to connect still negotiating per-client key and making them unable to snoop on eachother. Or for interop WPA2+AES is still permitted and you can print a QR code for guests even with 15 years old devices.

2 Likes

@brada4 So how exactly do I get my Nintendo 2DS XL in DS compatibility mode to connect to that WPA2+AES Network? Nintendo says not possible but this device got released in 2017, so just 7 years ago, restricting your statement that I can do this with 15 years old devices.

3DS is also b/g only, so I don't care about higher standards. All I want is having a dedicated network for that 3DS which is not open.

Anyway, installed Arch Linux in a VM and using that now for a WEP compatible hostapd. Sad that people like me have to switch to general purpose distributions now as the "open" router distribution restricts users choices.

//EDIT: See, I really don't want to sound mean. I know how badly broken WEP is. The way I see this is that a network I spawn on demand only, have the SSID hidden, have a MAC filter active and is WEP encrypted is still better than just a plain open network. In my eyes this configuration might not stop experts like you from entering the network but it might at least stop the neighbor kid to enter it when dad cutted the WiFi / forbid to go online.

Open network with mac filter

1 Like

And set txpower as low as practical and disable legacy_rates to make it difficult for someone to connect to it from outside your house.

1 Like

The Nintendo support states something different, even on Reddit there're people who had success with this.
I don't own one, so i can't verify this.

1 Like

So it is WPA1+TKIP? You just need to make a new AP then with degraded security.

No, it doesn't. You have to read carefully:

Which is a completely different thing as running 3DS software, so this from your Nintendo link applies:


For more informations see for example
https://www.reddit.com/r/3DS/comments/1mikdr/wpa2_support_in_nintendo_ds_connections/

Just make DS network isolated like guest

I stand corrected.