Sniffing is trivially easy on shared media networks:

• Shared Media Examples:
  • Hub-based Ethernet networks (all traffic visible to all ports)
  • Wireless networks (WiFi – radio signals broadcast to all nearby devices)
  • Same collision domain on Ethernet cable
• Attack Method:
  • Promiscuous Mode: Network adapters can be configured to capture ALL packets, not just those addressed to them
  • No special hardware required – available on most network adapters
  • Wireless makes this even easier – “war driving” with long-range WiFi antennas
• Access Requirements:
  • Physical access to shared media (same cable/hub)
  • Within range of wireless access point
  • Located in same collision domain as sender/recipient

Attackers on isolated (switched) network segments can use ARP poisoning to intercept traffic between two hosts, positioning themselves as a Man-in-the-Middle (MITM).

Attack Scenario:

1. Initial State: Alice wants to communicate with Bob on a switched network. Eve (attacker) is also on the network but on an isolated segment (switch prevents direct sniffing).
2. ARP Request: Alice broadcasts an ARP request asking “Who has Bob’s IP? Tell me your MAC address.”
3. Malicious Response: Eve responds to Alice’s ARP request claiming to have Bob’s IP address, but provides Eve’s MAC address instead of Bob’s actual MAC address.
4. MITM Position:
   • Alice’s ARP table now maps Bob’s IP to Eve’s MAC address
   • All traffic Alice sends to Bob actually goes to Eve first
   • Eve can inspect, modify, or log the traffic
   • Eve forwards packets to Bob to avoid detection (becoming a transparent MITM)

WEP allows Initialization Vectors (IVs) to be reused across different frames, and many implementations handle IVs poorly:

• Fixed IV: Some cards set IV=0 for all packets (802.11 compliant!)
• Reset on Reboot: Some cards reinitialize IV to 0 each time device powers up
• IV Wraparound: 24-bit IV space = only 2^24 = 16,777,216 possible values
  • At 5 Mbps with 1500-byte packets: IV wraps in less than 12 hours
  • Birthday paradox: expect IV collision within ~5000 packets (minutes of traffic)

Attack Mechanism:

When two packets use the same IV with the same key:

Exploitation:

1. XOR Ciphertexts: C₁ ⊕ C₂ = P₁ ⊕ P₂ (XOR of two plaintexts)
2. Known Plaintext Attack: If attacker knows or can guess P₁, can solve for P₂
3. Cryptanalysis: Even without known plaintext, statistical analysis of P₁ ⊕ P₂ can reveal both plaintexts using known techniques

Goal: Pre-compute keystreams for all possible IVs to enable instant decryption of any intercepted packet.

Method:

1. Obtain Known Plaintext-Ciphertext Pairs:
   • Wait for predictable traffic (DHCP, ARP, DNS queries with known structure)
   • Inject known packets from outside the network
   • Observe broadcast traffic encrypted and sent in clear
2. Extract Keystream: For known pair (P, C) with IV:
   • RC4(IV, K) = P ⊕ C
   • Now have the keystream for this specific IV
3. Store in Dictionary: Save <IV, RC4(IV, K)> pair in database
4. Decrypt Future Packets: When intercepting new packet with known IV:
   • Look up keystream for that IV in dictionary
   • P = C ⊕ RC4(IV, K)
   • Instant decryption without key recovery

Storage Requirements:

• 2^24 possible IVs = ~16.7 million entries
• Each entry: IV (3 bytes) + keystream (1500 bytes for max Ethernet frame) ≈ 1503 bytes
• Total storage: ~24 GB for complete dictionary
• Practical for modern storage capacity

Comparison to Brute Force:

• Brute forcing 40-bit key: 2^40 = ~1 trillion attempts (feasible but time-consuming)
• Brute forcing 104-bit key: 2^104 operations (computationally infeasible)
• Dictionary attack: Works equally well against both key sizes!

WEP uses CRC-32 for integrity checking, but CRC is a linear function over the Galois Field GF(2), where addition is XOR:

CRC Homomorphic Property:
c(x ⊕ y) = c(x) ⊕ c(y)

This mathematical property allows attackers to modify ciphertext in predictable ways without knowing the key or plaintext!

Attack Mechanism:

1. Intercepted Ciphertext:
   C = RC4(IV, K) ⊕ (M, c(M))
2. Desired Modification:
   Attacker wants to change message from M to M’ = M ⊕ Δ
3. Compute Modified Ciphertext:
   C’ = C ⊕ (Δ, c(Δ))
4. Verification (this is why it works):
   C’ = C ⊕ (Δ, c(Δ))
      = RC4(IV, K) ⊕ (M, c(M)) ⊕ (Δ, c(Δ))
      = RC4(IV, K) ⊕ (M ⊕ Δ, c(M) ⊕ c(Δ))
      = RC4(IV, K) ⊕ (M’, c(M ⊕ Δ))    ← CRC linearity
      = RC4(IV, K) ⊕ (M’, c(M’))       ← CRC linearity again
5. Result: Modified ciphertext C’ will decrypt to M’ and pass the integrity check!

Attack Power:

• No key required – attacker doesn’t need to know K
• No plaintext required – attacker doesn’t need to know M
• Blind modification – can modify encrypted messages in predictable ways
• No detection – modified packets pass WEP integrity check

Example Attack: Modify encrypted IP packet to change destination address without knowing packet contents or key.

If attacker knows one plaintext-ciphertext pair, can inject arbitrary traffic:

Given:

• Known plaintext M
• Corresponding ciphertext C
• IV value v used for that packet
• Relationship: C = RC4(v, k) ⊕ (M, c(M))

Attack Steps:

1. Extract Keystream:
   RC4(v, k) = C ⊕ (M, c(M))
   Attacker now knows the keystream for IV=v
2. Create New Message: Craft arbitrary message M’ with checksum c(M’)
3. Encrypt New Message:
   C’ = RC4(v, k) ⊕ (M’, c(M’))
4. Inject Packet: Send packet with IV=v and ciphertext C’
   • AP will decrypt successfully
   • Integrity check will pass
   • Attacker’s message accepted as legitimate traffic

Note on IV Reuse: Attacker is reusing the same IV (v) for injection, but WEP specification allows this! The standard doesn’t prohibit IV reuse across different packets.

Impact: Complete bypass of WEP access control – attacker can inject arbitrary frames without knowing WEP key.

WEP’s shared key authentication is vulnerable to replay attacks:

1. Attacker Observes Legitimate Authentication:
   • Challenge (nonce in plaintext): N
   • Response (nonce encrypted): RC4(IV, K) ⊕ N
2. Extract Keystream:
   RC4(IV, K) = (RC4(IV, K) ⊕ N) ⊕ N
   Attacker knows both challenge and response, can compute keystream
3. Authenticate as Legitimate User:
   • Send authentication request to AP
   • Receive new challenge N’
   • Encrypt N’ using captured keystream: RC4(IV, K) ⊕ N’
   • Send response with same IV as captured exchange
4. Result: Authentication succeeds without knowing WEP key!

Fundamental Flaw: Authentication should prove knowledge of secret key, but due to keystream reuse, observing one successful authentication allows unlimited future authentications.

Attacker can trick the AP into decrypting arbitrary ciphertext:

1. Intercept Encrypted Packet: Capture packet with ciphertext C containing unknown message M
2. Modify Destination Address: Use message modification attack (CRC linearity) to change encrypted IP destination to attacker’s IP address:
   • Compute Δ such that original_dest ⊕ Δ = attacker_IP
   • Modify C to C’ = C ⊕ (Δ, c(Δ))
   • C’ now decrypts to M’ with destination = attacker_IP
3. Inject Modified Packet: Send C’ back into network
4. AP Decrypts and Forwards: AP decrypts packet, passes integrity check, and forwards to attacker’s IP
5. Attacker Receives Plaintext: Packet arrives at attacker’s machine in plaintext form

Result: Attacker obtains decryption of any intercepted packet without knowing the WEP key.

The most devastating attack: recovers the actual WEP key from intercepted traffic.

Attack Characteristics:

• Type: Passive cryptanalytic attack on RC4 key scheduling algorithm
• Target: Exploits relationship between RC4 output and key
• Requirement: Specific “weak IVs” that leak key information
• Success Rate: ~15% of all IVs are “weak”

Attack Process:

1. Capture Packets: Collect large number of encrypted packets (4-6 million packets typically required)
2. Identify Weak IVs: Filter packets to find those using weak IVs (specific patterns in first few bytes)
3. Statistical Analysis: Use weak IV packets to derive key bytes:
   • Each weak IV packet votes for most likely value of specific key byte
   • Statistical analysis resolves key one byte at a time
   • First byte recovered first, then second byte, etc.
4. Key Reconstruction: After sufficient packets, recover complete WEP key with high probability

Practical Implementation (AT&T Labs Tech Report):

Attack Acceleration:

• Active Injection: Inject packets to force AP to generate more traffic with weak IVs
• Packet Replay: Replay captured ARP requests to stimulate responses
• Tools Available: Aircrack-ng suite automates entire attack
• Modern Implementation: Can crack WEP in minutes on moderately busy network