Smashing WEP in a Passive Attack
In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires \(22\,500\) packets to gain success probability of \(50\,\%\) against a \(104\)-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than \(5\) s on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around \(3\,\%\) success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires \(27\,500\) packets. This is much less than the number of packets Aircrack-ng requires in active mode (around \(37\,500\)), which is a huge improvement. We believe that our analysis brings on further insight to the security of RC4.