WEP can be easily cracked in both 40− and 128−bit variants by using off−the−shelf tools readily available on the Internet. As of the time this was written, on a busy network, 128−bit static WEP keys can be obtained in as little as 15 minutes.
Besides the shared−key weakness that WEP suffers, some of the other known vulnerabilities of WEP are as follows:
- No per−packet authentication. Subsequent frames transmitted after the authentication frame do not contain any authentication data.
- Vulnerability to disassociation attacks. Disassociation is where a wireless LAN adapter terminates its communication with an AP.
In disassociation attacks, an adversary injects forged packets into a wireless LAN, requesting that a valid wireless LAN adapter be disassociated, effectively requiring the valid adapter and AP to perform reauthentication.
- No user identification and authentication. The authentication and identification supported in the 802.11 standard provide only MAC−level authentication and identification. The actual user of the network device is never authenticated.
- No central authentication, authorization, and accounting support. Each AP manages its own authentication, authorization, and accounting (logging activities). If more than one AP is used, the effort involved in managing APs is a factor of the number of APs used.
- RC4 stream cipher is vulnerable to known plaintext attacks. RC4 is considered unsafe due to known cryptographic attacks. Though these attacks require a significant amount of processing power, the insecurity of using RC4 adds to the vulnerability of the WEP protocol.
The initialization vectors (IVs) are at the center of most of the issues that involve WEP. Because the IV is transmitted as plaintext and placed in the 802.11 header, anyone sniffing a WLAN can see it. At 24 bits long, the IV provides a range of 16,777,216 possible values.
A University of California at Berkeley paper found that when the same IV is used with the same key on an encrypted packet, known as an IV collision, a hacker could capture the data frames and derive information about the data as well as the network. For more information, refer to the paper at wep−faq.
In addition to the weaknesses found in the WEP protocol by the University of California at Berkeley, recently cryptanalysts Fluhrer, Mantin, and Shamir discovered inherent shortcomings with the RC4 key−scheduling algorithm.
Because RC4 as implemented in WEP chose to use a 24−bit IV and does not dynamically rotate encryption keys, these shortcomings are demonstrated to have practical applications in decrypting 802.11 frames using WEP.
The attack illustrated in the paper focuses on a large class of weak IVs that can be generated by RC4, and highlights methods to break the key using certain patterns in the IVs.
The WEP protocol is, therefore, considered insecure due to the improper use of initialization vectors and the key scheduling as defined in the WEP protocol, and the lack of authentication primitives for both packet and user−based authentication.
IEEE 802.11 is currently working on extensions to WEP for incorporation within a future version of the standard. This work was initiated in July 1999 as Task Group E, with the specific goal of strengthening the security mechanisms so as to provide a level of security beyond the initial requirements for WEP.
The enhancements currently proposed are intended to counter extremely sophisticated attacks, including those that have been recently reported in the press.
In addition it needs to be noted that the choice of encryption algorithms by IEEE 802.11 are not purely technical decisions, they are limited by government export law restrictions as well.