Passive Attacks
the key scheduling algorithm (KSA) issue - several weak IVs can reveal key bytes after statistical analysis
researchers at AT&T/Rice University and the developers of AirSnort demonstrated this vulnerability and verified that WEP keys can be derived after as few as 4 million frames
using dynamic WEP keys can mitigate this vulnerability, but not eliminate
WEP injection can be used to inject new packets to increase the number of weak IV (not "pure" passive attack) (as source/destination address and payload remain the same, the AP responds with "duplication" error on the network layer
Passive WPA PSK Dictionary Attack
All these attacks have been practically implemented! Airsnort, dwepcrack, Wepcrack, Aircrack, WepLab