Passive Attacks

  • the key scheduling algorithm (KSA) issue - several weak IVs can reveal key bytes after statistical analysis

  • researchers at AT&T/Rice University and the developers of AirSnort demonstrated this vulnerability and verified that WEP keys can be derived after as few as 4 million frames

  • using dynamic WEP keys can mitigate this vulnerability, but not eliminate it

  • WEP injection can be used to inject new packets to increase the number of weak IVs (not a "pure" passive attack); as the source/destination address and payload remain the same, the AP responds with a "duplication" error on the network layer

  • Passive WPA PSK Dictionary Attack

All these attacks have been practically implemented! AirSnort, dwepcrack, Wepcrack, Aircrack, WepLab
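
The injection bullet notes that replayed frames keep the same source/destination address and payload, which gives a wireless IDS something to count. The sketch below is an added example, not part of the original page; the frame tuple layout, MAC addresses, window and threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def frame_key(src, dst, iv, ciphertext):
    # A replayed WEP frame is resent verbatim, so the cleartext 3-byte IV
    # and the ciphertext repeat along with the addresses.
    digest = hashlib.sha256(iv + ciphertext).hexdigest()[:16]
    return (src, dst, digest)

def find_replays(frames, window=1.0, threshold=5):
    """Return {frame_key: peak_count} for frames seen at least `threshold`
    times within any `window` seconds (both values are assumed tunables)."""
    seen = defaultdict(list)
    for ts, src, dst, iv, ct in frames:
        seen[frame_key(src, dst, iv, ct)].append(ts)
    alerts = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts

def build_sample():
    """Constructed capture: (timestamp_s, src, dst, iv, ciphertext)."""
    client, ap = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    frames = []
    # Normal client: fresh IV and different ciphertext on every frame.
    for i in range(20):
        frames.append((i * 0.1, client, ap, i.to_bytes(3, "big"), bytes([i]) * 40))
    # Ordinary link-layer retry: one frame seen twice, must not alert.
    retry = (client, ap, b"\x00\x01\x02", b"\x10" * 40)
    frames += [(0.55,) + retry, (0.56,) + retry]
    # Replayed frame: identical addresses, IV and payload, 30 times in 0.6 s.
    for i in range(30):
        frames.append((2.0 + i * 0.02, "de:ad:be:ef:00:01",
                       "ff:ff:ff:ff:ff:ff", b"\x5a\x10\x07", b"\xc3" * 36))
    return frames

if __name__ == "__main__":
    for (src, dst, digest), count in find_replays(build_sample()).items():
        print(f"possible replay: {src} -> {dst} frame {digest} x{count}")
```

The threshold has to sit above the normal 802.11 retry count for the environment, otherwise ordinary retransmissions will alert.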