IV Replay Attack

  1. A known plain-text message is sent to an wireless client (an email message, ICMP request, ..)

  2. The attacker will sniff the wireless looking for the predicted cipher-text

  3. The attacker will find the known frame and compute the key stream

  4. The attacker can grow the key stream to any size required

    • The attacker builds a frame one byte larger than the known key stream size (ICMP frame should be ideal for obtaining the response)

    • The attacker augments the key stream by one byte - he tries all possible values (i.e. he sends 256 ICMP requests)

    • When the attacker guesses the correct value, the expected response (e.g. the ICMP reply message) is received

    • The attacker can repeat this process until the desired key stream length is obtained