Passive Attacks

  • the key scheduling algorithm (KSA) issue - several weak IVs can reveal key bytes after statistical analysis

  • researchers at AT&T/Rice University and the developers of AirSnort demonstrated this vulnerability and verified that WEP keys can be derived after as few as 4 million frames

  • using dynamic WEP keys can mitigate this vulnerability, but not eliminate it

  • WEP injection can be used to inject new packets to increase the number of weak IVs (so it is not a "pure" passive attack); the source/destination addresses and payload remain the same, and the AP responds with a "duplication" error at the network layer

  • Passive WPA PSK Dictionary Attack

All these attacks have been practically implemented! AirSnort, dwepcrack, Wepcrack, Aircrack, WepLab
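
The injection bullet above notes that the injected frames keep the same source/destination addresses and payload. That repetition is what a wireless monitor can alert on. The following is an added example, not part of the original page: the frame tuple layout, the function names, the 5-second window and the threshold of 50 are assumptions chosen for illustration, and the sample frames are constructed.

```python
import hashlib
from collections import defaultdict

def make_sample():
    """Constructed frames: (timestamp_s, src_mac, dst_mac, encrypted_payload)."""
    frames = []
    # Ordinary traffic: every frame carries a different encrypted payload.
    for i in range(20):
        frames.append((i * 0.5, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01",
                       bytes([i]) * 40))
    # Replay burst: one identical encrypted frame seen 200 times in 2 seconds.
    for i in range(200):
        frames.append((3.0 + i * 0.01, "cc:cc:cc:00:00:02", "ff:ff:ff:ff:ff:ff",
                       b"\x5a" * 36))
    return sorted(frames)

def find_replays(frames, window_s=5.0, threshold=50):
    """Return {(src, dst, payload_digest): peak_count} for identical frames
    seen at least `threshold` times inside any `window_s`-second window."""
    seen = defaultdict(list)
    for ts, src, dst, payload in frames:
        # Hash the encrypted payload so the key stays small; same bytes, same key.
        digest = hashlib.sha256(payload).hexdigest()[:16]
        seen[(src, dst, digest)].append(ts)

    alerts = {}
    for key, times in seen.items():
        times.sort()
        start = peak = 0
        # Sliding window over the timestamps of this exact frame.
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (src, dst, digest), count in find_replays(make_sample()).items():
        print(f"possible replay: {src} -> {dst} payload {digest} x{count}")
```

Legitimate retransmissions also repeat a frame, so the threshold should sit well above the retry counts normally seen on the monitored network.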