WEP encryption for WLANs cracked in under a minute
Researchers from the Technical University of Darmstadt have achieved another breakthrough in cracking WEP encrypted wireless networks. As Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann describe in a paper, they were able to reduce the number of captured packets required for a successful attack by a factor of ten. A wireless network secured with 128-bit WEP encryption can, according to the researchers, be cracked in less than a minute using their attack method. An archive can be downloaded from the working group's website, which adds the new method to the Aircrack WEP cracking program.
Until now, the most efficient WEP attacks needed between 500,000 and two million WEP packets to calculate the 104-bit key which is used for 128-bit WEP. These could be generated using repeated injection of an encrypted ARP query - ARP reinjection - in about ten to 40 minutes, even if the wireless network was being used only sporadically.
The Darmstadt researchers were able to improve the attack method developed by Klein against the RC4 algorithm used by WEP, such that the individual bytes of the key could be calculated independently. As a result, just 40,000 WEP packets should suffice to achieve a 50 per cent probability of calculating the key. With 85,000 packets, the probability rises to 95 per cent. According to the researchers, the method should also work with WEPplus, since their attack is not directed against the weak IVs, which WEPplus deliberately avoids using.
The 25/06 issue of c't reported that studies had shown that more than half of WLANs were still secured using WEP in 2006. The only way for users to protect themselves from WEP attacks is by switching to the more secure WPA or WPA2 protocols. In 2006, around 17 percent of WLANs were using these protocols, with 22 percent of the access points tested being completely unencrypted. The first distributors have already started to offer their customers favourable terms for switching to WPA capable hardware.