Flaws in WEP encryption were exploited using a series of replays and very specific cryptographic attacks. In this video, you’ll learn the process that the bad guys used to break WEP encryption.
<< Previous Video: Near Field CommunicationNext: WPA Attacks >>
When you’re on a wireless network, you still need to be aware of the possibility of a replay attack. This is very similar to the replay attacks you would get on a wired network. In fact, on a wireless network it may be even a little bit easier to gather the information that someone might need to then perform that replay attack. This is a big problem for people that are trying to protect their wireless networks in the enterprise because you’re sending that signal out everywhere. It’s very difficult to localize it, and therefore that opens up some security concerns for you as a security professional.
It’s obviously easy to capture this data, especially on something like a hot spot where all of the information is naturally in the clear. You’re not doing any type of WEP or WPA encryption, you have to require the end user to provide their own VPN or other encryption mechanism to be able to protect their data. And of course, not everybody on the wireless access point in these public areas is going to have that type of security in place. It’s very easy for the bad guy to tune in the SSID of the wireless access point and listen to all of the information going by. That’s a perfect place to gather information that you can then use for a replay attack.
The cryptographic problems of the WEP encryption protocol were really something that we were able to take advantage of because of a replay issue. The WEP encryption allows you to replay information using exactly the same key. And so it was very easy for someone to collect information and then send that information back out again.
To perform a crack of WEP encryption you needed to gather a lot of initialization vector packets. These are packets that normally are sent back and forth when a system is connecting to the wireless network, but when you’re trying to gather thousands of these you need to create your own method to gather them. And being able to send ARP requests across this wireless network allowed us to build a large group of initialization vector packets and store all of that data. You can sit and either wait for people to do it themselves or take advantage of this replay of the ARP information and gather thousands of these packets very, very quickly.
Once you have all of these initialization vector packets, it only takes a matter of seconds then to extrapolate the WEP key from this. And of course, once you have the WEP key you have access to all of the data going across that wireless network. You can see this cryptographic vulnerability in WEP was significant and it was made so much easier to take advantage of by using this ARP replay attack.