January 17, 2007

Attacks Against WEP Clients

Sergey Gordeychik
gоrdey @ ptsеcurity com
Introduction
Speaking about WEP protocol vulnerabilities in 2007 seems possible only in the context of a historical retrospective, however, anyone can easily come across it even today. All the known WEP hacking techniques are primarily aimed at access points and require interaction with AP. This article describes a technique that allows restoring a WEP key not accessing AP and being within the station radio coverage.

For instance, a WEP key to a home access point can be obtained when its owner uses a laptop in a plane or office.

Attacks against wireless network clients
Attacks against wireless network clients are an effective malware tool. One of the most wide-spread techniques is creation of a false access point.

According to the researches based on the technique Gnivirdraw, up to 80% of clients contain insecure connections in a profile or connect to false access points for other reasons. However, if a station uses any security mechanisms, even such as WEP, attackers have fewer chances to succeed. A malware user can set a false access point with an arbitrary WEP key and a lot of clients will connect to this point on the channel level, but they will be unable to exchange information.
 
Fig. 1. Connecting to a false access point