- The Easiest Way to Get in
- A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering
- Picking a Trivial Lock: Various Means of Cracking WEP
- Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking
- Field Observations in WEP Cracking
- Cracking TKIP: The New Menace
- The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment
- Breaking the Secure Safe
- The Last Resort: Wireless DoS Attacks
- Summary
Field Observations in WEP Cracking
To end the WEP cracking story, here are some observations from our practical work. There are specific conditions in which RF noise, an unreliable link, or host disassociation or deauthentication can increase rather than decrease the amount of WEP-encrypted traffic flowing through the wireless network.
One such condition is the presence of connection-oriented protocol links. Imagine two hosts communicating over the wireless link using TCP or SPX. If the link is unreliable or fails, the data segments will be retransmitted many times until the whole datagram is eventually passed. The number of packets needed to transmit the same amount of data will increase, and so will the number of interesting IV frames to catch. Moreover, to alleviate the poor link quality, the system administrator might decrease the frame size, as all wireless networking manuals and how-tos advise. This will surely help, but it will also increase the number of fragments sent, with each fragment carrying its own, very special IV. Please note that the common RF problems of multipath, active interference, and hidden nodes are frequent reasons to decrease the wireless frame size; truly, "the network stability and network security are two sides of the same coin" (Dan Kaminsky). It is interesting that no research has been done to establish the mathematical relation between the preset 802.11 frame size and the time efficiency of WEP cracking. Surely it is a useful topic that many wireless hackers might like to investigate.
Another case of link disruption generating excessive amounts of traffic is the triggering of routing updates. Imagine a link-state routing protocol (let's say OSPF) running over the wireless network. Should the link to one of the routers go down, an LSA flood will follow, giving the Dijkstra algorithm new data to work on. Now imagine that the link goes down periodically, thus creating a "flapping route." In a situation in which both the designated and backup routers' links go down, router elections will take place: more packets, more IVs. Distance-vector protocols like RIP and IGRP aren't any better: not only do they constantly generate volumes of wireless network traffic, but should the link go down, a flood of triggered updates will begin. These examples demonstrate that wireless DoS attacks (at both the first and second OSI layers) are not just a mere annoyance or a possible sidekick to man-in-the-middle attacks, but can constitute part of a greater network intrusion plan involving accelerated disclosure of the shared WEP key.
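The fragmentation and retransmission effect described above can be put in numbers. The following Python model is an added illustration, not code from the book: it estimates how many IV-bearing WEP frames a given volume of payload produces for a chosen 802.11 fragmentation threshold and transport-layer loss rate, so an administrator can see how much keystream exposure a "lower the frame size" fix buys the attacker. The framing constants are standard 802.11/WEP sizes; the segment sizes, thresholds and loss rates in the demo are constructed.

```python
import math

# 802.11/WEP framing constants (standard sizes, not taken from the page)
MAC_HEADER = 24   # data frame header without QoS/address-4 fields
FCS = 4
WEP_OVERHEAD = 8  # 4-byte IV header (3-byte IV + key ID) + 4-byte ICV


def fragments_per_msdu(msdu_len: int, frag_threshold: int) -> int:
    """WEP-encrypted MPDUs (one fresh IV each) needed to carry one MSDU.
    The fragmentation threshold bounds the whole MPDU, so the payload that
    fits into each fragment is the threshold minus header, IV, ICV and FCS."""
    payload_per_fragment = frag_threshold - MAC_HEADER - WEP_OVERHEAD - FCS
    if payload_per_fragment <= 0:
        raise ValueError("fragmentation threshold leaves no room for payload")
    return max(1, math.ceil(msdu_len / payload_per_fragment))


def expected_transmissions(loss_prob: float, max_retries=None) -> float:
    """Expected number of times a transport-layer segment (TCP, SPX) is sent
    before it is delivered, if each attempt is lost independently with
    loss_prob.  Every retransmitted segment is a new MSDU and gets fresh IVs;
    MAC-layer retries of an identical MPDU are not modelled here."""
    if not 0 <= loss_prob < 1:
        raise ValueError("loss_prob must be in [0, 1)")
    if max_retries is None:                 # retry until delivered
        return 1 / (1 - loss_prob)
    attempts = max_retries + 1              # sender gives up after max_retries
    return (1 - loss_prob ** attempts) / (1 - loss_prob)


def expected_iv_frames(total_bytes: int, msdu_len: int, frag_threshold: int,
                       loss_prob: float = 0.0, max_retries=None) -> float:
    """Expected count of IV-bearing frames an observer sees while total_bytes
    of payload cross the link in msdu_len-byte segments."""
    segments = math.ceil(total_bytes / msdu_len)
    return (segments * fragments_per_msdu(msdu_len, frag_threshold)
            * expected_transmissions(loss_prob, max_retries))


def exposure_ratio(total_bytes, msdu_len, low_threshold, loss_prob=0.0,
                   high_threshold=2346):
    """Factor by which a lowered threshold plus loss multiplies the IV count
    relative to the default 2346-byte threshold on a clean link."""
    return (expected_iv_frames(total_bytes, msdu_len, low_threshold, loss_prob)
            / expected_iv_frames(total_bytes, msdu_len, high_threshold))


if __name__ == "__main__":
    for threshold in (2346, 1024, 512, 256):        # constructed demo values
        for loss in (0.0, 0.2):
            frames = expected_iv_frames(1_000_000, 1500, threshold, loss)
            print(f"threshold={threshold:5d} loss={loss:.1f}  IV frames per MB: {frames:8.1f}")
```

With 1500-byte segments, dropping the threshold from 2346 to 256 bytes turns every segment into seven WEP fragments, and a 20% segment loss rate adds another 25% on top.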