The Register reports on an interview with the authors of an ARP-based WEP attack that has a 95% probability of cracking a WEP-secured wireless network in less than two minutes.
How did you develop the attack?
Ralf-Philipp Weinmann: Andrei, Erik, and I share a room. We've basically seen Andreas Klein's RC4 attack in late 2005 when he presented a talk here in Darmstadt at local workshop (Kryptotag).
We didn't realise the potential of the attack until early 2007 when I realised that apparently nobody outside of Germany was aware of the attack since the preprint was only available in German until then. Erik and I then bounced ideas back and forth about the applicability of the attack against WEP and quickly realised that it was more than an order of magnitude faster than any previous key recovery attack. Erik wrote some code, Andrei improved it.
Simultaneously, we became aware that an improved version of Andreas Klein's paper had been submitted to the Workshop on Coding and Cryptography, this time in English. First attempts against a demo network showed that the code indeed did work as expected on our side. We began writing the paper and put it on the IACR ePrint server. Simultaneously, Erik released the code for people to verify our results.
What type of speedup does your attack provide over previous attacks?
Erik Tews: The old attack needed between 500,000 to 2 million packets to "work usually". We (Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann) showed that our attack has a success probability of 50 per cent with 40,000 packets and success probability of 95 per cent with 85,000 packets. So perhaps the speedup is a factor of 15 or so in the number of packets required.
CPU-Time of our attack is about three seconds on a consumer laptop. I think the CPU-Time of the original attack was longer, but could vary very much.
We found out that a rate of about 764 data packets per second can be reached using ARP injection. So to make it a little bit easier for the reader we can say that 60 seconds are enough to collect 40,000 packets and crack the key with a 50 per cent success rate. If the rate of packets is lower, then we need longer.
Three seconds of CPU time on a consumer laptop and less than two minutes sniffing traffic. In other words, if your wireless network is "secured" with WEP, someone can stop outside on the street, crack your network, and be gone before you've even started to wonder what they're doing sitting there.