Skip to content

WEP (Wired Equivalent Privacy)

WEP was the original 802.11 security protocol, defined in the 802.11-1997 standard. It is fundamentally broken at the cryptographic level and should not be deployed. Any WEP network is compromised given sufficient captured traffic.

The recommended tool for WEP key recovery is WEPWolf, which runs PTW, KoreK, FMS, and RC4-bias attacks from a single command on any pcap/pcapng capture. See the WEP cracking guide for a step-by-step walkthrough. aircrack-ng remains necessary for active radio attacks (injection, replay).

WEP Design

WEP uses the RC4 stream cipher with a 24-bit initialization vector (IV) prepended to the static key. Each frame is integrity-protected with a CRC-32 checksum (called the ICV) appended before encryption.

WEP key lengths:

Name Static key IV Total RC4 key
WEP-40 40 bits (5 bytes) 24 bits (3 bytes) 64 bits
WEP-104 104 bits (13 bytes) 24 bits (3 bytes) 128 bits

The 3-byte IV is prepended to the key in the order IV[0] || IV[1] || IV[2] || Key before initializing the RC4 KSA (Key Scheduling Algorithm).

Why WEP Is Broken

IV Reuse

The 24-bit IV space contains only 2^24 = 16,777,216 unique values. On a moderate-throughput network, the IV space is exhausted within hours, guaranteeing IV reuse. Two frames encrypted with the same IV and static key produce XOR-related ciphertext: C1 XOR C2 = P1 XOR P2. If either plaintext is known (e.g., ARP frames have known structure), the other is immediately recoverable.

CRC-32 Linearity

CRC-32 is a linear function over GF(2): CRC(A XOR B) = CRC(A) XOR CRC(B). An attacker can flip arbitrary bits in a WEP-encrypted frame's ciphertext and update the ICV checksum without knowing the key. This completely breaks integrity protection; bit-flipping attacks are trivial.

RC4 Key Scheduling Weakness

The RC4 KSA processes the full key bytes sequentially. Certain IV values of the form (A+3, 255, X) cause the KSA's internal state to leak information about specific key bytes through the first byte of the keystream. Fluhrer, Mantin, and Shamir (FMS) formalized this in 2001. Statistical analysis of sufficient weak IVs recovers the key bytes one at a time.

Attack Overview

Attack Year Authors Packets needed Method
FMS 2001 Fluhrer, Mantin, Shamir ~4,000,000 data frames Weak IV + KSA keystream correlation
KoreK 2004 KoreK ~500,000 data frames 17 statistical correlations; fewer IVs than FMS
PTW 2007 Pyshkin, Tews, Weinmann ~40,000 ARP frames Multibyte attack on all keystream bytes
ChopChop 2004 KoreK 1 frame (active) Decrypt by truncating + replaying
Fragmentation 2005 Andrea 1 frame (active) Recover keystream via fragmentation
Caffe-Latte 2007 AirTight ~40,000 (client) Client-side; no AP needed
Hirte 2008 Tews, Beck ~40,000 (client) ARP fragmentation variant

FMS / KoreK

Statistical attacks exploiting RC4 KSA weaknesses. Require large numbers of frames using weak IVs. KoreK extended FMS with additional correlations, significantly reducing the required frame count.

PTW (Pyshkin-Tews-Weinmann)

The most efficient key recovery attack. Instead of targeting only weak IVs, PTW uses correlations between the keystream's first bytes and the key bytes for all IVs. Requires ARP frames (68 bytes) because the plaintext structure is known:

  • ARP header structure is predictable (source/dest IP and MAC)
  • Known plaintext → known first bytes of keystream → statistical correlation

PTW is the default attack in both WEPWolf and aircrack-ng. WEPWolf additionally ships the Sepehrdad "Smashing WEP" RC4-bias database, which recovers keys from fewer packets than PTW alone. With ARP replay injection: ~40,000 unique IVs → WEP-40 or WEP-104 key in under 60 seconds.

ChopChop

Interactive decryption: the attacker truncates the last byte of an encrypted frame and sends modified copies to the AP. If the AP accepts (indicates valid CRC), the last byte is determined. Repeating recovers the full plaintext and the corresponding keystream, usable for crafting arbitrary encrypted frames. Does not directly recover the WEP key.

Fragmentation

Exploits the 802.11 fragmentation mechanism to recover keystream from a single known-plaintext fragment. The recovered keystream can be used to encrypt new frames. Like ChopChop, does not recover the key.

Caffe-Latte / Hirte

Client-side attacks that work without proximity to the AP. The attacker induces the client to retransmit ARP requests by sending gratuitous ARPs, then injects the client's own encrypted traffic back at it in a loop. Sufficient IVs accumulate from the client's transmissions alone.

Spec References

  • WEP definition: IEEE 802.11-1997, 802.11b-1999
  • FMS attack: Fluhrer, Mantin, Shamir: "Weaknesses in the Key Scheduling Algorithm of RC4" (2001)
  • PTW attack: Pyshkin, Tews, Weinmann: "Breaking 104 Bit WEP in Less Than 60 Seconds" (2007)
  • ChopChop: KoreK, H1kari (2004)