Wireless LANs are not sufficiently protected, even when network administrators use the built-in security protocol WEP (Wired Equivalent Privacy). A seven-month investigation conducted in London found that 94% of all wireless LANs in use were inadequately protected against attacks. The Cybercrime Unit, a division of the International Chamber of Commerce, found that wireless networks are poorly secured, if they are secured at all. Drive-by hacking is becoming ever more popular: hackers drive through office districts in a car and try to penetrate company WLANs from the street, where their signals can still be received.
Three researchers at the University of California at Berkeley, Nikita Borisov, Ian Goldberg and David Wagner, discovered a major security flaw in WEP encryption last year. Furthermore, in August of 2001, cryptographers Scott Fluhrer, Itsik Mantin and Adi Shamir published a paper on the weaknesses of the RC4 cipher, on which WEP is based. Shortly thereafter, in late August of 2001, a student at Rice University and two employees of AT&T Labs - Research (Adam Stubblefield, John Ioannidis and Aviel D. Rubin) successfully implemented the ideas expressed in those two publications. What makes this so serious is that no special equipment is required: a PC with a standard wireless card running modified drivers downloaded from the Internet is enough to record and evaluate several hundred thousand data packets.
How WEP Works
WEP currently uses two encryption depths, 64 and 128 bits. The per-packet key is formed from a 24-bit initialization vector (IV) and the actual secret key of 40 or 104 bits. The often-cited 40-bit encryption is therefore the same thing as 64-bit WEP: a 40-bit secret key plus the 24-bit IV. The standard says nothing about key management; the only requirement is that the WLAN card and the access point use the same algorithm. Usually, everyone on the local network uses the same secret key. The RC4 algorithm uses this key to generate an arbitrarily long pseudorandom keystream. Because the WEP key itself is identical for all stations, each data packet is sent with a different IV; otherwise every packet would be encrypted with the same RC4 key and thus the same "random" keystream.
Before a data packet is transmitted, an integrity check (IC) computes a checksum over the data. Its purpose is to keep attackers from altering the data during transmission. RC4 then generates the keystream from the IV and the secret key. WEP appends the IC to the data and combines the result with the keystream using the exclusive-or (XOR) function. The IV is transmitted first, in plain text, followed by the encrypted data. By regenerating the RC4 keystream from the received IV and the known secret key, the recipient recovers the data with the same XOR operation and can then verify the IC.
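The packet construction described above, written out as an added example (this is illustrative code, not part of the original article or any vendor's WEP implementation). It implements RC4 from scratch, builds the per-packet key as IV || secret key, uses a CRC-32 as the integrity check value, and shows why a fresh IV per packet matters: with the same IV the keystream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts. The key, IV and payloads are constructed sample values.

```python
import struct
import zlib
from typing import Optional

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(secret_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV || ((data || ICV) XOR keystream), i.e. the frame body as sent."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 40- or 104-bit secret key
    body = data + icv(data)
    ks = rc4_keystream(iv + secret_key, len(body))       # per-packet key = IV || WEP key
    return iv + bytes(b ^ k for b, k in zip(body, ks))

def wep_decrypt(secret_key: bytes, frame: bytes) -> Optional[bytes]:
    """Rebuild the keystream from the clear-text IV; None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret_key, len(body))
    plain = bytes(b ^ k for b, k in zip(body, ks))
    data, received_icv = plain[:-4], plain[-4:]
    return data if icv(data) == received_icv else None

def iv_reuse_cancels_keystream(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV and key -> same keystream, so c1 XOR c2 == (p1||ICV1) XOR (p2||ICV2)."""
    c1 = wep_encrypt(secret_key, iv, p1)[3:]
    c2 = wep_encrypt(secret_key, iv, p2)[3:]
    b1, b2 = p1 + icv(p1), p2 + icv(p2)
    return bytes(x ^ y for x, y in zip(c1, c2)) == bytes(x ^ y for x, y in zip(b1, b2))
```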