WEP: IV Collision Attack

WEP prepends a 24-bit Initialisation Vector to the secret key before handing both to RC4. Only 2²⁴ ≈ 16.7 million IVs exist. The birthday paradox predicts a collision (two packets sharing an IV) after roughly 4 900 packets. Once an IV repeats, the keystream repeats: same vulnerability, same crib-drag attack.

IV (3 bytes · 24 bits): chosen per-packet at random
Secret key (5 bytes · 40 bits): shared, never changes
IV + secret key → RC4 → keystream, XOR'd with plaintext

Packet capture simulation

Each simulated packet picks a random 24-bit IV. The birthday paradox says collisions arrive far sooner than the full IV space is exhausted.

Expected first collision ≈ 4 900 packets (√(2 × 2²⁴) × 1.18)

How it works

WEP (Wired Equivalent Privacy, IEEE 802.11, 1997) tried to add per-packet key diversity by prepending a fresh 24-bit IV to the shared secret before initialising RC4. The assumption was that with 16.7 million possible IVs, repetition would be rare enough to be safe.

The birthday paradox demolished that assumption. After only ~4 900 packets — a few seconds on a busy network — there is a 50% chance of an IV collision. After ~9 700 packets the probability exceeds 99.9%. Many consumer access points simply incremented the IV by one for each packet, guaranteeing a full wrap every 16.7 million frames and cycling through all IVs in minutes on a saturated link.

A collision means two packets share a keystream. Their ciphertexts XOR together to give P_A ⊕ P_B, and the attack becomes straightforward crib-dragging, amplified by the predictable LLC/SNAP and IP/ARP headers that begin almost every Wi-Fi frame.
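The collision and the keystream repeat described above, as an added Python example (not this page's own simulation code). The 40-bit key, the payloads and the function names are constructed for illustration, and the WEP integrity check value (ICV) is left out.

```python
import math, random

IV_SPACE = 1 << 24                        # 24-bit IV, as on the page
SNAP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header of an IPv4 frame

def rc4(key, data):
    """Textbook RC4: key schedule, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def collision_probability(n, space=IV_SPACE):
    """Birthday approximation: P(some IV repeats among n random IVs)."""
    return 1.0 - math.exp(-n * (n - 1) / (2 * space))

def capture_until_collision(secret, rng):
    """Encrypt constructed packets under random IVs until one IV repeats."""
    seen, count = {}, 0                   # seen: IV -> (plaintext, ciphertext)
    while True:
        count += 1
        iv = rng.randrange(IV_SPACE).to_bytes(3, "big")
        plain = SNAP + b"constructed-payload-%06d" % count
        cipher = rc4(iv + secret, plain)  # per-packet RC4 key = IV || secret
        if iv in seen:
            return count, seen[iv], (plain, cipher)
        seen[iv] = (plain, cipher)

def demo(seed=1):
    secret = bytes.fromhex("0102030405")  # constructed 40-bit key
    n, (pa, ca), (pb, cb) = capture_until_collision(secret, random.Random(seed))
    # XORing the known header out of each ciphertext leaves the keystream,
    # which is identical for both packets because they share an IV.
    same_keystream = xor(ca[:8], SNAP) == xor(cb[:8], SNAP)
    return n, xor(ca, cb) == xor(pa, pb), same_keystream

if __name__ == "__main__":
    n, xor_identity, same_keystream = demo()
    print(f"first IV collision after {n} packets "
          f"(birthday estimate at that point: {collision_probability(n):.1%})")
    print("C_A xor C_B == P_A xor P_B:", xor_identity)
    print("header-derived keystream matches:", same_keystream)
```

The secret key never appears in the comparison: the IV travels in the clear with each frame, so a repeated IV is visible to anyone observing the traffic.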

A separate, more powerful attack — Fluhrer–Mantin–Shamir (FMS, 2001) — exploits weak RC4 IVs to recover the secret key byte-by-byte from a few million packets. WEP was formally deprecated in 2004 and replaced by WPA/WPA2 (TKIP, then AES-CCMP).