KoreK attack

from Wikipedia, the free encyclopedia

The KoreK attack is a class of attacks on the WEP protocol. It is named after its discoverer, who posted the attack under the pseudonym KoreK in the NetStumbler forum to demonstrate the insecurity of WEP-protected networks.

The attack exploits a weakness of the cyclic redundancy check (CRC): with a CRC it is possible to determine which bits of the check value change when the message changes. KoreK took advantage of this by proposing to cut off the last byte of a captured packet and to correct the CRC value under the assumption that the removed byte was 0.

The modified packet is sent to the wireless access point and the response is awaited. If the packet is accepted, the last byte can be assumed to have been 0. If it is rejected, the CRC value is corrected under the assumption that the byte was 1 and the packet is sent again. This is repeated until the access point accepts the packet; in the worst case it has to be repeated 255 times. Once the last byte is known, the same procedure is applied to the preceding bytes one after another until the content of the entire packet is known.
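The weakness the attack relies on is that a CRC is an affine function of the message: for equal-length strings, crc(m XOR d) = crc(m) XOR crc(d) XOR crc(0…0). The following example, added here and not part of the original article, shows that property for CRC-32 (the polynomial used by `zlib.crc32`, which is the same one WEP uses for its integrity check value) and contrasts it with a keyed MAC, where no such relation exists. All inputs are constructed sample data.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predict_crc_after_change(crc_original: int, delta: bytes) -> int:
    """Predict crc32(message XOR delta) from crc32(message) and the change mask alone.

    The message itself is not needed: CRC-32 is affine over GF(2), so
        crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros_of_same_length)
    The last term absorbs the initial value and final XOR of the CRC definition.
    """
    zero = bytes(len(delta))
    return crc_original ^ zlib.crc32(delta) ^ zlib.crc32(zero)


def crc_change_is_predictable(message: bytes, delta: bytes) -> bool:
    """True when the prediction made without the message equals the real CRC of the modified message."""
    predicted = predict_crc_after_change(zlib.crc32(message), delta)
    actual = zlib.crc32(xor_bytes(message, delta))
    return predicted == actual


def mac_change_is_predictable(key: bytes, message: bytes, delta: bytes) -> bool:
    """Apply the same XOR relation to HMAC-SHA256 tags (here even with the key in hand).

    A keyed hash is not affine, so the combined tag does not match the real tag of the
    modified message; this is what a CRC-based integrity check value lacks.
    """
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()

    zero = bytes(len(delta))
    combined = xor_bytes(xor_bytes(tag(message), tag(delta)), tag(zero))
    return hmac.compare_digest(combined, tag(xor_bytes(message, delta)))


if __name__ == "__main__":
    # Constructed sample: a 16-byte message and a mask that flips one bit of byte 5.
    msg = b"hello, wep world"
    mask = bytes([0x00] * 5 + [0x20] + [0x00] * 10)
    print("CRC-32 change predictable without the message:", crc_change_is_predictable(msg, mask))
    print("HMAC change predictable the same way:", mac_change_is_predictable(b"k" * 32, msg, mask))
```

The first call returns `True` for any message and mask of equal length; the second returns `False` except with negligible probability. This is why a CRC cannot serve as an integrity check under a stream cipher: the check value can be corrected for a chosen change without knowing the plaintext, whereas a MAC forces a guess.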

The process only takes a few seconds, but it is easy to detect, because large numbers of invalid WEP packets arrive at the access point. If the access point's firmware were adapted accordingly, the attack could be prevented.
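The detection opportunity the paragraph describes is a burst of frames with failing integrity checks from a single station. The following example, added here and not taken from the article or from any access point firmware, runs a sliding-window counter over constructed log lines in a hypothetical format (`<ISO timestamp> icv_fail src=<mac>`, one line per rejected frame) and reports stations whose failure rate reaches a threshold. Lines are assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line format (constructed for this example, not a real AP's output):
#   2024-05-01T10:00:30.020000 icv_fail src=02:00:00:00:00:01


def parse_line(line: str):
    """Return (timestamp, source MAC) for one icv_fail log line."""
    ts_str, event, src_field = line.split()
    if event != "icv_fail" or not src_field.startswith("src="):
        raise ValueError(f"unexpected log line: {line!r}")
    return datetime.fromisoformat(ts_str), src_field[len("src="):]


def find_icv_failure_bursts(lines, threshold: int = 100, window: timedelta = timedelta(seconds=10)):
    """Return {src_mac: peak_count} for stations whose ICV failures within any
    interval of length `window` reached `threshold`.

    A chosen threshold of 100 failures per 10 s is far above what a noisy link
    produces, while one byte of the attack alone needs up to 255 rejected frames.
    """
    recent = defaultdict(deque)  # per-station timestamps inside the current window
    peaks = {}
    for line in lines:
        ts, src = parse_line(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def constructed_sample_log():
    """Build a constructed log: a few scattered failures from a benign station and
    256 rejected frames in about five seconds from another station."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    for minute in (0, 1, 2):  # benign station: one bad frame per minute
        events.append((base + timedelta(minutes=minute), "02:00:00:00:00:02"))
    for i in range(256):  # bursting station: one rejected frame every 20 ms
        events.append((base + timedelta(seconds=30, milliseconds=20 * i), "02:00:00:00:00:01"))
    events.sort()
    return [f"{ts.isoformat()} icv_fail src={mac}" for ts, mac in events]


if __name__ == "__main__":
    for mac, peak in find_icv_failure_bursts(constructed_sample_log()).items():
        print(f"burst of {peak} ICV failures within 10 s from {mac}")
```

On the constructed log the function flags only `02:00:00:00:00:01` with a peak of 256 failures. In a real deployment the same counter would sit in the access point's frame-receive path or consume its syslog output, and the response (rate-limiting or deauthenticating the station) is the kind of firmware adaptation the article refers to.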

References

  1. Rafik Chaabouni: Break WEP Faster with Statistical Analysis. June 2006, Chapter 4 (epfl.ch [PDF], semester paper at EPFL).
  2. Original thread about the KoreK attack (in English).