How we tested

By Joel Snyder and Rodney Thayer, Network World, 10/04/2004

We set up two test beds at Lab Alliance partner Opus One's labs in Tucson, one for stations (clients running wireless network interface cards) and one for access points and wireless LAN switches.  Both sets of tests were monitored using Dell laptop computers running Red Hat Linux 9 and a modified version of AirSnort, the open source Wired Equivalent Privacy (WEP) key recovery tool.  We also made heavy use of our AirMagnet Handheld to diagnose minor interoperability issues between different wireless devices.

AirSnort is designed to recover the WEP keys of any network it sees, as quickly as possible.  It does this by collecting all packets from all stations and all access points.  We modified our version of this open source tool to only look at the packets sent from the device being tested.  This change enabled us to identify whether it was the station or the access point that was vulnerable to AirSnort key recovery.  We also modified AirSnort to print out the "weak" initialization vectors that it was using to guess the WEP key.


We used an IBM Thinkpad laptop with a 1.2 GHz processor and 512M-byte RAM running a clean installation of Windows 2000 SP4 to test each wireless PCMCIA card, connecting the station to a Cisco Aironet 350 access point.  To test access points, we used the same laptop with a Cisco Aironet 350 card to generate traffic.

For each test, we used the Unix "ping" command with the flood option to generate a high rate of bidirectional traffic over the airwaves.  We let the AirSnort laptop listen to the traffic for a minimum of 50 million packets, usually about 12 hours at the very high traffic rate we were generating.

We wanted to be sure that AirSnort saw every possible initialization vector (IV), thereby giving it the best chance of recovering the WEP key.  Since there are 16 million IVs, we had to generate sufficient packets to guarantee that every IV was seen at least once (it doesn't do AirSnort any good to see the same IV twice).

Although most wireless devices use a simple counter to generate IVs (this is actually the most secure method), some products use a random number generator.  We picked 32 to 50 million packets as a "safe" range to guarantee that we were actually measuring the WEP performance of the product.  Even though we were saturating the airwaves, it takes a long time to generate that many packets.  Claims that WEP keys can be recovered in 15 minutes are, we discovered, highly exaggerated.
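The two IV-generation strategies described above lead to very different coverage of the 24-bit IV space for a given number of frames. The following Python is an added worked example, not part of the original article or of AirSnort: it models a sequential counter (every IV appears once per 2^24 frames) against a uniformly random IV generator (coupon-collector behaviour), so a tester can check how much of the IV space a given capture size is expected to have exercised. The packet counts are the article's own figures; the uniform-random model is an assumption about how a "random number generator" product would behave.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible WEP initialization vectors
EULER_GAMMA = 0.5772156649015329


def counter_fraction_seen(packets: int, iv_space: int = IV_SPACE) -> float:
    """Fraction of the IV space observed after `packets` frames when the
    sender uses a simple sequential counter (each IV appears once per cycle)."""
    return min(1.0, packets / iv_space)


def expected_fraction_seen(packets: int, iv_space: int = IV_SPACE) -> float:
    """Expected fraction of the IV space observed after `packets` frames when
    the sender draws each IV uniformly at random (assumed model, with replacement).
    Each IV is missed with probability (1 - 1/N)^packets."""
    return 1.0 - (1.0 - 1.0 / iv_space) ** packets


def expected_packets_to_see_all(iv_space: int = IV_SPACE) -> float:
    """Coupon-collector expectation: frames needed until every IV has appeared
    at least once under uniformly random IV selection (N * H_N, with the
    harmonic number approximated by ln N + gamma + 1/(2N))."""
    harmonic = math.log(iv_space) + EULER_GAMMA + 1.0 / (2 * iv_space)
    return iv_space * harmonic


def coverage_table(packet_counts):
    """Return (packets, counter_coverage, random_coverage) rows for each capture size."""
    return [
        (n, counter_fraction_seen(n), expected_fraction_seen(n))
        for n in packet_counts
    ]


if __name__ == "__main__":
    # Capture sizes taken from the article: one full IV cycle, the low and
    # high end of the "safe" range, and the minimum actually captured.
    for n, counter, random_iv in coverage_table([IV_SPACE, 32_000_000, 50_000_000]):
        print(f"{n:>11,d} frames: counter {counter:6.1%}  random IVs {random_iv:6.1%}")
    print(f"expected frames for full coverage with random IVs: "
          f"{expected_packets_to_see_all():,.0f}")
```

Under the counter model the 32-to-50-million-packet range covers the IV space at least once with a wide margin, which is why it is a safe test threshold for the products the article says are most common. For a product that really does draw IVs at random, the same model puts expected coverage at roughly 85% after 32 million frames and 95% after 50 million, with full coverage not expected until around 290 million frames; a tester who suspects random IV generation should plan a correspondingly longer capture before concluding that a device resisted key recovery.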

That level of traffic flooding would be highly unusual in a typical enterprise WLAN.  In fact, we had to shut our building wireless network down during the test, because the traffic we were generating saturated the 802.11b/g frequency range.
