When an IV is reused, we call this a collision. When a collision occurs, the combination of the shared secret and the repeated IV results in a key stream that has been used before. Since the IV is sent in clear text, an attacker who keeps track of all the traffic can identify when collisions occur. A number of attacks become possible upon the discovery of IV collisions.
A key stream attack is a method of deriving the key stream by analyzing two packets derived from the same IV. Simply stated, XORing the two cipher texts together will equal XORing the two plain texts together. Figure 3.4 shows this in detail.
Figure 3.4. A key stream attack.
In the upper left, we have taken 8 bits (plain text 1) and XORed them with our key stream. This results in cipher text 1. In the upper right, we have taken a different set of 8 bits (plain text 2), but XORed them with the same key stream, which results in a second cipher text. You will notice that XORing the two cipher texts together gives us a result equal to XORing the two plain texts together. Therefore, if both cipher texts are known (presumably captured from a sniffer) and one plain text is known, the second plain text can be derived.
You may be wondering, “That's cool, but how do I know the first plain text, so I can derive the second plain text?” There are two ways. First, if you are able to see the target machine from a computer on the Internet (or a compromised host on the target LAN), you could send a packet to the target machine. Since it comes from you, the plain text payload of the packet would be known. You could identify the packet by forcing an unusual packet size and searching for that size in your sniffer log data.
An alternative way to learn the plain text of a packet is to guess. A number of TCP/IP protocols utilize known handshaking procedures. For example, DHCP, ARP, and other broadcast packets use well-documented signatures.
Keep in mind that key stream attacks only work when IVs are repeated. This is a major flaw in the implementation of WEP. Because the standard does not define how to implement IVs, they are often repeated and it is perfectly acceptable to reuse them. In fact, in order for an AP to remain compliant with the standard, it must accept IVs that have been reused. This violates a major tenet of RC4: It is unsafe to reuse the same key, ever! Keys should never be reused or repeated.