Reaction Attacks

This attack can be performed even if the machines behind the wireless network have no connection to the Internet at all, but the packet to be decrypted needs to be a TCP packet (which is common).

We use the fact that if we modify a packet in a way that makes the TCP checksum invalid, the packet will be silently dropped when we retransmit it. But if the TCP checksum on the modified packet is correct, we'll get an ACK packet back.

It turns out that we can arrange to make the TCP checksum valid or invalid exactly when any given bit of the plaintext message is 0 or 1.

So each time we check the reaction of the recipient to a modified packet, we learn one more bit of the plaintext.
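An added example, not from the original slides: an offline model of why a receiver's reaction to modified, unauthenticated ciphertext leaks plaintext, next to a receiver that verifies a keyed MAC first and so reacts the same way to every modification. It assumes an XOR keystream and a 16-bit one's-complement checksum appended to the payload, and ignores any link-layer integrity value; all function names, the sample payload and the HMAC-based receiver are constructed for illustration.

```python
import hashlib
import hmac
import os

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum of big-endian words (TCP checksum arithmetic)."""
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(payload, keystream, mac_key):
    """Append the checksum, XOR with the keystream, and tag the ciphertext."""
    body = payload + (0xFFFF ^ fold_sum(payload)).to_bytes(2, "big")
    ct = xor(body, keystream)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def checksum_only_receiver(ct, keystream) -> bool:
    """Reaction from the slide: True = ACK comes back, False = silent drop."""
    return fold_sum(xor(ct, keystream)) == 0xFFFF

def mac_first_receiver(ct, tag, keystream, mac_key) -> bool:
    """Hardened model (assumption): a keyed MAC is verified before the checksum."""
    good = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return good and checksum_only_receiver(ct, keystream)

def flip_same_bit(ct, word_a, word_b, bit):  # bit 0 = LSB of each 16-bit word
    out = bytearray(ct)
    for w in (word_a, word_b):
        out[2 * w + (0 if bit >= 8 else 1)] ^= 1 << (bit % 8)
    return bytes(out)

def demo():
    payload = b"GET /index.html "  # constructed sample, even length
    keystream, mac_key = os.urandom(len(payload) + 2), os.urandom(32)
    ct, tag = seal(payload, keystream, mac_key)
    w0, w1 = (int.from_bytes(payload[i:i + 2], "big") for i in (0, 2))
    rows = []
    for bit in range(16):
        mod = flip_same_bit(ct, 0, 1, bit)
        differ = bool(((w0 ^ w1) >> bit) & 1)  # ground truth, known only to the model
        rows.append((differ, checksum_only_receiver(mod, keystream),
                     mac_first_receiver(mod, tag, keystream, mac_key)))
    return rows
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each row is (plaintext bits differ, checksum-only reaction, MAC-first reaction): the second column always equals the first, which is the one bit leaked per probe, while the third column is always False.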