There is a significant number of publicly available "open" access points; the rest are protected with Wired Equivalent Privacy (WEP) encryption or Wifi Protected Access (WPA). A worm can propagate over unprotected wireless networks in the way shown in Figure 2. Moreover, as a result of design and implementation flaws, WEP encryption is insecure. There is a handful of WEP attacks in the literature, e.g. weak IV attacks [30], keystream re-use [15,22] and more recently fragmentation attacks [20] . These attacks are not just of theoretical value; they have been implemented into many practical and efficient WEP cracking tools freely available on the Internet. Wepcrack [8] did a performance comparison on some of such tools. Among them, Aircrack [1] is particularly powerful with a high success rate and relatively low cracking time that could vary between 5 seconds to 1 minute. However Aircrack needs to spend considerable time to sniff and capture sufficient wireless packets before cracking attempt. For example, after analyzing wireless usage statistics at a university campus [7], we determine that it may take 1-2 hours on average to successfully crack WEP encryption. Instead of passively sniffing packets, the worm could also employ active attacks e.g., discovering the encrypted version of a plaintext packet [8]. As for WPA, while not inherently weak, it is susceptible to bruteforce attacks if used with a weak password in the most common WPA/PSK configuration. Given the apparent susceptibility of the currently available protection mechanisms, it seems likely that worms would consider carrying the additional payload of including cracking tools.