OK, so the phone started to ring off the hook yesterday afternoon regarding the Hole 196 802.11 security flaw. I won't go into the technical details here, partially because I'm still researching possible fixes and partially because I don't want to steal AirTight's thunder as they continue to roll out what they've discovered. But suffice it to say that AirTight has discovered a serious security flaw in 802.11 that affects the integrity of WPA2 under certain circumstances, that they are able to demo the problem, that the actual work required to produce the results they discovered is about ten lines of code, and that attacks like this one might already be occurring as the flaw has always been present. Good security practice (see below) can mitigate the problem to some degree, so all is not lost, and I'm sure the flaw can be fixed. But the real question is how problems like this should be revealed to the security and wireless communities as a whole, and especially to the public. That's where things get fuzzy.
Basically, the attack is a man-in-the-middle/ARP-cache-poisoning technique, and these have been documented before on wired networks. The attack can only be performed by an authorized (via 802.11's security mechanisms) user, so this also involves an element of a spy job. But make no mistake: these occur, and industrial espionage involving double-agent employees has been known to happen. The bottom line is that an authorized user can capture the decrypted (again WRT 802.11) traffic of other users, and the attack cannot be detected by wired IDS/IPS systems.
But here's the good news: It can be detected by wireless IDS/IPS systems, and I'm sure AirTight is ready to ship their implementation right now. This is also likely a great opportunity for leadership on the part of the Wi-Fi Alliance, along the lines of their work with WPA as a fix to WEP. And no one involved with 802.11 should feel bad about this - while it would be great if such issues could be avoided, human beings, especially those working in large groups with multiple agendas, make mistakes. And I'm sure there's a long-term fix here, although it will take quite a while to propagate, and it's possible that some older equipment might be obsoleted altogether by this issue. Such happens - you're not using WEP anymore, are you? In the meantime - my advice about using a VPN (yes, even inside the physical perimeter), encrypting all sensitive data while in residence anywhere, using strong (ideally, two-factor) authentication, and installing a WLAN assurance system, stands. Anyone using such has a bit less to worry about - keeping in mind, of course, that all security implementations have their vulnerabilities. I always assume that the next security challenge is lurking outside my door right now. When it comes to security, you're never, ever "done".
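To make the detection point above concrete, here is an added example (not code from the column, from AirTight, or from any wireless IDS vendor) of the basic ARP-cache-poisoning check that a wireless IDS or a host-based agent on the client side can run: learn IP-to-MAC bindings from observed ARP replies and alert when an address, especially the default gateway, is suddenly claimed by a different MAC. The addresses, timestamps and the rogue station are all constructed sample values; the function names are mine. Because the forged replies never cross onto the wired side of the access point, a check like this has to sit on the wireless side or on the client itself, which is exactly why a wired IDS/IPS misses it.

```python
"""Minimal ARP-cache-poisoning detector over constructed ARP observations.

Added example; it is not the column's or AirTight's code. It models the
host-side or wireless-IDS check: keep a table of IP -> MAC bindings learned
from ARP replies and alert when an IP (the gateway in particular) is claimed
by a MAC other than the one already bound to it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float          # seconds since capture start (constructed)
    sender_ip: str    # IP the reply claims to speak for
    sender_mac: str   # hardware address the reply wants bound to that IP


# Constructed observations. The gateway 10.0.0.1 is legitimately at
# aa:aa:aa:aa:aa:01; from t=12.0 a second station (bb:bb:bb:bb:bb:02) starts
# answering for it, which is what a poisoning attempt looks like on the wire.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.23", "cc:cc:cc:cc:cc:23"),
    ArpReply(5.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(12.0, "10.0.0.1", "bb:bb:bb:bb:bb:02"),   # conflicting claim
    ArpReply(12.5, "10.0.0.1", "bb:bb:bb:bb:bb:02"),   # repeated claim
    ArpReply(13.0, "10.0.0.23", "cc:cc:cc:cc:cc:23"),
]


def detect_poisoning(replies, gateway_ip, known_gateway_mac=None):
    """Return a list of (time, ip, expected_mac, observed_mac) alerts.

    Rules, both purely observational:
      1. Any IP whose advertised MAC differs from the binding already learned
         is reported (a binding flip).
      2. If known_gateway_mac is pinned, the gateway's binding is seeded from
         it, so a rogue claim is caught even if it is the first reply seen.
    The gateway binding is never overwritten by a conflicting reply: learning
    the new MAC would silence later alerts and let the rogue binding stick.
    """
    bindings = {}   # ip -> mac currently believed to own it
    alerts = []
    if known_gateway_mac:
        bindings[gateway_ip] = known_gateway_mac.lower()
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        prev = bindings.get(ip)
        if prev is None:
            bindings[ip] = mac          # first sighting: learn it
            continue
        if prev != mac:
            alerts.append((r.t, ip, prev, mac))
            if ip != gateway_ip:
                bindings[ip] = mac      # non-gateway hosts may legitimately move
    return alerts


def suspect_stations(alerts):
    """Set of MACs that claimed an IP already bound to someone else."""
    return {observed for (_, _, _, observed) in alerts}


if __name__ == "__main__":
    for t, ip, expected, observed in detect_poisoning(SAMPLE_REPLIES, "10.0.0.1"):
        print(f"t={t:5.1f}s  ARP conflict for {ip}: expected {expected}, saw {observed}")
    print("suspect stations:", sorted(suspect_stations(
        detect_poisoning(SAMPLE_REPLIES, "10.0.0.1"))))
```

Run stand-alone it prints two conflict lines for 10.0.0.1 and names bb:bb:bb:bb:bb:02 as the suspect. A real wireless IDS adds what this host-level check cannot see: it compares the 802.11 transmitter address of the frame carrying the reply against the access point's own address, so a reply for the gateway that arrives from a client station is flagged at the radio layer before the ARP cache is ever consulted.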
Note also that, as this is an attack that only a trusted insider can pull off, it might be a good idea to think about the background-checking process used to screen new hires, and to do updates on a random sampling from time to time. Ultimately, this is a people issue - someone must knowingly do something that is clearly wrong. We can learn a lot from how the government manages security clearances. Yes, I know this can be burdensome; security always is.
The bigger challenge, though, is in how to bring problems like this to light. Some callers roundly criticized AirTight for the process they're using to reveal the issue at hand. But there is no industry-mandated or even industry-accepted methodology here - the Wi-Fi Alliance has no formal process or requirements placed on its members, and, regardless, AirTight isn't a member of the Alliance, so they have no obligation here anyway. There is an ongoing revision process with 802.11, but the gears turn slowly there. We might even argue that the very complexity of the standard as it exists today (and, remember, more is being added and amended all the time) is to blame. But note that the problem is not with AES - this is a protocol issue. We tend to focus security concerns on the nature of encryption algorithms, but in this case it's the protocols that are the problem. Every element of the security value chain requires, again, constant scrutiny.
Such is the nature of complex systems. We try. We make mistakes. We learn. We move on to the next challenge. Apart from marketing slogans, perfection will likely remain an abstract, theoretical goal. Just ask the folks at Lexus, who, while relentlessly pursuing perfection, also had to recall a whole bunch of cars that most of us wouldn't mind driving in the least.
Mathias is a principal at Farpoint Group, a wireless advisory firm in Ashland, Mass.