
Wi-Fi WPA2 vulnerability FAQ

AirTight's WPA2 exploit seems to be an ARP spoofing attack

By , Network World
July 28, 2010 05:33 PM ET

Network World - So this guy at AirTight Networks says Wi-Fi Protected Access 2 has a "hard shell on the outside, but a soft underbelly inside" due to an overlooked vulnerability, and that an attacker can decrypt traffic that's been encrypted with WPA2. Is this total panic time?

Well, probably not, based on tentative conclusions from folks who've been trying to figure out what's going on from the very limited information AirTight Networks has released so far.

(See "WPA2 vulnerability found".)

The Wi-Fi Alliance crafted WPA2, based on the IEEE 802.11i specification. Do they have a response to AirTight?

Not yet. A spokesman says they're waiting for the details from the Black Hat conference in Las Vegas. (AirTight will reveal full details of this exploit Thursday afternoon, July 29, during a presentation at the event.)

What actually is going on?

Apparently -- and this is important -- nothing new.

That's according to 802.11 security expert Matthew Gast, who's written "802.11 Wireless Networks: The Definitive Guide" from O'Reilly Media, and is a voting member of the IEEE 802.11 working group, chair of the Wi-Fi Alliance's Security Technical Task Group, and director of product management at Aerohive Networks.

Gast says his best guess -- at this point -- is that the AirTight exploit is Address Resolution Protocol (ARP) spoofing, a "man in the middle attack." According to Wikipedia: "Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead."

That's what appears to be happening in the AirTight exploit, according to Gast. "The ARP spoofing is when the attacker rewrites the MAC address of the default router," he says. "To do that, it masquerades as the AP. Think of the attack as having two components, since you are operating at both Layer 2 (Wi-Fi) and Layer 3 (IP/ARP). The Layer 3 component is well understood; the Layer 2 component is just the way that you transmit the Layer 3 attack on Wi-Fi as opposed to Ethernet."

ARP spoofing is not unique to WPA2. "If you replace the wireless access point with a switch, and all the wireless connections with Ethernet cables, the [AirTight] attack would still work," Gast says.

Second, in this exploit the attacker has to be an authorized user on the wireless network, not some passerby, and both the attacker and the victim have to be connected to the same wireless LAN -- the same SSID on the same access point, according to Gast.

Third, the attacker does not actually recover, break or crack any WPA2 encryption keys, according to Gast.

And finally, check to make sure something called "client isolation" is turned on in your access points. If it is, it will disrupt the attack.
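The ARP spoofing Gast describes, together with the Layer 3 check that catches it, as an added example (this is not code from the article, from AirTight, or from Aerohive): it builds two ARP replies for the gateway's IP address, one carrying the real gateway MAC and one carrying an attacker's MAC, parses them with a minimal ARP decoder, and reports the IP whose MAC binding changed. Every address is a placeholder and every frame is constructed inline. A real sensor on Wi-Fi would see 802.11 data frames that an AP or a monitor-mode station turns into this Ethernet form after decryption; that is the Layer 2 part Gast mentions, and the block leaves it out.

```python
"""
Added example, not from the article or any vendor: a minimal ARP decoder plus a
"MAC changed for a known IP" check. All MAC/IP values are placeholders
(locally administered MACs, the 192.0.2.0/24 documentation range).
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that says 'src_ip is-at src_mac'."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "oper": oper,
        "sha": fmt_mac(body[0:6]),    # sender hardware address
        "spa": fmt_ip(body[6:10]),    # sender protocol address
        "tha": fmt_mac(body[10:16]),  # target hardware address
        "tpa": fmt_ip(body[16:20]),   # target protocol address
    }


def detect_spoofing(frames: List[bytes], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """
    Walk frames in order. 'known' pins IP -> MAC bindings you trust (the gateway,
    at least); unknown IPs are learned from the first ARP packet that names them.
    Both requests and replies carry a sender binding that hosts will cache, so
    both are checked. Returns (ip, expected_mac, seen_mac) for every conflict;
    the pinned/learned entry is never overwritten, so a repeating spoofer keeps
    generating alerts rather than silently becoming the new "truth".
    """
    table = dict(known)
    alerts: List[Tuple[str, str, str]] = []
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["oper"] not in (ARP_REQUEST, ARP_REPLY):
            continue
        expected = table.get(a["spa"])
        if expected is None:
            table[a["spa"]] = a["sha"]
        elif expected != a["sha"]:
            alerts.append((a["spa"], expected, a["sha"]))
    return alerts


# Constructed demo data (placeholders, not real hosts).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:66"


def demo_frames() -> List[bytes]:
    """Genuine gateway reply, then the attacker's forged reply for the same IP, then noise."""
    return [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # spoofed
        b"\x00" * 60,                                                      # non-ARP frame, ignored
    ]


if __name__ == "__main__":
    for victim_ip, expected, seen in detect_spoofing(demo_frames(), {GATEWAY_IP: GATEWAY_MAC}):
        print(f"ARP spoofing suspected: {victim_ip} expected at {expected}, now claimed by {seen}")
```

Pinning the gateway binding up front (the `known` argument) is what makes this useful on a live network: a purely passive table only learns whatever MAC it happened to see first, which on a network that is already under attack may be the attacker's.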

What's client isolation?

It blocks two wireless clients attached to the same access point from talking to each other: the access point refuses to forward frames between them, so the attacker's forged ARP replies never reach the victim and any traffic the victim might send toward the attacker's MAC is dropped as well. That client-to-client path is critical to the success of this attack. According to Gast, nearly every WLAN vendor implements this feature.
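What turning it on looks like in practice, as an added example rather than anything from the article or a vendor document: the relevant lines of a hostapd configuration, where the option is named `ap_isolate`. The interface name, SSID and passphrase are placeholders.

```ini
# Added example (not from the article): hostapd.conf excerpt.
# Placeholder values for interface, SSID and passphrase.
interface=wlan0
ssid=corp-wifi-example
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-real-passphrase
rsn_pairwise=CCMP

# Default behaviour: stations associated to this BSS can exchange frames
# through the AP, which is the path a forged ARP reply takes to the victim.
# ap_isolate=0

# Client isolation on: the AP drops frames sent from one associated station
# to another.
ap_isolate=1
```

A quick check after changing it is to associate two clients to the same AP and try to ping one from the other; with isolation on, the ping should fail. Note that the setting is enforced per access point, which matches the same-AP condition Gast describes for this attack; two clients on different APs of the same SSID reach each other over the wired side, so a deployment that wants the same guarantee everywhere has to block client-to-client traffic on the controller or switch too.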
