AirTight defends Wi-Fi WPA2 'vulnerability' claim

A "publicity stunt?" Major threat? Or easily contained?

By , Network World
July 30, 2010 12:02 PM ET

Network World - Executives at AirTight are defending their description of a little-known "vulnerability" in the 802.11 standard in the face of criticism following their demonstration of a Wi-Fi exploit at the Black Hat security conference. One WLAN vendor called the claim a "publicity stunt."

Others are saying the attack, which can only be mounted by an internal authorized WLAN user, is so limited in scope that it would be easier for an attacker to just use the unattended computer in a neighbor's cubicle or even bribe a fellow employee to access data.

"What those limitations really mean is that 'YES' there are much easier ways to get the data," says Jennifer Jabbusch, chief information security officer, Carolina Advanced Digital, a Cary, N.C. IT services company. "In a scenario like this, that data is most likely (more than 99.9% likely) to be [already] unencrypted on the wire. In addition to that, the close physical proximity [required] would mean an attacker could also just as easily walk over to the victim's machine and load a tool to collect data while they're at lunch or getting a soda in the break room. The wireless attack is 'going around your butt to get to your elbow,' as we say in the South."

She had analyzed the AirTight exploit previously on her SecurityUncorked blog.

WLAN vendor Aruba Networks issued its own analysis, by Robbie Gill of the company's engineering department, which concluded, "The attack scenario described by AirTight is well known and old news – it was, in short, a publicity stunt."

Yesterday's detailed demonstration at Black Hat Arsenal, a demo area associated with the Black Hat information security conference, confirmed nearly all of the details that Jabbusch and others had been expecting. [See: "Wi-Fi WPA2 vulnerability FAQ".] It did little to convince observers that the exploit constitutes a serious threat to enterprise wireless LAN security.

AirTight, which markets the SpectraGuard wireless intrusion prevention software, revealed late last week that it had uncovered a vulnerability in the IEEE 802.11 specification, but released only a few details.

There are two components to the attack. The first uses what AirTight now alternately refers to as a "vulnerability" or a "limitation" in the 802.11 specification. The group temporal key (GTK), which protects broadcast and multicast traffic, is shared by every client connected to the same access point. Because every client holds the same GTK, a frame encrypted with it cannot be tied to a particular sender: any client can forge a broadcast frame carrying the access point's address as its source, and the other clients have no way to tell it from a genuine one. The pairwise keys, which are used to scramble unicast data between a given client and the access point, are unique to each client, so an address-spoofing attempt under those keys can be detected.

In AirTight's exploit, an attacker who is already an authorized client uses the GTK to impersonate the access point and, in essence, convince another client on the same BSSID to accept a new default router, a well-known technique called Address Resolution Protocol (ARP) spoofing or poisoning. The forged, GTK-encrypted broadcast maps the default gateway's IP address to the attacker's MAC address, and the victim updates its ARP cache accordingly. Because the victim is a wireless client, its traffic for the "gateway" still goes to the bona fide access point, which simply forwards it to the attacker masquerading as the default router.

"The subtle point (that many people seem to miss) about exploiting the GTK in WPA2 for launching an ARP Spoofing attack is that the footprint of the attack is only in the air and the payload is encrypted," says Kaustubh Phanse, principal wireless architect at AirTight. "So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs see anything abnormal. Even a wireless IPS will not catch this attack, unless it has the smartness of detecting the anomalous behavior exhibited over the air."
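The following is an added example, not AirTight's tool or any code from the original article. It models only the ARP layer of the attack described above and the over-the-air anomaly check that Phanse says a wireless IPS would need: it builds the kind of forged ARP reply the attacker would broadcast under the GTK, parses it back, and keeps an IP-to-MAC binding table that raises an alert when the gateway's IP is suddenly claimed by a second MAC. The 802.11 framing and CCMP encryption are not modeled; all addresses are constructed sample values, and the names (`build_arp_reply`, `ArpBindingMonitor`, `demo`) are this example's own.

```python
"""
Added example (not AirTight's or the page's code): the ARP layer of the
GTK-based ARP poisoning attack and a binding-conflict detector for it.
All MAC and IP addresses below are constructed sample values.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet II header plus an ARP reply (42 bytes).

    With dst_mac left at broadcast, this is the payload an insider would wrap
    in the shared GTK so every client on the BSS accepts it as if it came
    from the access point. The 802.11/CCMP wrapping itself is not modeled.
    """
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpBindingMonitor:
    """Tracks which MAC has claimed each IP in ARP replies seen over the air.

    A second MAC claiming an IP that is already bound (the default gateway, in
    this attack) is exactly the over-the-air anomaly a wire-side sensor never
    sees, because the forged broadcast is sent directly to the other clients.
    """

    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})  # ip -> mac; pre-seed known gateways
        self.alerts = []

    def observe(self, frame):
        """Feed one decrypted frame; return (ip, old_mac, new_mac) on conflict."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac  # first sighting: learn it
            return None
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Legitimate gateway reply, then the attacker's forged one (constructed data)."""
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "10.0.0.50", "00:11:22:33:44:50"
    attacker_mac = "00:11:22:33:44:99"
    monitor = ArpBindingMonitor(pinned={gw_ip: gw_mac})
    legit = build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip, dst_mac=victim_mac)
    forged = build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip)
    return [monitor.observe(legit), monitor.observe(forged)]


if __name__ == "__main__":
    print(demo())  # second entry is the gateway IP now claimed by the attacker's MAC
```

Pinning the gateway binding in advance matters: a detector that only learns bindings passively would accept the attacker's mapping if it saw the forged reply first, which is the same weakness as the victim's own ARP cache.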
