Upshot of the WPA2 brouhaha

* Nothing new, you say? Define 'new.'

We could argue about security all day long. Every move we make -- from breathing to crossing the street to sending credit card data over a wireless network -- contains a measure of risk. We continually draw mental lines between the risks that we just accept as facts of life and those we deem important enough to actively try to mitigate.

Specific to the wireless LAN industry, there are folks whose job it is to ferret out vulnerabilities that could be exploited and that current, standards-based technology might not address. One reason for their work, of course, is self-serving: to identify opportunities for their companies to build and sell security products that close the holes.


But security experts (at least, those on the right side of the law) tend to have an altruistic nature, too. Most want to keep the public informed so that holes aren't exploited out of WLAN operator ignorance.

Such is the case with AirTight Networks' Md Sohail Ahmad, who demonstrated a WPA2 vulnerability this week at two security conferences in Las Vegas. The vulnerability, which his company dubbed "Hole 196," is documented in passing in the 1200-page Wi-Fi standards document. In that sense, it's a known vulnerability, so dissenters argue that there's really nothing new.

What's new is someone noticing the language, figuring out how to exploit it, and suggesting that folks might want to be aware of it. Personally, I consider that a positive service to the industry. Apparently, so did the conference organizers at Black Hat and DEF CON 18, who invited Ahmad to demonstrate Hole 196 at their events.


After all, how many enterprises are aware of the vulnerability, and that the man-in-the-middle exploits of it that AirTight has been demonstrating might be happening as we speak? I'm going to go out on a limb and guess that not many WLAN administrators have read the 1200-page standard word for word and, even if they did, picked up on the broadcast, shared-key verbiage and its implications.

WLAN vendors, of course, are up in arms because they don't want people to think that Wi-Fi is broken. And, indeed, to imply that it is and that the sky is falling would be hyperbole. WPA2's AES-based encryption has not been cracked.

So should you worry or not?

I wouldn't put your WLAN deployments on hold, but, depending on your security risk profile, you might want to take this issue into account as you build your Wi-Fi security environment.

To help decide what tactics, if any, to take, here are a few defensive statements you are likely to hear or read about Hole 196 and a few things you should know about them:

* Rebuttal 1: "The same type of ARP poisoning attack can happen on an Ethernet LAN, as well. Everybody knows that."

Re-rebuttal: That's true. The difference is that today's intrusion detection and protection systems (IDS/IPS) that operate on wired networks detect and deflect these attacks. Hole 196 is contained on the wireless portion of the network only. According to the 802.11 standard, the group keys used to encrypt and decrypt broadcast packets, called Group Temporal Keys (GTKs), by definition cannot detect address spoofing and data forgery. Will wireless IDS/IPSs figure out a way to detect them in the near future? Probably.

* Rebuttal 2: "Client isolation filters exist in Wi-Fi networks today and will deflect Hole 196 exploits."

Re-rebuttal: Partially true. AirTight agrees that client isolation, which prevents two client devices from communicating directly with one another through an AP, is a good way to fix step two of the two-step Hole 196 exploitation process, which is when the AP comes into the picture. However, in step one of the exploit, clients talk directly to other clients, bypassing the AP. Client isolation doesn't help on this front.

"It's possible that other hacker exploits might come up where only step one is necessary," observes Kaustubh Phanse, AirTight's wireless architect.

An important note: Client isolation isn't part of the 802.11 standard; it's a proprietary capability supported by several WLAN vendors. And these capabilities aren't necessarily turned on in every enterprise, because they do impose some extra overhead. But, indeed, if you got 'em, and you're worried about Hole 196, turn 'em on.

* Rebuttal 3: "Only authorized users can exploit the vulnerability and they can already wreak havoc with the corporate network."

Re-rebuttal: Maybe true, maybe not, depending on your security setup. Indeed, it's an authorized user that would be exploiting Hole 196. But the importance of insider hacker detection and prevention shouldn't be underestimated. CSO's January 2010 Cyber Security Watch Survey revealed that while most of the top 15 security policies and procedures are aimed at preventing insider attacks, 51% of respondents to its survey who experienced a cyber security event were still victims of an insider attack.

"People on the inside of the company can do the greatest economic damage," acknowledges wireless guru Matthew Gast.

Gast chairs the Wi-Fi Alliance's Security Technical Task Group and is director of product management at Aerohive Networks. In the case of Hole 196, the shared GTK, used for broadcast communications, is only as secret as the level of trust you have for inside employees, he says.

Gast says that during a Hole 196 exploit, an AP would, in fact, seem to be receiving frames from itself. "That is an easy anomalous event to detect," he says.
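The anomaly Gast describes, written out as a receive-path check (an added example, not Aerohive's fix and not code from this article): a sensor in the AP parses each received 802.11 header and alerts when a data frame names the AP's own BSSID as its transmitter. The BSSID, station addresses and frame bytes are constructed sample values, and the rule assumes the AP's radio never hears its own transmissions.

```python
import struct
from typing import NamedTuple, Optional

class Dot11Header(NamedTuple):
    ftype: int       # 0 = management, 1 = control, 2 = data
    to_ds: bool
    from_ds: bool
    addr1: str       # receiver address (RA)
    addr2: str       # transmitter address (TA)
    addr3: str       # source address when From DS is set

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> Optional[Dot11Header]:
    """Parse the fixed 24-byte 802.11 MAC header; None if truncated."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)   # frame control, little-endian
    return Dot11Header((fc >> 2) & 0x3, bool(fc & 0x0100), bool(fc & 0x0200),
                       _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]))

def check_received(frame: bytes, own_bssid: str) -> Optional[dict]:
    """Run on the AP's receive path: alert if a data frame claims the AP as sender."""
    h = parse_header(frame)
    if h is None or h.ftype != 2 or h.addr2 != own_bssid.lower():
        return None
    group = bool(int(h.addr1[:2], 16) & 1)       # I/G bit set = broadcast/multicast RA
    return {"alert": "frame-from-self", "group_addressed": group,
            "from_ds": h.from_ds, "ra": h.addr1, "claimed_source": h.addr3}

# --- constructed sample frames (headers only, no payload) ---
def _frame(fc: int, a1: str, a2: str, a3: str) -> bytes:
    pack = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH", fc, 0) + pack(a1) + pack(a2) + pack(a3) + b"\x00\x00"

BSSID, NEIGHBOR = "02:00:00:00:00:01", "02:00:00:00:00:02"
STA_A, STA_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLES = [
    _frame(0x4108, BSSID, STA_A, STA_B),        # normal uplink: client -> AP
    _frame(0x4208, BCAST, BSSID, STA_B),        # broadcast claiming this AP as sender
    _frame(0x4208, BCAST, NEIGHBOR, STA_B),     # neighbouring AP's broadcast
    _frame(0x4208, BCAST, BSSID, STA_B)[:12],   # truncated capture
]

def scan(frames, own_bssid=BSSID):
    return [(i, a) for i, f in enumerate(frames) if (a := check_received(f, own_bssid))]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLES):
        print(idx, alert)
```

Only the second sample raises an alert; the neighbouring AP's broadcast and the truncated capture are ignored.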

Still, Wi-Fi APs don't detect such events today.

"But because this is important to our customers, Aerohive will be producing a software fix to provide administrators visibility into whether or not this attack is occurring on their networks and to take action automatically," Gast says. "I don't believe this is going to be unique. The entire industry will likely do something."

That's good news. It's up to you or your chief security officer to decide whether the documented vulnerability is worth losing sleep over. In the meantime, try not to shoot the messenger.


Copyright © 2010 IDG Communications, Inc.
