AirTight defends Wi-Fi WPA2 'vulnerability' claim

A "publicity stunt?" Major threat? Or easily contained?

AirTight is defending its claim to have uncovered a vulnerability in the 802.11 specification, and to have mounted an undetectable insider attack based on it. Some have dismissed it as a "publicity stunt."

Executives at AirTight are defending their description of a little-known "vulnerability" in the 802.11 standard in the face of criticism following their demonstration of a Wi-Fi exploit at the Black Hat security conference. One WLAN vendor called the claim a "publicity stunt."

Others are saying the attack, which can only be mounted by an internal authorized WLAN user, is so limited in scope that it would be easier for an attacker to just use the unattended computer in a neighbor's cubicle or even bribe a fellow employee to access data.


"What those limitations really mean is that 'YES' there are much easier ways to get the data," says Jennifer Jabbusch, chief information security officer, Carolina Advanced Digital, a Cary, N.C. IT services company. "In a scenario like this, that data is most likely (more than 99.9% likely) to be [already] unencrypted on the wire. In addition to that, the close physical proximity [required] would mean an attacker could also just as easily walk over to the victim's machine and load a tool to collect data while they're at lunch or getting a soda in the break room. The wireless attack is 'going around your butt to get to your elbow,' as we say in the South."

She analyzed the AirTight exploit earlier in her SecurityUncorked blog.

WLAN vendor Aruba Networks issued its own analysis, by Robbie Gill of the company's engineering department, which concluded, "The attack scenario described by AirTight is well known and old news – it was, in short, a publicity stunt."

Yesterday's detailed demonstration at Black Hat Arsenal, a demo area associated with the Black Hat info security conference, confirmed nearly all of the details that Jabbusch and others had been expecting. [See: "Wi-Fi WPA2 vulnerability FAQ".] It did little to convince observers that the exploit constituted a serious threat to enterprise wireless LAN security.

AirTight, which markets the SpectraGuard wireless intrusion prevention software, late last week revealed it had uncovered a vulnerability in the IEEE 802.11 specification, but released only a few details.

There are two components of the attack. The first uses what AirTight now alternately calls a "vulnerability" or a "limitation" of the 802.11 specification. Every client associated to the same access point holds the same group temporal key (GTK), which protects broadcast and multicast traffic. Because that key is shared, a frame protected with it proves only that its sender holds the GTK, not which station sent it, so a client cannot tell a forged group-addressed frame carrying the access point's address from a genuine one. The pairwise keys, which protect unicast traffic between one client and the access point, are known only to that pair, so they do let the receiver reject a frame whose claimed sender did not hold the key.

In AirTight's exploit, an attacker uses the GTK to impersonate the access point: it transmits a group-addressed ARP reply, encrypted with the GTK and carrying the access point's address, that tells another client on the same access point and the same BSSID that the default router now lives at the attacker's MAC address. This is the well-known Address Resolution Protocol (ARP) spoofing or poisoning technique; the only new ingredient is that the poisoned reply travels over the air under WPA2 encryption without ever passing through the access point. The victim then sends its traffic, protected by its own pairwise key, to the bona fide access point, which decrypts it and forwards it to the attacker masquerading as the default router.

"The subtle point (that many people seem to miss) about exploiting the GTK in WPA2 for launching an ARP Spoofing attack is that the footprint of the attack is only in the air and the payload is encrypted," says Kaustubh Phanse, principal wireless architect at AirTight. "So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs see anything abnormal. Even a wireless IPS will not catch this attack, unless it has the smartness of detecting the anomalous behavior exhibited over the air."

Phanse says that although the GTK limitation is clear in the specification "its implication, that inter-user data privacy is inherently absent in WPA2, is not obvious to the user community at large….Given that in a WPA2-secured network, all packets over the air are using the strong AES encryption, the common [mis]understanding is that no other user [including an authorized user] should be able to decrypt and steal data from another authorized user. And it was important to debunk this misconception and create awareness among the users who are relying on WPA2 to protect their Wi-Fi users."

He has a point, according to some. "Since by definition use of WPA2 means all wireless transport is encrypted, then all insider attacks are encrypted over the WLAN," says John Pescatore, a vice president at Gartner who specializes in network security. "Where they stay off the wired LAN, wired side network security does not see. That's why there is a need for WLAN IPS…"

Not everyone is buying AirTight's position.

Aerohive's Matthew Gast, who's also chairman of the Wi-Fi Alliance's Technical Security Working Group, argues in a post on the company's blog, where he quotes from several places in the IEEE standard, that to call this a "little known vulnerability" is an overstatement. "[I]t's hardly a secret that the GTK does not provide source address authentication," he insists.

"It is not clear why the AirTight attack conducts ARP poisoning by encrypting the ARP frame with GTK and directly sending it to the victim bypassing the AP," according to Aruba's Gill.

Gill says that if access-point-based countermeasures such as client isolation (the AP prevents the clients attached to it from communicating with each other) and IP/ARP spoofing prevention are absent, the attacker does not need the GTK at all: the poisoned ARP reply can be sent through the access point in the ordinary way and will trick every attached client. If those countermeasures are present and the attacker uses the GTK to slip the forged reply past them over the air, the same countermeasures still stop the victim's redirected traffic from reaching the fake default router, because that traffic has to go through the access point. Either way, Gill argues, the GTK adds nothing to the attack.
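The two halves of this argument, the GTK's lack of source authentication described above and Gill's point that client isolation still breaks the attack, can be seen in a small simulation. The following Python is an added illustration, not AirTight's, Aruba's or any other vendor's code. It stands in for CCMP's message integrity check with an HMAC-SHA256 over the frame's addresses and payload (a deliberate simplification; the key-ownership logic is what matters), and the MAC and IP addresses, key material and ARP payload format are all made up for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed toy model of one WPA2 BSS. Real 802.11 protects frames with
# CCMP (AES-CCM); HMAC-SHA256 stands in for the MIC so that the argument
# "who holds this key?" is visible in a few lines.

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_MAC = "00:aa:00:00:00:01"        # hypothetical addresses
VICTIM_MAC = "00:bb:00:00:00:02"
ATTACKER_MAC = "00:cc:00:00:00:03"
GATEWAY_IP = "10.0.0.1"             # hypothetical default router


def mic(key: bytes, src: str, dst: str, payload: str) -> str:
    """Integrity tag over the header addresses and payload (stand-in for CCMP)."""
    return hmac.new(key, f"{src}|{dst}|{payload}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Frame:
    src: str       # transmitter address as written in the header; the GTK does not prove it
    dst: str
    payload: str
    tag: str


def protect(key: bytes, src: str, dst: str, payload: str) -> Frame:
    return Frame(src, dst, payload, mic(key, src, dst, payload))


class Client:
    """A WPA2 station: a pairwise key known only to it and the AP, plus the shared group key."""

    def __init__(self, mac: str, ptk: bytes, gtk: bytes):
        self.mac, self.ptk, self.gtk = mac, ptk, gtk
        self.arp_cache: dict[str, str] = {}

    def receive(self, f: Frame) -> bool:
        if f.dst == self.mac:
            key = self.ptk          # unicast: only the AP and this station hold the PTK
        elif f.dst == BROADCAST:
            key = self.gtk          # group-addressed: every station on the BSS holds the GTK
        else:
            return False
        if not hmac.compare_digest(mic(key, f.src, f.dst, f.payload), f.tag):
            return False
        # Integrity check passed, so the station trusts the ARP reply and updates its cache.
        if f.payload.startswith("ARP-REPLY "):
            _, ip, mac = f.payload.split()
            self.arp_cache[ip] = mac
        return True


class AccessPoint:
    """Forwards unicast traffic for its stations; optionally enforces client isolation."""

    def __init__(self, stations: set[str], client_isolation: bool):
        self.stations, self.client_isolation = stations, client_isolation

    def forward(self, src: str, dst: str) -> str:
        if self.client_isolation and dst in self.stations:
            return "dropped"        # station-to-station traffic is never relayed
        return "forwarded"


def demo(client_isolation: bool) -> dict:
    gtk = os.urandom(32)
    victim = Client(VICTIM_MAC, os.urandom(32), gtk)
    attacker_ptk = os.urandom(32)   # the attacker's own pairwise key; useless against the victim
    lie = f"ARP-REPLY {GATEWAY_IP} {ATTACKER_MAC}"

    # 1. Forged group-addressed ARP reply, sent straight over the air under the GTK
    #    with the AP's address in the header. The AP never sees it.
    gtk_accepted = victim.receive(protect(gtk, AP_MAC, BROADCAST, lie))

    # 2. The same lie as a unicast frame: without the victim's PTK the MIC cannot be forged.
    ptk_accepted = victim.receive(protect(attacker_ptk, AP_MAC, VICTIM_MAC, lie))

    # 3. The victim now resolves the gateway to the attacker's MAC and sends its traffic,
    #    under its own PTK, to the real AP, which either relays it or isolates the clients.
    ap = AccessPoint({VICTIM_MAC, ATTACKER_MAC}, client_isolation)
    gateway_mac = victim.arp_cache.get(GATEWAY_IP, "")
    return {
        "gtk_forgery_accepted": gtk_accepted,
        "ptk_forgery_accepted": ptk_accepted,
        "victim_gateway_mac": gateway_mac,
        "redirected_traffic": ap.forward(VICTIM_MAC, gateway_mac),
    }


if __name__ == "__main__":
    print(demo(client_isolation=False))  # poisoned victim's traffic is forwarded to the attacker
    print(demo(client_isolation=True))   # poisoning still succeeds, but the AP drops the traffic
```

Running it shows the split the article's participants are arguing over: the forged GTK frame is accepted by the victim in both runs (the key proves nothing about the sender, and only something listening over the air could notice), while the unicast forgery fails, and with client isolation on the AP the redirected traffic is dropped before it reaches the attacker, which is Gill's point.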

"My feeling is: yes, there is a vulnerability; no, it's not a significant threat, especially to corporate resources," says CAD's Jabbusch. "The only reason I can see [for] jumping through these hoops [as an attacker] is to grab non-corporate (private) data the victim may be passing. Again, that would still be limited to unencrypted Web traffic."

Wireless LAN vendors differ in whether, or to what degree, their products can mitigate this attack.

"When the victim and client are on the same SSID on the same AP, [then] Aerohive HiveAPs are vulnerable in certain configurations – just like everybody else," says Aerohive Vice President of Product Management and Technical Marketing Adam Conway. "If a customer has peer-to-peer policy enforcement configured on our AP or clients are on other SSIDs, then they are invulnerable in our product today – this is not the case for all vendors today."

"The Xirrus Array already has tools in place to mitigate this vulnerability," says Alan Amrod, vice president of marketing at Xirrus. "The Xirrus Array has station-to-station blocking and ARP filtering features that eliminate ARP poisoning and man-in-the middle attacks on both the wired and wireless sides of the network. These features are already in use by a majority of our customers."

Aruba says its access points also enable client isolation, and in addition have the ability to block IP and ARP spoofing "by keeping track of MAC address and IP address bindings of all WLAN clients."

John Cox covers wireless networking and mobile computing for Network World.



Copyright © 2010 IDG Communications, Inc.
