Vulnerability, Potential Exploit In Cisco WLAN APs
An anonymous reader writes "The AirMagnet Intrusion Research Team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure. The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points. The potential exploit, dubbed SkyJack by AirMagnet, creates a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN."
Unintentionally? (Score:3, Interesting)
a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN.
Unintentionally?
It's one thing to accept that in the perpetual arms race you'll regularly fall behind and your job is to limit those situations to a manageable minimum. It's a completely different matter when a non-threatening actor may stumble upon a vulnerability.
"Yes, sir, the bank doors do open automatically when a stray cat passes in front of it at night. You see, cats have precisely the size we didn't account for in our supersecure doors."
Config option, not all that bad (Score:4, Interesting)
Re:The only real security.... (Score:3, Interesting)
.... Is a wire from the computer to the network.
There is no such thing as real security, the best you can hope for is secure enough, so no one wants to waste time with you.
Re:say that again? (Score:2, Interesting)
I suppose I should clarify:
Although the article states, "This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control," most business buildings are both large and concrete; there's a reason you find many access points: it's because the signal doesn't travel well, even from the hall to the back of a hotel room.
Most people don't carry around running access points, especially Cisco ones, and just happen to have OTAP turned on. It seems pretty unlikely this would happen often or at all in the wild.
Re:Unintentionally? (Score:3, Interesting)
Good arguments.
OK, then we should try to work out a way that disallows this. Guess it comes down to good ol' security and lack thereof. Not necessarily on the "culprit"'s side, i.e. the one (or the one's computer, respectively) that trespasses, more on the side of an autoconf'-able piece of hardware that isn't secured properly.
So who's to blame if something like this happens?
Re:Unintentionally? (Score:3, Interesting)
The only real fix would be better security on the side of the autoconfigurable hardware. Unfortunately, that would likely add either cost or inconvenience, or both, so I'm not sure how to push it. One concrete step, though, that I'd like to see, would be some clever thinking on making devices easier to provision without potentially dangerous trust.
For instance, in this case, the "over-the-air-configuration" stuff is obviously there for ease and convenience, but introduces security concerns. In a lot of cases, though probably not all, a device is handled at least once before being installed (if only by the guy taking it out of the box). If there were a couple of contacts on the case, containing power and a low-cost bus (i2c, 1-wire, TTL serial, whatever) and a matching cradle, you could have the installers do an offline key-fill. Have the device ship unconfigured, such that if it has no prior configuration, it will listen on that bus. Afterwards it no longer will. The installer will pull it out of the box, pop it in the cradle for ten seconds, it'll get the public key of your AP controller over that bus, and will then refuse to take orders from any controller with a different key, and will not listen to that bus in the future.
Something like that would add only a few cents to manufacturing cost, and a few seconds to install time, but would (barring hideous implementation flaws) allow 95% of the autoconfiguration without the security risks.
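The provisioning state machine sketched in the comment above, as an added example that is not part of the original thread or of any Cisco product: an access point ships with no controller key, accepts exactly one key-fill over the cradle bus while unconfigured, then closes the bus and only obeys orders carried with a valid signature under the pinned key. The signature scheme is an assumption, since the post does not name one; to keep the example stdlib-only it uses a hash-based Lamport one-time signature (each signing key is good for a single message), where a real deployment would pin a conventional reusable public key. The controller address in the order is a constructed sample value.

```python
import hashlib
import hmac
import os

# --- Minimal hash-based (Lamport) one-time signature, standard library only ---
# Assumption: stands in for whatever real signature scheme the controller would use.

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _digest_bits(msg: bytes):
    digest = _sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_sha256(a), _sha256(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the matching half of the secret pair."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Every revealed secret must hash to the public value for that bit."""
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(msg)):
        # constant-time compare; keep going so timing does not leak the bad index
        ok &= hmac.compare_digest(_sha256(sig[i]), pk[i][bit])
    return ok

# --- Access point with one-shot cradle key-fill and controller-key pinning ---

class AccessPoint:
    def __init__(self):
        self.controller_pk = None   # ships with no prior configuration
        self.bus_open = True        # cradle bus is only live while unconfigured

    def cradle_keyfill(self, controller_pk) -> bool:
        """Simulated write over the cradle bus. Honoured once, then the bus is dead."""
        if not self.bus_open:
            return False
        self.controller_pk = controller_pk
        self.bus_open = False
        return True

    def accept_order(self, order: bytes, sig) -> bool:
        """Obey an order only if it verifies under the pinned controller key."""
        if self.controller_pk is None:
            return False            # unprovisioned: take orders from nobody
        return lamport_verify(self.controller_pk, order, sig)

def run_scenario():
    """Walk through install, a second key-fill attempt, and good vs. foreign orders."""
    ap = AccessPoint()
    our_sk, our_pk = lamport_keygen()        # the enterprise's own controller
    other_sk, other_pk = lamport_keygen()    # some other controller's key
    order = b"join-controller:203.0.113.10"  # constructed sample order

    return {
        "first_keyfill": ap.cradle_keyfill(our_pk),          # expect True
        "second_keyfill": ap.cradle_keyfill(other_pk),       # expect False: bus closed
        "own_controller": ap.accept_order(order, lamport_sign(our_sk, order)),      # True
        "other_controller": ap.accept_order(order, lamport_sign(other_sk, order)),  # False
        "tampered_order": ap.accept_order(order + b"x", lamport_sign(our_sk, order)),  # False
        "unprovisioned": AccessPoint().accept_order(order, lamport_sign(our_sk, order)),  # False
    }

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The two properties that matter are in `cradle_keyfill` and `accept_order`: the bus closes after the first write, so a later physical access cannot re-point the device, and an unprovisioned device refuses every order rather than accepting the first controller it hears.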