
Wi-Fi WPA2 Vulnerability Found

Posted by kdawson
from the keep-your-enemies-closer dept.
BobB-nw sends along news based on yet another press release in advance of the Black Hat conference: a claimed vulnerability in WPA2 Enterprise that leaves traffic open to a malicious insider. "...wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available. Malicious insiders can exploit the vulnerability, named 'Hole 196' by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight. 'There's nothing in the standard to upgrade to in order to patch or fix the hole,' says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a 'zero-day vulnerability that creates a window of opportunity' for exploitation." Wi-Fi Net News has some more detail and speculation.
  • so, not a hole (Score:2, Insightful)

    by Bizzeh (851225)

    So rather than a hole, it's more a forced proxy? A user who knows your password is decrypting your traffic and re-broadcasting it with different content... If this user has your password, you need to have a think about who you give your password to.

    • Re:so, not a hole (Score:5, Insightful)

      by Iwanowitch (993961) on Saturday July 24, 2010 @08:02PM (#33017510)

      Unless the wifi network is at a Starbucks, a university or a corporation.

      That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

      • Re:so, not a hole (Score:5, Insightful)

        by Culture20 (968837) on Saturday July 24, 2010 @08:14PM (#33017590)

        > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

        How's he do that? Am I relying on WPA2 as my only encryption across the 'net?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Not through my SSL or VPN connection, he can't.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Creepy guy? Wow, you sound like an ignorant female. Laughing aloud.
      • by RAMMS+EIN (578166)

        > Unless the wifi network is at a Starbucks, a university or a corporation.
        >
        > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

        Not unless he also knows how to break SSL. I've never assumed that any path between me and my mail server was secure, whether wired or wireless, WEP or WPA. So I only read mail over end-to-end encrypted protocols. Of course, most people still send e-mail through unencrypted SMTP, and without very reliable authentication, so I assume neither

        • Re:so, not a hole (Score:4, Insightful)

          by hitmark (640295) on Sunday July 25, 2010 @04:16AM (#33019522) Journal

          Depends on how diligently one checks the certificates.

          • Re: (Score:3, Insightful)

            by RAMMS+EIN (578166)

            Correct. I have actually worked at organizations where they used a certificate signed by their own certificate whenever you accessed something over HTTPS. And since they had added their certificate to the trusted list in Internet Explorer, very few people actually noticed. I did not access my e-mail or enter any passwords not already known to those organizations over those links.

      • by dissy (172727)

        > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

        And that is different from yesterday (before the exploit was known) how exactly?

        That person not using encryption could and did have their email intercepted already. So add one more unknown person to the mix; it's not any worse than before.

        This is why one should use encryption. If the axiom 'grandma wants to check email and encryption is too hard' is actually still true, then the problem is lack of encryption. Adding one more layer of no encryption is not the thing making the situation worse.

      • Re:so, not a hole (Score:5, Insightful)

        by Nyder (754090) on Saturday July 24, 2010 @10:47PM (#33018396) Journal

        > Unless the wifi network is at a Starbucks, a university or a corporation.
        >
        > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

        No, the creepy guy sitting 2 tables from you? He's just viewing porn.

        See that nicely dressed businesswoman? She's stealing your data.

      • Aren't those completely open APs anyway?
      • Re: (Score:2, Interesting)

        by silverdr (779097)
        > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

        Can he?

        Ah - you wrote "_your_ e-mail", right? I am pretty sure he can't do much of reading of _my_ e-mail based on this particular exploit.

        And if _you_ rely on WPA (or whatever) within your (W)LAN to protect you from unauthorised reading of your e-mail, then you should really reconsider your approach to data security.
    • by yuhong (1378501)
      Except that they don't need your password, all they need is access to any user account on your WPA(2) network to sniff the Wi-Fi traffic of any other user.
      • Re:so, not a hole (Score:5, Interesting)

        by zippthorne (748122) on Saturday July 24, 2010 @11:47PM (#33018622) Journal

        So... it's the same as wired ethernet, then? Except that instead of just plugging in a wire and sniffing away, it takes a small amount of effort?

        I guess "WiFi is slightly safer than wired networks, when it comes to malicious peers" isn't quite as attention grabbing a headline.

        • by hitmark (640295)

          Depends, are we talking hub or switch?

          • by Sique (173459)

            We are talking switch here:

            monitor session 1 source interface Gi0/1 - 23
            monitor session 1 destination interface Gi0/24

            • by hitmark (640295)

              That would indicate that you're inside the settings of the switch, IIRC. That's a bit more access than just plugging a computer in and setting it to sniff any traffic it sees.

          • Re:so, not a hole (Score:4, Informative)

            by amorsen (7485) <benny+slashdot@amorsen.dk> on Sunday July 25, 2010 @06:30AM (#33019930)

            Do not rely on switches for security within a particular VLAN, unless you go high-end and really know what you are doing. There are a million ways to beat switch "security", including MAC spoofing, forcing the switch to flood traffic, fake DHCP, fake ARP, fake RA or ND (on IPv6). Each of those attacks can be stopped by a sufficiently clever and well-configured switch, although right now it is difficult to find one that can do RA and ND protection.

    • Re: (Score:2, Insightful)

      by mr exploiter (1452969)

      Am I the only one who thought that WPA didn't protect against what this "attack" is doing? I'm not convinced either that this is a real vulnerability.

  • by Denis Lemire (27713) on Saturday July 24, 2010 @07:59PM (#33017478) Homepage

    This vulnerability is only useful if the attacker knows your WPA key. In other related news, it has been discovered that those who know your root password can delete all your files.

    • Re: (Score:3, Interesting)

      by tagno25 (1518033)

      > This vulnerability is only useful if the attacker knows your WPA key.

      This is for WPA2-EAP (may or may not cover WPA2-PSK). So they need a valid username and password, not just a key.

    • by maximander (806231) on Saturday July 24, 2010 @08:13PM (#33017586)

      When I give someone my root password, I assume they can delete all my files.
      When I give them a limited shell account and set permissions correctly, I don't make that assumption.

      This exploit is more like the latter than the former: WPA was supposed to keep traffic of each individual user safe, and now it doesn't.

      • by Denis Lemire (27713) on Saturday July 24, 2010 @08:22PM (#33017658) Homepage

        Meh, if you have anything sensitive that you're sending over the network it should be sent securely, period, i.e. via SSH, HTTPS, etc. Otherwise, you're just doing it wrong.

        Having an additional layer like WPA provided is indeed a nice thing, but this being compromised isn't the end of the world. I'd be far more concerned if there was a vulnerability that allowed someone to bypass WPA altogether and connect to a network in which he or she isn't authorized.

        The encryption of the traffic itself really isn't that much of a selling point when it'll continue across the wired network in the clear once it hits the router or switch upstream. Encryption that isn't end-to-end really isn't worth the time spent talking about it.

        • by yuhong (1378501) <yuhongbao_386NO@SPAMhotmail.com> on Saturday July 24, 2010 @08:51PM (#33017836) Homepage
          Yep, WEP stood for Wired Equivalent Privacy, which was all it and WPA(2) was intended to provide, nothing more.
      • Re: (Score:3, Insightful)

        by Shadyman (939863)
        > When I give them a limited shell account and set permissions correctly, I don't make that assumption.

        Isn't the idea to always expect the worst? I'd tend to assume that if I give anyone any access at all, that they will find a way to break it.
        • > Isn't the idea to always expect the worst? I'd tend to assume that if I give
          > anyone any access at all, that they will find a way to break it.

          The worst would be to assume that they will find a way to break it no matter what you do even with no access at all and so it is all hopeless.

  • Yawn (Score:3, Insightful)

    by Jeffrey Baker (6191) on Saturday July 24, 2010 @08:03PM (#33017520)

    In other news, people on your wired ethernet segment can also see your "private" traffic. If you care so much, use SSL. Next scaremongering non-story in 3, 2, 1.

    • Not normally (Score:3, Insightful)

      by Sycraft-fu (314770)

      The whole point of a switch is that it sends data only to the host that it is for. So you don't get my data out your switch port. If you clone a MAC, that doesn't do the trick as it just confuses the switch and some data goes to one computer, some to the other, and the connection works poorly. Back in the day you could overload the switches in various ways and make them act like hubs, but that is also noticeable, and it doesn't work on new high quality switches.

      Wired networks are actually pretty secure from

      • Of course, this is why serious attackers on a switch don't try cloning MACs. They send gratuitous ARPs to the systems they want to sniff traffic from and pretend to be the default router. Or they take over the root of the spanning tree on the switch. Or they send an email to their target that says "Click this link to download nekkid pictures of " but actually installs a keystroke logger.

        None of that is as hard as the 133t hax0rs want you to believe. Not trivial, and not undetectable, but not particularly
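        As an added, defender-side illustration of amorsen's comment above (switch "security" can be beaten by MAC spoofing, flooding, fake DHCP, fake ARP and fake RA unless the switch is well configured) and of the gratuitous-ARP and spanning-tree tricks mentioned in the comment just above, here is a constructed Cisco IOS access-switch configuration; it is not from any commenter or from AirTight, and VLAN 10, the Gi0/1-23 user ports and the Gi0/24 uplink are assumptions borrowed from Sique's monitor-session example.

```cisco
! Constructed example: hardening an access switch against the layer-2
! attacks listed in the thread. VLAN 10 and the port layout are assumptions.
!
! Fake DHCP: only the trusted uplink may answer DHCP. Snooping also builds
! the IP/MAC binding table that DAI and IP Source Guard check against.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Fake / gratuitous ARP ("I am the default router"): Dynamic ARP Inspection
! drops ARP packets whose sender IP/MAC does not match a snooped binding.
ip arp inspection vlan 10
!
! Fake RA (IPv6): a RA Guard policy for ports that face hosts only.
ipv6 nd raguard policy HOSTS
 device-role host
!
interface range GigabitEthernet0/1 - 23
 description user-facing access ports
 switchport mode access
 switchport access vlan 10
 ! MAC spoofing and CAM-table flooding: cap the MACs learned per port.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Source-IP spoofing: forward only traffic from snooped bindings.
 ip verify source
 ! Router advertisements from a host port are dropped.
 ipv6 nd raguard attach-policy HOSTS
 ! Broadcast storms used to force the switch into flooding.
 storm-control broadcast level 1.00
 ! Spanning-tree root takeover: a BPDU from a host port shuts it down.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description uplink towards router and DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
```

The `violation restrict` and `bpduguard` events show up as syslog messages, which is where a malicious peer on the wired side becomes detectable rather than merely blocked.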

        • by hitmark (640295)

          The email keylogger has nothing to do with the kind of network one is running...

  • by CaptSaltyJack (1275472) on Saturday July 24, 2010 @08:05PM (#33017542)
    "I'm starting with the man in the middle
    I'm asking him to change his ways
    Every packet is encrypted just a little
    If you wanna make your network a safer place
    Find the man in the middle and punch his face."
  • Mommy, Jimmy's sniffing my packets again, make him stop!

  • VPN (Score:5, Insightful)

    by Jaime2 (824950) on Saturday July 24, 2010 @09:07PM (#33017916)
    I've been telling people to use VPN over WiFi connections forever. Even better, put your wireless devices on the outside of the firewall, so they have no choice but to VPN in. This also makes giving a random guest access to your wireless no big deal. Anyone who thinks wireless networking will ever be safer than an old-fashioned hub is deluding themselves.
    • But the article pretty clearly demonstrates that it already is safer than the old-fashioned hub: with the old fashioned hub, every computer can hear every other computer, and nobody encrypts anything at all by default. Even with the new exploit, there are some parts of the communication that still aren't compromised by a malicious peer, which is something that wired "hub" networks really can't claim. (switched networks OTOH, if you've got enough switches...)

      Also, with VPN, once someone is connected to the

    • Any one who thinks wireless networking will ever be safer than an old-fashioned bath tub is deluding themselves.

      There, that's fixed it for you!

  • Hi.

    We recently had some security tests with a consulting firm and, while no WiFi test was done (we have no WiFi), I was curious and asked the guy about WiFi security. He told me that, given that there was constant traffic, he could break any WiFi in about two hours. So I do not know if this vulnerability is a completely different thing or that guy was just too optimistic.

    Does anyone have first-hand info?

    • Statements like, "I could break any WiFi in about two hours," are red flags that you should hire a different security researcher...

      The terms "any", "ever" or "all" are not in most security researchers' vocabularies when talking about unknowns or speculative situations.
      We prefer to use terms that imply some degree of uncertainty such as "mostly", "almost never", and "nearly all" since the one thing we know
      as security researchers is "trust no one", followed closely by "there is almost always an exception to

  • So, if you grant someone access to your encrypted wireless network, the person you granted access to can access data on that network? Who would have thunk it?

    • by udippel (562132)

      > So, if you grant someone access to your encrypted wireless network, the person you granted access to can access data on that network? Who would have thunk it?

      Is that 'data' in your sentence or 'encrypted data'?
      Is that 'data' in your sentence or 'keys'?

  • Just to make sure (I've never read the WPA2-EAP specs), the login username/password for access to the wireless is encrypted with another layer and isn't now cleartext to any malicious authenticated user? Any place with single sign-on for Wireless and Computers could be seriously exposed to internal baddies.
  • In other words, if someone is already logged into a network they can perform a MITM attack against user(s) on that network?

    Maybe it's just me, but I never considered traffic *within* a network to be secure from other network users, even on a wired network.

  • Is there any wi-fi crypto left standing?

    I understand that only applies to Enterprise mode; so will enterprises revert to using passphrases? Or if you use passphrases you already don't have protection from your peers?

    Also, TFA talks only about WPA2. However, there seems to be no reason to think it does not apply to WPA as well. Is anyone sure?

  • > Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight

    Wouldn't it be easier for said malicious insider to just give the man-in-the-middle the PSK?

  • Anyone else note the gratuitous dig at open source:

    > user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software,

    So I guess everything would be OK except for those pesky kids and their free software. *sigh*

    -- MarkusQ

  • by X.25 (255792)

    Holy crap, I am really sentimental now.

    I remember the good old days of the security world, where BH/CCC/Defcon/etc presentations were technical marvels and the work of extremely bright people.

    Ah, good old days...

  • by fph il quozientatore (971015) on Sunday July 25, 2010 @03:40AM (#33019406) Homepage
    ...I'm using WEP, so I am perfectly safe!
  • > Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet

    Which is no longer used in current Linux kernels (and won't even compile properly without major tweaks).

    > The problem appears restricted to WPA Enterprise (802.1X with TKIP/AES-CCMP) in practical terms, because a malicious user must have legitimate credentials to gain access to the network to exploit the flaw.

    And admin level access to the system to perform MAC spoofing. Sure, another user could

    • by Splab (574204)

      Uhm, what?

      The point of MadWiFi is he can use that to exploit the WPA2; it seems that you think it's an exploit within the drivers. Doesn't matter if it's used in the current kernels, you can just install an earlier version.

      Also, this exploit is useful if you have access to the network, since you have physical access to some machine near the AP, you have some admin access to the machine, thus this is very much an issue if you only rely on WPA2.
