Wi-Fi WPA2 Vulnerability Found 213
Posted by kdawson
from the keep-your-enemies-closer dept.
BobB-nw sends along news based on yet another press release in advance of the Black Hat conference: a claimed vulnerability in WPA2 Enterprise that leaves traffic open to a malicious insider. "...wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available. Malicious insiders can exploit the vulnerability, named 'Hole 196' by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight. 'There's nothing in the standard to upgrade to in order to patch or fix the hole,' says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a 'zero-day vulnerability that creates a window of opportunity' for exploitation." Wi-Fi Net News has some more detail and speculation.
so, not a hole (Score:2, Insightful)
so rather than a hole, it's more a forced proxy? a user who knows your password is decrypting your traffic and re-broadcasting it with different content... if this user has your password, you need to have a think about who you give your password to
Not that big a deal... (Score:5, Insightful)
This vulnerability is only useful if the attacker knows your WPA key. In other related news, it has been discovered that those who know your root password can delete all your files.
Re:so, not a hole (Score:5, Insightful)
Unless the wifi network is at a Starbucks, a university or a corporation.
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
Yawn (Score:3, Insightful)
In other news, people on your wired ethernet segment can also see your "private" traffic. If you care so much, use SSL. Next scaremongering non-story in 3, 2, 1.
Re:so, not a hole (Score:5, Insightful)
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
How's he do that? Am I relying on WPA2 as my only encryption across the 'net?
Re:so, not a hole (Score:2, Insightful)
Not through my SSL or VPN connection, he can't.
Re:Not that big a deal... (Score:5, Insightful)
M'eh, if you have anything sensitive that you're sending over the network it should be sent securely, period, i.e. via SSH, HTTPS, etc... Otherwise, you're just doing it wrong.
Having an additional layer like WPA provided is indeed a nice thing, but this being compromised isn't the end of the world. I'd be far more concerned if there was a vulnerability that allowed someone to bypass WPA altogether and connect to a network in which he or she isn't authorized.
The encryption of the traffic itself really isn't that much of a selling point when it'll continue across the wired network in the clear once it hits the router or switch upstream. Encryption that isn't end-to-end really isn't worth the time spent talking about it.
Re:so, not a hole (Score:1, Insightful)
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
How's he do that? Am I relying on WPA2 as my only encryption across the 'net?
if you're dumb enough to do that for anything important to you, especially when using a wireless network you do not own, then you pay the stupidity tax. that's all. seems fair enough to me so long as no one is representing WPA2 as the be-all and end-all of perfect security, and in that case the unfairness is limited to that person or corporation only.
Isn't the idea to always expect the worst? I'd tend to assume that if I give anyone any access at all, that they will find a way to break it.
Yeah, stupid standard users who have no idea. Luckily we are the elite, so we are not affected. Right?
Re:so, not a hole (Score:3, Insightful)
can use the shared key to spoof the AP and send messages to other users, and force them to give up or change their unique per-user keys
I haven't read the spec, but it seems odd that per-user keys would be given up or changed in response to a broadcast message. Could this attack be mitigated by only performing these kinds of actions in response to direct, non-broadcast messages?
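An added example, not code from the thread, from AirTight, or from any 802.11 stack, that puts the two ideas in this comment into runnable form: on the AP side, spotting a group-addressed frame that names the AP's BSSID as transmitter but that the AP never sent (someone holding the shared group key forged it), and on the client side, refusing to act on key-management traffic unless it arrived unicast, as the 4-way and group-key handshakes are in 802.11i. All MAC addresses, frame bytes and the AP's transmit log are constructed for the example; the parser handles only the 24-byte data-frame header plus LLC/SNAP and ignores encryption and the four-address format.

```python
# Added example (not from the Slashdot thread, AirTight or any 802.11 implementation):
# defensive checks around group-key (GTK) frame forgery. All frame bytes are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

ETHERTYPE_EAPOL = 0x888E   # 802.1X / EAPOL-Key (4-way and group-key handshakes)
ETHERTYPE_IPV4 = 0x0800
FC_TYPE_DATA = 2
FC_FLAG_FROM_DS = 0x0200   # FromDS bit of the 16-bit little-endian Frame Control field
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_group_addr(mac: str) -> bool:
    # I/G bit: the least-significant bit of the first octet is set for broadcast/multicast
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class DataFrame:
    addr1: str            # receiver address (DA when FromDS=1)
    addr2: str            # transmitter address (the BSSID when FromDS=1)
    addr3: str            # source address when FromDS=1
    seq: int              # 12-bit sequence number from Sequence Control
    ethertype: Optional[int]
    payload: bytes


def build_data_frame(dst: str, bssid: str, src: str, seq: int, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal AP->STA data frame as it looks after decryption (no CCMP header)."""
    fc = (FC_TYPE_DATA << 2) | FC_FLAG_FROM_DS
    header = struct.pack("<HH", fc, 0) + mac_bytes(dst) + mac_bytes(bssid) + mac_bytes(src)
    header += struct.pack("<H", (seq & 0xFFF) << 4)
    return header + LLC_SNAP + struct.pack(">H", ethertype) + payload


def parse_data_frame(raw: bytes) -> DataFrame:
    """Parse the 24-byte MAC header plus LLC/SNAP; rejects non-data frames and short input."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _duration = struct.unpack_from("<HH", raw, 0)
    if (fc >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    (seqctl,) = struct.unpack_from("<H", raw, 22)
    body = raw[24:]
    ethertype = None
    if body[:6] == LLC_SNAP and len(body) >= 8:
        ethertype = struct.unpack_from(">H", body, 6)[0]
        body = body[8:]
    return DataFrame(mac_str(a1), mac_str(a2), mac_str(a3), seqctl >> 4, ethertype, body)


def ap_side_spoof_check(bssid: str, ap_tx_seqs: Set[int], observed: List[bytes]) -> List[DataFrame]:
    """WIDS-style check on the AP side: a group-addressed frame seen on the air that names this
    BSSID as transmitter, but whose sequence number the AP itself never emitted, was forged by
    a holder of the shared group key (the insider scenario the thread is about)."""
    alerts = []
    for raw in observed:
        f = parse_data_frame(raw)
        if f.addr2 == bssid and is_group_addr(f.addr1) and f.seq not in ap_tx_seqs:
            alerts.append(f)
    return alerts


def client_should_process(f: DataFrame) -> bool:
    """Client-side rule: EAPOL key-management traffic is delivered unicast in 802.11i, so a
    group-addressed EAPOL frame is never legitimate and must not trigger a rekey or key release."""
    return not (f.ethertype == ETHERTYPE_EAPOL and is_group_addr(f.addr1))


# Constructed sample: the AP's own transmit log for this interval, then four frames captured
# over the air, two genuine and two forged by a station that holds the group key.
BSSID = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
STATION = "aa:bb:cc:dd:ee:01"
AP_TX_SEQS = {10, 11, 12}
OBSERVED = [
    build_data_frame(BROADCAST, BSSID, BSSID, 11, ETHERTYPE_IPV4, b"genuine-broadcast"),
    build_data_frame(BROADCAST, BSSID, BSSID, 3001, ETHERTYPE_IPV4, b"forged-broadcast"),
    build_data_frame(BROADCAST, BSSID, BSSID, 3002, ETHERTYPE_EAPOL, b"\x02\x03"),
    build_data_frame(STATION, BSSID, BSSID, 12, ETHERTYPE_EAPOL, b"\x02\x03"),
]


def demo():
    """Return the forged sequence numbers the AP flags and the client's accept decisions."""
    alerts = ap_side_spoof_check(BSSID, AP_TX_SEQS, OBSERVED)
    accepted = [client_should_process(parse_data_frame(r)) for r in OBSERVED]
    return [a.seq for a in alerts], accepted


if __name__ == "__main__":
    print(demo())  # ([3001, 3002], [True, True, False, True])
```

The AP-side check is the stronger of the two, because the forger cannot avoid putting the BSSID in the transmitter field if it wants stations to accept the frame as the AP's; the client-side rule answers the comment's question directly, since key changes should only ever follow a unicast handshake.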
Re:Not that big a deal... (Score:4, Insightful)
It's "Wired Equivalent Privacy" only if your idea of "wired privacy" involves dangling a cable out the window down into the alley behind the building.
Re:so, not a hole (Score:0, Insightful)
Yeah, stupid standard users who have no idea. Luckily we are the elite, so we are not affected. Right?
what an absolutely predictable response. yes people who can inform themselves about important matters such as their own security, with freely available information, at their own leisure and at the cost of only a bit of effort, who then refuse to inform themselves are stupid. that's correct. there is nothing wrong with saying so. they aren't stupid because their actions are not likable, they are stupid because they do not look after their own interests. they are especially stupid because they view education as something that only a teacher or professor can give to them.
let's get this part straight. an action that harms or potentially harms others in order to benefit yourself is selfish. an action that harms or potentially harms you in order to benefit others is sacrificial and altruistic. an action that harms or potentially harms you while benefitting no one else is stupid. it's really that simple. if stupidity is painful it is not because i frown upon it, it is because it is inherently a self-defeating idea.
now, i wish all instances of an "elite" were like this one. anyone who is literate and wishes to join this "elite" can find lots of excellent documentation for free literally at the touch of a button. they will find it for audiences ranging from beginner/entry-level to experienced expert and anything in-between. the willingness to do some reading and educate oneself is the only barrier to entry for joining this "elite".
want to talk about financial and industrial elites? how about governmental or military elites? think those are so easy to join up with? didn't think so.
besides, one need not become an expert in computer security. you don't have to comprehend encryption algorithms or the cryptanalytic techniques used to compromise them. you don't need to be a programmer. all you have to do is understand that when you are using someone else's network, you have no default expectation of privacy and should plan accordingly. you don't have to understand how SSL works to know that it is a remedy for this situation, same deal with a VPN. an idiot is capable of understanding that.
i would love to see how you respond to this. it is likely though not certain that you will read it, but will not respond to it. after all you might want to save face and all of that, and that is hard to do with a childish and utterly predictable response like the one you have committed yourself to.
Not normally (Score:3, Insightful)
The whole point of a switch is that it sends data only to the host that it is for. So you don't get my data out your switch port. If you clone a MAC, that doesn't do the trick as it just confuses the switch and some data goes to one computer, some to the other, and the connection works poorly. Back in the day you could overload the switches in various ways and make them act like hubs, but that is also noticeable, and it doesn't work on new high quality switches.
Wired networks are actually pretty secure from snooping over all. It's not impossible, but it is damn hard.
Fire the consultant (Score:2, Insightful)
Statements like, "I could break any WiFi in about two hours," are red flags that you should hire a different security researcher...
The terms "any", "ever" or "all" are not in most security researchers' vocabularies when talking about unknowns or speculative situations.
We prefer to use terms that imply some degree of uncertainty such as "mostly", "almost never", and "nearly all", since the one thing we know as security researchers is "trust no one", followed closely by "there is almost always an exception to the rule".
I'm certain that there is at least one "WiFi" your researcher could not break in approximately two hours, thus voiding the "any" term they used.
When in doubt just say, "Prove it."
Re:so, not a hole (Score:5, Insightful)
Unless the wifi network is at a Starbucks, a university or a corporation.
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
No, the creepy guy sitting 2 tables from you? He's just viewing porn.
See that nicely dressed business woman? She's stealing your data.
Re:so, not a hole (Score:2, Insightful)
Am I the only one who thought that WPA didn't protect against what this "attack" is doing? I'm not convinced either that this is a real vulnerability.
Re:so, not a hole (Score:3, Insightful)
Pedestrians should look both ways before they cross the road and observe the local traffic laws and customs. That's taking an active interest in your own personal security. But also, vehicle operators should be wary of pedestrians and certainly try not to run them over, even if they don't look both ways.
The problem here isn't that we shouldn't strive to educate users. The problem is that the user being poorly educated in these matters isn't an excuse for running somebody over.
Re:so, not a hole (Score:4, Insightful)
depends on how diligently one checks the certificates.
Re:so, not a hole (Score:4, Insightful)
or assassinated
Re:so, not a hole (Score:1, Insightful)
Yeah, but when a woman does it, it's hot!
Re:Discrepancy: Theory vs. Practice (Score:4, Insightful)
Because in practice, making sure that there is absolutely no hint of a secure piece of information is incredibly tricky. Most programmers traditionally have little concept of actual *secure* programming. Most implementations of perfectly secure algorithms are subject to flaws because people didn't treat side-cases, or properly analyse how the traffic use would affect the algorithm, etc. e.g. not renegotiating keys often enough, so that people can see enough traffic to decrypt a key in a relatively short space of time.
Additionally, this isn't an attack on the crypto. The crypto secures the conversation; it does not necessarily prove identity, and if it does prove identity most places don't care about the identity (how many companies distinguish individual users/computers over the wireless network by anything other than MAC/IP/username given?). AES is still 100% perfectly intact. If you'd been using, say, OpenVPN or OpenSSH with the same algorithm over an unsecured wireless network, the internal encrypted conversation would still be virtually as secure today as it was when AES was invented. The problem is that the *implementation* of AES wasn't designed to cover the usage scenario here, and probably never could be because of the way the access to this particular tiny piece of this part of the broadcast specification is granted. Basically, the flaw has always been sitting there in WPA, not in AES which is still chugging along nicely doing its job. Shocking that a wireless "encryption" fails to properly implement a security scheme because of a bad implementation that side-steps the actual encryption itself... that's never ever happened before ever anywhere :-P
Moral of the story: only trust crypto from those well-established in the crypto-field that's been attacked and attacked and still is approved for government/military use in lots of sensible countries. And then make sure you have a damn good implementation that's not overly complex, or cast in stone, such that most people can't examine it / play with it / fix it.
If you'd been running OpenVPN over the same wireless network, but using OpenVPN's key infrastructure and encryption instead of WPA or WEP or anything at all (i.e. completely "open" wireless) you would still be secure. A bad implementation of a particular encryption in WPA allows people to bypass steps of the actual encryption process that were never designed to be bypassed. It's almost an "out of band" security vulnerability - i.e. nothing to do with whether you use AES or Blowfish or 3DES or whatever you choose... they basically find a way around the (still theoretically secure) encryption that has no effect on the efficacy of the encryption itself.
Basic rule: Just because your "Ethernet-over-the-mains" device says it uses AES, don't think that means it's "secure". Chances are that it's not.
Re:so, not a hole (Score:3, Insightful)
Correct. I have actually worked at organizations where they used a certificate signed by their own certificate whenever you accessed something over HTTPS. And since they had added their certificate to the trusted list in Internet Explorer, very few people actually noticed. I did not access my e-mail or enter any passwords not already known to those organizations over those links.