Secure Your Network (and Clients) Against Hole 196
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on Wi-FiPlanet
In the last month, there has been much publicity over a "new" vulnerability in WPA/WPA2 encryption (unofficially named "Hole 196") originating from AirTight Networks. Here I'll briefly describe the weakness, then share tips on how to protect yourself from attacks using this exploit, whether on your network or when using public networks.
I used the word "new" with quotes as this isn't technically a fresh vulnerability. The name "Hole 196" was coined because the vulnerability is hinted at on the last line of page 196 of the revised IEEE 802.11-2007 specification. This is the standard all Wi-Fi products are based on. AirTight Networks has merely brought light to the issue.
Understanding the Hole 196 vulnerability
First, it's important to understand that attacks using this vulnerability must be performed from within the network. The culprit must already have network credentials and be successfully connected. Attacks can't be made against a corporate network by Joe Hacker in the parking lot, unless Joe somehow got the login information for the network. Attacks are more likely to come from a rogue employee or insider.
The Hole 196 vulnerability applies to both the Enterprise (802.1X) and Personal (PSK) modes of Wi-Fi Protected Access; however, it's more significant to wireless networks using the Enterprise mode. Another important note -- others refer to this as a WPA2 weakness, but it actually applies to both versions: WPA (TKIP) and WPA2 (AES).
To understand the vulnerability, you must realize one of the benefits of using the Enterprise mode of WPA/WPA2: each user or connection receives its own encryption key. Thus, users can't decrypt the traffic of other users -- or so we thought. When using Personal mode, users connect with a single encryption key, thus they can by default read each other's traffic.
The Hole 196 vulnerability lets users on a network protected with the Enterprise mode decrypt packets from other users. It's not truly cracking the encryption. It's a man-in-the-middle attack using the ARP cache-poisoning technique, like we've seen on wired networks. The underlying issue is with the 802.11 protocol.
Keep in mind, this vulnerability also applies to public networks that secure their Wi-Fi hotspots with Enterprise encryption and 802.1X authentication. A hotspot user might snoop on unsuspecting users who thought their traffic was protected.
The bottom line is that an authorized user can capture the decrypted traffic of other users, send potentially harmful traffic (such as malware) to them disguised as one of the network's access points (APs), and/or perform denial-of-service attacks.
Protecting your network from the vulnerability
While we wait for vendors and standards to patch this security hole, here are a few things you can do to help mitigate the vulnerability on your private network:
- Segregate access with VLANs and virtual SSIDs: Putting departments and groups on different virtual networks can help isolate the attacks to only the originating virtual network. Smaller businesses can use the DD-WRT firmware replacement to get the virtual LAN and multiple SSID support.
- Enable client isolation: Some vendors include this proprietary feature on their APs and controllers, though with varying names for the feature. It stops user-to-user communication; therefore it helps protect users against part (not all) of the attacks this vulnerability enables.
- Use VPN connections too: If you are really paranoid, you can tunnel each user's traffic through a VPN server. Thus if someone successfully eavesdrops on another user, the culprit will just see a bunch of gibberish. If you don't already have a VPN solution, consider OpenVPN.
In the near future, you should:
- Update AP firmware: Vendors may fix this issue with a simple software update, so make sure you keep your APs and other network components up to date.
- Update your wireless IDS/IPS systems: Wireless intrusion detection systems (IDS) and intrusion prevention systems (IPS) have the ability to detect and alert you to these types of attacks. These solutions will likely be updated to detect Hole 196, so make sure you keep them updated. If you don't already have a wireless IDS/IPS system in place, consider one now.
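The attack described above is ARP cache poisoning carried over the wireless network, and the IDS/IPS tip is about detecting it. What follows is an added example, not code from the article or from any IDS vendor: a small Python monitor that pins the gateway's IP-to-MAC binding, learns the other stations' bindings from traffic, and raises an alert whenever an ARP reply or gratuitous ARP claims an IP address for a different MAC. All addresses and frames are constructed sample data, and the class and alert names (`ArpMonitor`, `scan`, `pinned-binding-violation`, `learned-binding-changed`) are this example's own.

```python
"""Detecting the ARP cache poisoning that Hole 196 enables.

Added example, not from the article or from AirTight Networks. It models what
an IDS sensor does for this class of attack: pin the gateway/AP's IP-to-MAC
binding, learn the rest, and alert when an ARP reply or gratuitous ARP claims
an IP for a different MAC. All addresses and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpEvent:
    """One ARP frame as a sensor sees it; op is 'request' or 'reply'."""
    op: str
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces sender_ip at sender_mac to everyone;
        # hosts refresh their cache from it, which is what poisoning abuses.
        return self.sender_ip == self.target_ip


@dataclass(frozen=True)
class Alert:
    kind: str          # "pinned-binding-violation" or "learned-binding-changed"
    ip: str
    expected_mac: str
    seen_mac: str


class ArpMonitor:
    """Tracks IP-to-MAC bindings and flags conflicting claims."""

    def __init__(self, pinned: Dict[str, str]):
        # Bindings the operator trusts (the AP/gateway); never overwritten.
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        # Bindings learned from traffic; a change is suspicious, not fatal.
        self.learned: Dict[str, str] = {}

    def observe(self, ev: ArpEvent) -> Optional[Alert]:
        # Only replies and gratuitous announcements update a host's cache;
        # an ordinary who-has request carries no claim worth checking.
        if ev.op != "reply" and not ev.is_gratuitous():
            return None
        mac = ev.sender_mac.lower()
        expected = self.pinned.get(ev.sender_ip)
        if expected is not None:
            if expected != mac:
                return Alert("pinned-binding-violation", ev.sender_ip, expected, mac)
            return None
        previous = self.learned.get(ev.sender_ip)
        self.learned[ev.sender_ip] = mac
        if previous is not None and previous != mac:
            return Alert("learned-binding-changed", ev.sender_ip, previous, mac)
        return None


def scan(events: List[ArpEvent], pinned: Dict[str, str]) -> List[Alert]:
    """Run every event through a fresh monitor and collect the alerts."""
    monitor = ArpMonitor(pinned)
    return [a for a in (monitor.observe(ev) for ev in events) if a is not None]


# Constructed sample data: the AP/gateway is 192.168.1.1 at aa:bb:cc:00:00:01.
GATEWAY_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_EVENTS = [
    # legitimate reply from the gateway
    ArpEvent("reply", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.20", "00:11:22:33:44:55"),
    # a normal station answering the gateway; its binding is learned
    ArpEvent("reply", "192.168.1.20", "00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:00:00:01"),
    # a plain who-has request: no claim, ignored
    ArpEvent("request", "192.168.1.30", "00:11:22:33:44:66", "192.168.1.1", ZERO_MAC),
    # gratuitous ARP claiming the gateway IP for another MAC: the poisoning attempt
    ArpEvent("request", "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.1", ZERO_MAC),
    # the same MAC now also claims a previously learned station's IP
    ArpEvent("reply", "192.168.1.20", "de:ad:be:ef:00:99", "192.168.1.30", "00:11:22:33:44:66"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, GATEWAY_BINDINGS):
        print(f"{alert.kind}: {alert.ip} expected {alert.expected_mac}, saw {alert.seen_mac}")
```

Pinning the gateway separately from the learned table is the design point: a station legitimately changing its MAC (a replaced adapter) is only a warning, but any frame that claims the gateway's address for a different MAC is the exact symptom of this attack and should page someone.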
Protecting yourself from the vulnerability on public networks
As briefly mentioned, the Hole 196 vulnerability also applies to secure public networks or Wi-Fi hotspots that use WPA/WPA2-Enterprise with 802.1X authentication. Since anyone can pay to connect, this might be where we see the most attacks of this kind. Like on a private network, a hacker might be able to capture your decrypted network/Internet traffic and possibly send you harmful traffic.
However, protecting your traffic isn't difficult. Tunnel into a VPN server and your real traffic can't be captured. If you don't have a VPN server at home or work, consider a commercial or free hosted service.
This isn't the only vulnerability
Remember, this is just one of many vulnerabilities of using wireless networks. I'll leave you with a couple more tips to keep you and your network safe:
- When using the Personal (PSK) mode, use long, complex mixed-character passphrases--shorter ones can be guessed by dictionary-based attacks.
- When using the Enterprise mode with 802.1X, properly configure these three key PEAP or certificate settings in Windows, otherwise you'll be susceptible to man-in-the-middle attacks:
  - Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
  - Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
  - Check Do not prompt user to authorize new servers or trusted certificate authorities.
- Wi-Fi networks used by businesses or organizations should always be using the Enterprise mode, so access can be better controlled. Though it requires a RADIUS server, there are hosted solutions for smaller organizations.
- Don't rely on disabling SSID broadcasting or MAC address filtering for security.