Wireless Vulnerabilities and Threats
Wireless Vulnerability Management
New and upcoming standards
Café Latte Attack (WEP/WPA/WPA2 TKIP Attack)
What is the "Hole196" vulnerability?
Just as a virus spreads from an infected host to a healthy one, a viral SSID spreads from an infected wireless-enabled computer to another. Technically, a viral SSID is the network name (SSID) of an ad-hoc or peer-to-peer network connected over WiFi. In contrast, non-viral SSIDs are the network names of infrastructure networks (comprising clients connected via an AP). “Free Public WiFi,” “hpsetup,” and “default” are some examples of viral SSIDs.
An ad-hoc network is formed when clients connect to each other directly without depending on an AP for communication. Ad-hoc networks are a major threat to network security as ad-hoc clients bypass the organization’s security policy control and content filters. Unauthorized users could enter private networks by establishing ad-hoc connections with authorized user devices.
A DoS attack disrupts normal network operation by making network services unavailable for legitimate users. In wireless networks, a DoS attack involves jamming a frequency band by sending high-power noise on that frequency or transmitting frames to disallow medium access to legitimate users.
Features in the 802.11 standard can be misused to launch a DoS attack. A malicious user can spoof the MAC address of a legitimate device and send fake management messages (e.g., deauthentication, disassociation) to disconnect the device. Alternatively, the 802.11 virtual carrier sensing mechanism can be exploited by reserving the medium for large intervals, so that legitimate clients cannot access the medium during this time.
802.11 management messages are sent unencrypted, allowing a malicious user to fake them and launch a DoS attack. The IEEE 802.11 working group is developing the 802.11w standard for encrypting management frames. When this standard is available, it will protect WiFi networks from some DoS attacks. A more powerful and complete solution is to use an automatic wireless intrusion blocking system that truly prevents all kinds of 802.11 DoS attacks.
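Because deauthentication and disassociation frames are unencrypted and carry a spoofable sender address, a monitor cannot trust who sent them; what it can observe is the rate at which they arrive and whether their sequence numbers are in step with the AP's own frames. The following added example (not code from the original page) applies both heuristics to a constructed capture of management frames. The `MgmtFrame` record, the sample addresses and the window, threshold and tolerance values are all assumptions that a WIPS operator would calibrate for their own environment.

```python
"""Detect deauthentication/disassociation floods and spoofed-sender anomalies
in a log of 802.11 management frames.

Added example, not code from the original page. The frame records below are
constructed, and the window/threshold/tolerance values are assumed tuning
parameters.
"""
from collections import defaultdict
from dataclasses import dataclass

# 802.11 management frame (type 0) subtypes used here
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
DISCONNECT_SUBTYPES = {SUBTYPE_DISASSOC, SUBTYPE_DEAUTH}
SEQ_MODULUS = 4096  # the sequence-control field carries a 12-bit sequence number


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture time in seconds
    subtype: int   # management subtype
    bssid: str
    sa: str        # source address claimed in the header (spoofable)
    da: str        # destination address
    seq: int       # sequence number


def detect_disconnect_flood(frames, window=1.0, threshold=10):
    """Per BSSID, find the largest number of deauth/disassoc frames seen in any
    sliding `window` seconds and report BSSIDs where it exceeds `threshold`.
    The sender address is spoofable, so the rate is the observable here, not
    who sent the frames."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype in DISCONNECT_SUBTYPES:
            by_bssid[f.bssid].append(f.ts)
    alerts = []
    for bssid, times in by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append((bssid, peak))
    return alerts


def sequence_anomalies(frames, tolerance=64):
    """Flag frames whose sequence number jumps by more than `tolerance` relative
    to the previous frame seen from the same source address. A forger reusing
    an AP's MAC cannot easily keep its counter in step with the real AP, so
    spoofed frames stand out against the AP's own beacons."""
    last_seq = {}
    anomalies = []
    for f in sorted(frames, key=lambda x: x.ts):
        prev = last_seq.get(f.sa)
        if prev is not None:
            gap = (f.seq - prev) % SEQ_MODULUS  # backward jumps wrap to large gaps
            if gap > tolerance:
                anomalies.append(f)
        last_seq[f.sa] = f.seq
    return anomalies


def build_sample_frames():
    """Constructed capture: an AP beaconing normally, then a burst of broadcast
    deauthentication frames carrying the AP's address as sender."""
    ap = "00:11:22:33:44:55"
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [MgmtFrame(0.1 * i, SUBTYPE_BEACON, ap, ap, bcast, 100 + i) for i in range(10)]
    frames += [MgmtFrame(1.0 + 0.02 * i, SUBTYPE_DEAUTH, ap, ap, bcast, 3000 + i) for i in range(20)]
    return frames


if __name__ == "__main__":
    sample = build_sample_frames()
    print("flood alerts:", detect_disconnect_flood(sample))
    for f in sequence_anomalies(sample):
        print(f"seq anomaly at t={f.ts:.2f}s from {f.sa}: seq {f.seq}")
```

In the constructed capture the burst of 20 deauthentication frames within 0.4 s trips the rate check, and the first forged frame is flagged because its sequence number (3000) does not follow the AP's beacon counter (last seen 109). Retransmitted frames legitimately repeat a sequence number, so a production tracker would also consult the retry flag before flagging a zero gap.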
In broadcast environments such as WiFi or Ethernet, MAC addresses are used to uniquely identify devices sharing the medium and to deliver frames addressed to them. In MAC spoofing, a user alters the MAC address of a device to falsely pose as another device. A malicious user may spoof a MAC address to hide the identity of the attacking device, to use the identity of an authenticated legitimate device to enter a network, to bypass access control lists, and to stealthily launch attacks. In wireless LANs, the MAC address of either an AP or a client device can be spoofed.
Wi-Phishing is an attack where a malicious user sets up a fake WLAN with a commonly used service set identifier (SSID) and lures clients to connect to the WLAN. Clients probing for these common, vulnerable SSIDs are most likely victims of Wi-Phishing as they automatically connect to the fake WLAN.
A Rogue AP is a non-authorized AP connected to an organization’s wired LAN. A rogue AP could be placed maliciously or could be connected inadvertently by employees for wireless access. It is a major threat to network security as it could serve as a wireless backdoor to the private network to which it is connected.
WiFi networks are everywhere. The plug-and-play nature of WiFi allows users to quickly install and use these networks independently, without understanding the associated risks. Poor wireless practices open backdoors to private networks and data. Laptops and handhelds could also be hacked when users access wireless networks while travelling, potentially compromising the security of the wired networks to which these devices later attach.
It’s a myth that MAC filtering provides any security. Bypassing MAC filtering is easy. Freely available software tools can be used to sniff the MAC addresses being used by devices in the vicinity. MAC spoofing is one of the easiest attacks to launch, and filtering MAC addresses does not provide any security for your wireless LAN. MAC filtering is not only ineffective, but it is also cumbersome to maintain for a reasonably sized wireless LAN.
No. It is a common misconception that turning off SSID broadcast on an AP prevents unauthorized users from discovering the AP. Freely available software tools actively probe for APs and discover those that respond to these null probes. Passive sniffing of wireless traffic can also allow hackers to discover wireless APs in the vicinity. Turning off SSID broadcast is not only ineffective, but it in fact leads to another severe vulnerability. Authorized clients that usually connect to enterprise APs probe for the hidden SSID. A hacker can sniff this information and use it to launch a honeypot attack.
Even if you have not deployed an official WLAN, your employees may connect rogue APs to your network, or use their laptops to connect to external APs, potentially opening wireless backdoors to your private wired network. Even a single wireless device on your premises, let alone a wireless LAN, can open a wireless backdoor to your corporate backbone network.
Non-wireless security solutions such as firewalls and intrusion detection systems operate at layer 3 (i.e., the network layer) and above. Wireless devices present a potential entry point into the wired LAN at layers 1 and 2 (i.e., the physical and link layers), circumventing all wired security measures. The invisible radio waves used for transmission make the traditional "harden-the-network-perimeter" security approach obsolete. Radio waves often spill beyond the confines of a building. Malicious hackers in the airspace can use these waves to enter your network and steal sensitive data.
IEEE 802.11n is touted as the next-generation wireless LAN standard. Not yet a ratified standard, this emerging technology is creating a lot of buzz, with WiFi-certified pre-standard (draft 2.0 based) equipment already in the market. The excitement is driven by the promise of longer range and a ten-fold increase in data transmission rate compared to its predecessors 802.11a and g.
IEEE 802.11n brings many new features at both the physical (PHY) and medium access control (MAC) layers to deliver these performance gains. At the PHY, it uses multiple-input-multiple-output (MIMO) technology incorporating multiple transceiver chains. MIMO enables spatial diversity and spatial multiplexing, which increase the range and the data transmission rate, respectively. In addition, 802.11n allows the use of wider 40 MHz channels to double the bandwidth compared to legacy 20 MHz operation. At the MAC layer, it uses frame aggregation and block acknowledgements to improve throughput efficiency.
802.11n can operate in both the 2.4 GHz and 5 GHz bands.
The 802.11n draft standard defines a mixed-mode operation that is backward compatible with the legacy 802.11a/b/g protocols. So, you can use legacy clients with 802.11n APs and vice versa.
IEEE 802.11i is the amendment to the IEEE 802.11 standard specifying security mechanisms for WiFi networks. With this amendment, legacy Wired Equivalent Privacy (WEP) has been replaced with a stronger encryption technique. WPA2 (WiFi Protected Access 2) is the WiFi-certified implementation of 802.11i.
802.11w is the Protected Management Frames amendment to the IEEE 802.11 standard. 802.11w extends 802.11i encryption to management frames, protecting WiFi networks from some types of DoS attacks.
IEEE 802.11i encryption requires special hardware, i.e., earlier platforms cannot be upgraded to 802.11i by software patch.
The C-75 is fully functional using 802.3af power. So there is no need to upgrade to PoE+.
The 802.11ac C-75 is able to detect and neutralize threats sourced by legacy (802.11a/b/g), 802.11n and 802.11ac devices. If C-75s are deployed, you have a comprehensive WIPS solution that can handle threats from all types of 802.11 devices.
The Café Latte attack debunks the age-old myth that to crack WEP, the attacker needs to be in the RF vicinity of the authorized network, with at least one functional AP up and running. We demonstrate that it is possible to retrieve the key from an isolated Client - the Client can be on the Moon! - using a new technique called "AP-less WEP Cracking". With this discovery Pen-testers will realize that a hacker no longer needs to drive up to a parking lot to crack WEP. Corporations still stuck with using WEP will realize that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or is catching some sleep in a hotel room. Interestingly, Café Latte also has a great impact on the way Honey-pots work today and takes them to the next level of sophistication. At its core, the attack uses various behavioral characteristics of the Windows Wireless stack along with already known flaws in WEP to pull off this feat! We have considered all combinations of network configurations and shown how it is possible to retrieve the WEP key in a matter of less than 6 minutes in each case. We exploit the shared key authentication flaw and the message modification flaw in 802.11 WEP to send a flood of encrypted ARP requests to the isolated Client. The Client replies to these requests with a barrage of encrypted ARP responses. We use these ARP responses and plug them into the PTW cryptographic attack and recover the WEP key in less than 6 minutes. It is important to note that though our talk will center on wireless Clients which run a Windows operating system, the core idea presented can be easily used to find similar attacks for other operating systems.
WiFi Protected Access (WPA) was introduced as a replacement for WEP around 2003. By 2003, WEP was completely broken, which had a stifling effect on WLAN adoption. It was because of a timely effort on the part of the WiFi Alliance that WPA became available to replace WEP as a better security framework for WLANs. WPA is a security framework whose: (a) encryption component is called Temporal Key Integrity Protocol (TKIP), and (b) authentication component can be either Pre-Shared Key (PSK) -- designed for home users -- or RADIUS (based on 802.1x) -- designed for enterprise usage. An important property of WPA, besides better security, was that WEP devices could be software/firmware upgraded to WPA. That is, they did not require a hardware upgrade. Since its introduction in 2003, WPA has served the purpose it was designed for very well, and no vulnerabilities/exploits were discovered targeting enterprise WPA over the last 5 years. Many organizations today have migrated to WPA as their wireless security framework. However, WPA’s stature as a secure protocol was recently challenged (in November 2008) for the first time. TKIP, an essential encryption component of WPA, which was heralded for years as the replacement for the broken WEP encryption, was shown to be vulnerable to a packet injection exploit.
"Hole196" is a vulnerability in the WPA2 security protocol exposing WPA2-secured Wi-Fi networks to insider attacks. AirTight Networks uncovered a weakness in the WPA2 protocol, which was documented but buried on the last line on page 196 of the 1232-page IEEE 802.11 Standard (Revision, 2007). Thus, the moniker "Hole196". Central to this vulnerability is the group temporal key (GTK) that is shared among all authorized clients in a WPA2 network. In the standard behavior, only an AP is supposed to transmit group-addressed data traffic encrypted using the GTK and clients are supposed to decrypt that traffic using the GTK. However, nothing in the standard stops a malicious authorized client from injecting spoofed GTK-encrypted packets! Exploiting the vulnerability, an insider (authorized user) can sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those devices. In short, this vulnerability means that inter-user data privacy among authorized users is inherently absent over the air in a WPA2-secured network.
To exploit Hole196, a malicious user needs to know the group key (GTK) shared by the authorized users in that Wi-Fi network. So only an insider (authorized user) of a WPA2 network, having access to the GTK can exploit this vulnerability.
Extensive survey reports consistently show that insider attacks are the most common and costliest threat to enterprise data and network security. If your organization is sensitive about insider threats and you are already taking steps to mitigate insider attacks on the wired network, then the Hole196 vulnerability is significant, as it enables one of the stealthiest insider attacks known, one that can lead to leakage of sensitive data (e.g., intellectual property, trade secrets, financial information), espionage, unauthorized access to IT resources, identity theft, etc.
No! Exploiting the Hole196 vulnerability does not involve cracking the encryption key. This is an attack on neither the AES encryption nor the 802.1x (or PSK) authentication.
No! The malicious insider does not gain access to the private keys (PTKs) of other authorized Wi-Fi users in the WPA2 network.
Our findings show that an insider could exploit Hole196 in three ways: (1) for ARP poisoning and man-in-the-middle attack; (2) for injecting malicious code onto other authorized Wi-Fi devices; and (3) for launching a denial-of-service (DoS) attack without using disconnection frames. In a WPA2 network, a malicious insider broadcasts fake packets (with the AP's MAC address as the transmitter's address) encrypted using the shared group key (GTK) directly to other authorized Wi-Fi clients in the network. One example of an exploit that can be launched using GTK is the classic ARP poisoning (man-in-the-middle) attack (demonstrated at Black Hat Arsenal 2010 and Defcon18). In the ARP poisoning exploit, the insider can include for instance an ARP Request message inside the GTK-encrypted packet. The ARP Request has the IP address of the actual gateway, but the MAC address of the attacker's machine. All clients that receive this message will update their ARP table - mapping the attacker's MAC address with the gateway's IP address. All "poisoned" Wi-Fi clients will send all their traffic, encrypted with their respective private keys (PTKs), to the AP, but with the attacker's MAC address as the destination. The AP will decrypt the traffic and forward it to the attacker, now encrypting it using the attacker's PTK. Because all traffic reaching the attacker (from the AP) is encrypted with the attacker's PTK, the attacker can decrypt the traffic (including login credentials, emails and other sensitive data). The attacker can then choose to forward the traffic to the actual gateway of the network, so that the victim Wi-Fi clients do not see any abnormal behavior and continue their communication.
ARP Spoofing (and man-in-the-middle) is a classic attack in both wired and Wi-Fi networks. However, in this old way of launching the attack, the AP forwards the spoofed ARP messages on the wireless as well as the wired network. The messages that go on the wire are in the clear (unencrypted). Wired network security has evolved over the years to the point that wired IDS/IPS and even some network switches can readily catch and block this attack on the wire today. The subtle point (that many people seem to miss) about exploiting the GTK in WPA2 for launching an ARP Spoofing attack is that the footprint of the attack is only in the air and the payload is encrypted. So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs see anything abnormal. And note that ARP spoofing is just one example of an exploit over this vulnerability. More sophisticated attacks are possible.
Unlike the WPA-TKIP vulnerability (announced in November 2008) that was largely of theoretical interest, the Hole196 vulnerability can be practically exploited using existing open source software such as the madwifi driver and wpa_supplicant, and adding ten lines of code. The man-in-the-middle attack using ARP spoofing was demonstrated at Black Hat Arsenal 2010 and Defcon18. Other attacks such as port scanning, exploiting OS and application vulnerabilities, malware injection, DNS manipulation, denial of service, etc. are possible by misusing the GTK.
Yes! Hole196 is a fundamental vulnerability in the protocol design. All Wi-Fi networks using WPA or WPA2, regardless of the authentication (PSK or 802.1x) and encryption (AES) they use, are vulnerable.
This vulnerability is fundamental to the WPA/WPA2 protocol design. So as long as a WLAN architecture (stand-alone AP or controller based) is following the standard, it is vulnerable to Hole196.
Unlike in the case of earlier vulnerabilities in Wi-Fi encryption and authentication protocols, there is no immediate fallback in the 802.11 standard that can be used to fix or circumvent this vulnerability.
Client isolation is not part of the 802.11 standard, but a proprietary feature that is available on some APs and WLAN controllers. The implementation of the feature is likely to vary from vendor to vendor. Turning ON the Client isolation (or PSPF) feature on an AP or WLAN controller can prevent two Wi-Fi clients associated with an AP from communicating with each other via the AP. This means that while a malicious insider can continue to send spoofed GTK-encrypted packets directly to other clients in the network, the data traffic from the victim clients will not be forwarded by the AP to the attacker's Wi-Fi device. However, an attacker can bypass the Wi-Fi client isolation feature by setting up a fake gateway on the wired network, poisoning the ARP cache on authorized Wi-Fi devices using the GTK, and redirecting all data traffic to the fake gateway instead of directly to his Wi-Fi device. Plus, other attacks such as malware injection, port scanning, denial of service, etc. are still possible using only the first step (sending GTK-encrypted packets).
Software (such as Snort or DecaffeinatID) can be installed on some Windows and Linux laptops to detect ARP poisoning, though it's not practical to manually install software on a large number of endpoints. Further, the software is not supported on most endpoints (e.g., iPhones, iPads, Blackberry, Windows Mobile, Windows 7, etc.), which will continue to be at risk from the WPA2 Hole196 vulnerability. Besides, those software tools cannot stop a malicious insider from launching other Hole196-based attacks such as malware injection, port scanning, denial of service, etc.
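The endpoint tools mentioned above work by watching ARP traffic for the gateway's IP-to-MAC mapping changing under them. The following added example (not code from the original page or from any of the products named) models that check over a constructed trace: it learns mappings from the sender fields of both requests and replies (the Hole196 description above notes that clients update their tables from an ARP Request), pins the gateway mapping once learned, and also flags unsolicited replies and a single MAC claiming several IPs. The `ArpPacket` record, the addresses and the alert names are all assumptions made for the example.

```python
"""Endpoint-side ARP poisoning monitor.

Added example, not from the original page or any named product. It models the
kind of check an endpoint tool performs: remember which MAC the gateway IP was
learned with and alert when ARP traffic tries to change it. The ARP records
and addresses below are constructed.
"""
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


@dataclass(frozen=True)
class ArpPacket:
    ts: float
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class ArpWatch:
    our_mac: str
    gateway_ip: str
    table: dict = field(default_factory=dict)   # ip -> mac learned from ARP traffic
    pending: set = field(default_factory=set)   # IPs we have sent requests for
    alerts: list = field(default_factory=list)  # (ts, kind, detail)

    def observe(self, pkt: ArpPacket):
        if pkt.op not in (ARP_REQUEST, ARP_REPLY):
            return
        if pkt.sender_mac == self.our_mac:
            if pkt.op == ARP_REQUEST:
                self.pending.add(pkt.target_ip)
            return
        # A reply addressed to us that we never asked for is a classic poisoning sign.
        if pkt.op == ARP_REPLY and pkt.target_mac == self.our_mac:
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            else:
                self.alerts.append((pkt.ts, "unsolicited-reply",
                                    f"{pkt.sender_ip} is-at {pkt.sender_mac}"))
        # One MAC claiming several IPs (its own plus the gateway's) is another sign.
        also = sorted(ip for ip, mac in self.table.items()
                      if mac == pkt.sender_mac and ip != pkt.sender_ip)
        if also:
            self.alerts.append((pkt.ts, "mac-claims-multiple-ips",
                                f"{pkt.sender_mac} also maps {also}"))
        # Stacks may update their cache from the sender fields of requests as well
        # as replies, so compare both kinds against what we already learned.
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            if pkt.sender_ip == self.gateway_ip:
                self.alerts.append((pkt.ts, "gateway-mac-changed",
                                    f"{known} -> {pkt.sender_mac}"))
                return  # keep the original gateway mapping pinned
            self.alerts.append((pkt.ts, "mapping-changed",
                                f"{pkt.sender_ip}: {known} -> {pkt.sender_mac}"))
        self.table[pkt.sender_ip] = pkt.sender_mac


def run_sample():
    """Constructed trace: normal gateway resolution, an insider's own request,
    then poisoning via a request (as described for Hole196) and a gratuitous reply."""
    us, gw, insider = "aa:aa:aa:aa:aa:01", "00:00:5e:00:01:01", "aa:aa:aa:aa:aa:99"
    w = ArpWatch(our_mac=us, gateway_ip="10.0.0.1")
    trace = [
        ArpPacket(0.0, ARP_REQUEST, "10.0.0.20", us, "10.0.0.1", ZERO_MAC),
        ArpPacket(0.1, ARP_REPLY, "10.0.0.1", gw, "10.0.0.20", us),
        ArpPacket(5.0, ARP_REQUEST, "10.0.0.50", insider, "10.0.0.30", ZERO_MAC),
        ArpPacket(9.0, ARP_REQUEST, "10.0.0.1", insider, "10.0.0.20", ZERO_MAC),
        ArpPacket(9.1, ARP_REPLY, "10.0.0.1", insider, "10.0.0.20", us),
    ]
    for pkt in trace:
        w.observe(pkt)
    return w


if __name__ == "__main__":
    watcher = run_sample()
    for ts, kind, detail in watcher.alerts:
        print(f"t={ts:4.1f} {kind}: {detail}")
    print("gateway still mapped to", watcher.table["10.0.0.1"])
```

The pinned gateway mapping is what keeps the monitor itself from being poisoned; legitimate changes (a gateway NIC replacement) then show up as a persistent alert rather than a silent update, which is the right failure mode for a security control.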
The footprint of WPA2 Hole196 based insider attacks is limited to the air, making them among the stealthiest of insider attacks known. As a result, no wireline security solution (wired IDS/IPS, firewall, or switch-based ARP Poisoning detection) can detect these attacks.
Hole196 is yet another example of a wireless vulnerability that calls for a multi-layered wireless security approach. A wireless intrusion prevention system (WIPS) can detect attacks based on Hole196 and provide that additional layer of security to comprehensively protect enterprise networks from wireless threats such as rogue APs, misbehavior of Wi-Fi clients, misconfigurations in your WLAN infrastructure, and vulnerabilities in the Wi-Fi security protocols.
The WLAN AP vendors can circumvent the Hole196 vulnerability by stopping the use of a shared group key (GTK). In most controller-based WLAN architectures today, it is possible to turn OFF broadcast traffic transmission from the APs over the air and instead use the WLAN controller as the ARP proxy. In other words, in this configuration, the GTK does not get used. But according to the current WPA2 protocol standard, a GTK needs to be assigned by the AP to each client during the association (four-way handshake) process. AP vendors can implement a patch to their AP software to assign a unique, randomly generated GTK to each client instead of sharing the same GTK among all clients. Using unique GTKs will neutralize the Hole196 vulnerability and still allow interoperability (backward compatibility) with all standard Wi-Fi client devices. And there will be minimal cost associated with this change in terms of reduced data throughput. In the absence of an ARP proxy, an AP could send broadcast traffic over the air as unicast to individual clients, though this will potentially result in degradation of the WLAN data throughput depending on the amount of broadcast traffic. In the long term, this approach of deprecating the use of a shared GTK could be adopted in the IEEE 802.11 standard and only the PTK could be used.
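The mitigation described above rests on a single property: a group frame protected under a key that every client holds verifies at every client, whereas a frame protected under a key that only one client holds verifies only there. The following added example (not code from the original page or from any AP vendor) models that property. Real WPA2 protects group frames with CCMP (AES); here an HMAC tag stands in for that protection so the key-distribution behaviour can be shown with the standard library alone. The `AccessPoint` class, client names and frame payloads are constructed for the example; the per-client copy count it returns illustrates the throughput cost the text mentions.

```python
"""Toy model of a shared GTK versus a GTK unique to each client.

Added example, not code from the original page or any AP vendor. An HMAC tag
stands in for CCMP protection of group frames; only the key-sharing property
is modelled. Client names and payloads are constructed.
"""
import hashlib
import hmac
import os

TAG_LEN = 32


def protect(key: bytes, frame: bytes) -> bytes:
    """Stand-in for protecting a group frame under a GTK."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def verify(key: bytes, protected: bytes):
    """Return the frame if it verifies under `key`, else None (receiver drops it)."""
    frame, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    return frame if hmac.compare_digest(tag, expected) else None


class AccessPoint:
    def __init__(self, per_client_gtk: bool):
        self.per_client_gtk = per_client_gtk
        self.shared_gtk = os.urandom(16)
        self.gtks = {}  # client -> GTK handed out during the four-way handshake

    def associate(self, client: str) -> bytes:
        gtk = os.urandom(16) if self.per_client_gtk else self.shared_gtk
        self.gtks[client] = gtk
        return gtk

    def broadcast(self, frame: bytes):
        """Return (recipient, protected_frame) pairs. With a shared GTK one group
        frame reaches everyone; with unique GTKs the AP must send one copy per
        client, which is the throughput cost of the mitigation."""
        if self.per_client_gtk:
            return [(c, protect(k, frame)) for c, k in self.gtks.items()]
        return [(None, protect(self.shared_gtk, frame))]


def deliver(copies, clients):
    """Fan a broadcast out to the clients each copy is addressed to."""
    for recipient, protected in copies:
        for c in clients:
            if recipient is None or recipient == c:
                yield c, protected


def simulate(per_client_gtk: bool):
    """Returns (AP broadcasts verify at all clients,
                honest clients that accept an insider's forged group frame,
                number of copies the AP had to transmit)."""
    ap = AccessPoint(per_client_gtk)
    clients = ["alice", "bob", "insider"]
    gtk_of = {c: ap.associate(c) for c in clients}

    copies = ap.broadcast(b"who-has 10.0.0.1 (constructed ARP payload)")
    ap_ok = all(verify(gtk_of[c], p) is not None for c, p in deliver(copies, clients))

    # The insider protects a frame with the GTK it legitimately received.
    forged = protect(gtk_of["insider"], b"constructed group frame")
    accepting = [c for c in ("alice", "bob") if verify(gtk_of[c], forged) is not None]
    return ap_ok, accepting, len(copies)


if __name__ == "__main__":
    print("shared GTK     :", simulate(per_client_gtk=False))  # (True, ['alice', 'bob'], 1)
    print("per-client GTK :", simulate(per_client_gtk=True))   # (True, [], 3)
```

With a shared GTK the AP's broadcast and the insider's forged frame are indistinguishable to alice and bob, because both verify under the one key they hold; with per-client GTKs the AP's frames still verify everywhere, the forged frame verifies nowhere but at the insider, and the AP transmits one copy per associated client instead of one frame.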