Bogus 802.11i Hack

The other day my boss forwarded me a link to an eWeek article entitled “WLAN’s Exposed by Hack”.

We’ve just recently deployed a secure wireless infrastructure (using 802.1X) with the intent of upgrading to 802.11i when 802.11i supplicants start to become available. So of course I was concerned to hear there might be a “hack” for 802.11i security.

Unfortunately, the supposed “hack” was more hype than hack. The article started out promising:

A wireless LAN hardware company is set to publicize a RADIUS server security hack that can thwart the recently ratified 802.11i protocol and any WLAN infrastructure that keeps encryption keys housed in access points rather than on a central switch.

Aruba Wireless Networks Inc. will bring its findings to the Internet Engineering Task Force meeting in San Diego next week, said Aruba officials.

Aruba stands to benefit from the vulnerability report because it develops wireless hardware that keeps encryption centralized on the switch rather than on access points, but officials said the vulnerability is critical for IT managers who think the new protocol will keep their WLANs secure all by itself.

Unfortunately, things went downhill quickly from there. The first sign of trouble is this sentence: “The attack needs access to a company’s internal network”. What? The attacker already has access to your internal network? Sounds like wireless security isn’t your biggest concern….

But wait! It gets worse!

The attack needs access to a company’s internal network, to which a cracker would attach a rogue access point, perform ARP (Address Resolution Protocol) poisoning to sniff the traffic between the access point and the gateway, then send a deauthentication packet to a client. When the client reauthenticates, the access point sends a request to the RADIUS (Remote Authentication Dial-In User Service) server, which accepts the user and passes the encrypted keys to the access point. To get the RADIUS server’s shared secret, a hacker can perform an offline dictionary attack on the server, using a tool such as Cain and Abel, according to Aruba officials.

It sounds like Aruba went *way* off the deep end trying to claim that their product solves a pseudo “vulnerability” that nobody else does, and unfortunately the reporters at eWeek seem to have uncritically accepted this steaming load of FUD. This reflects rather poorly on eWeek’s reliability, as anyone spending more than a moment’s thought on Aruba’s claim will notice the following two glaring errors:

1) Despite being publicized as an “802.11i” weakness, this really has nothing to do with the 802.11i protocol. It’s a RADIUS weakness that’s been known for almost as long as RADIUS has existed. Strong shared secrets and authentication retry limits on the RADIUS server can be used to effectively mitigate this issue and have been used for many years.

2) If you’ve got a hostile who’s already connected to your internal network, is running a sniffer, using an offline dictionary tool against the traffic he/she has sniffed, and is using ARP poisoning to impersonate critical network devices/servers, then I don’t think you OR the attacker are going to be very concerned about your wireless infrastructure. Particularly since it’s standard practice to rotate the wireless encryption keys, so the keys the attacker sniffed will only be good for a limited time.
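The mitigation named in point 1, strong RADIUS shared secrets, can be checked mechanically. The following is an added example, not part of the original post: it audits a FreeRADIUS-style clients.conf for secrets that are shorter than the 16 octets RFC 2865 prefers, appear in a wordlist, or are reused across access points. The sample file, client names, secrets and the tiny wordlist are constructed for illustration.

```python
import re

# Constructed sample in FreeRADIUS clients.conf style; the client names and
# secrets are made up for this example (testing123 is the well-known default).
SAMPLE_CLIENTS_CONF = """
client ap-lobby {
    secret = testing123
}
client ap-floor2 {
    secret = Hd5rW0pZx3Uj8Kb1Ns6Tq9Ye
}
client ap-floor3 {
    secret = q7Vx2LmR9tKe4WzA8hNc3YpB
}
client ap-lab {
    secret = q7Vx2LmR9tKe4WzA8hNc3YpB
}
"""

# Tiny stand-in wordlist (assumption); a real audit would load a large one.
COMMON = {"testing123", "radius", "secret", "password", "summer2004"}
MIN_OCTETS = 16  # RFC 2865 prefers secrets of at least 16 octets

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return {client_name: secret} for each client block that sets a secret."""
    out = {}
    for name, body in CLIENT_RE.findall(text):
        m = SECRET_RE.search(body)
        if m:
            out[name] = m.group(1).strip('"')
    return out

def audit(text):
    """Return {client_name: [findings]}; an empty list means nothing flagged."""
    clients = parse_clients(text)
    secrets = list(clients.values())
    report = {}
    for name, s in clients.items():
        checks = {
            "short": len(s.encode()) < MIN_OCTETS,   # too few octets
            "dictionary": s.lower() in COMMON,       # guessable offline
            "reused": secrets.count(s) > 1,          # one leak exposes several APs
        }
        report[name] = [k for k, bad in checks.items() if bad]
    return report
```

Calling `audit(SAMPLE_CLIENTS_CONF)` flags `ap-lobby` as short and in the wordlist, and `ap-floor3` and `ap-lab` as sharing one secret.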

This isn’t really a vulnerability. This is negative vendor hype at its worst. Aruba should be ashamed of themselves for stooping to such blatant fear mongering. And eWeek should be ashamed for blindly and unquestioningly accepting Aruba’s dubious information.
