Forum

OK, this one's been on the radar all week, from [url=http://blog.aerohive.com/blog/?p=342]Devinator's blog[/url] to dozens of others. [url=http://www.airtightnetworks.com/WPA2-Hole196]AirTight is demonstrating the vulnerability at BlackHat[/url].

Just now, Aruba Networks says it just ain't so:

[quote]Hole 196 WPA2 attack nothing but a publicity stunt - read why at #AirHeads On-Line. http://bit.ly/aDtBfV #ArubaNetworks #FB[/quote]

Talk amongst yourselves.

My understanding so far is that the attacker is inside the network authenticated etc and takes advantage of the GTK, the vulnerability does not exist in 802.1x so is only possible with WPA/WPA2.

If an organisation is only running this as their core WLAN security then I am sure there are easier attack vectors as they are a user not an intruder as it were.

However its in vogue as its wireless to comment on this. Any wireless vulnerability is news.

Also if one of your users is doing this I would give them a job.

As described in Aruba's articles, actually Hole196 is MiTM attack with legitime AP as MiTM attack central point and possibility of simple attack prevention, is "isolate clients between SSIDs and within SSID".

Our wlan with Cisco WAP4410N APs has such feature Enabled from pilot-project phase already. Older APs without such feature will be under attack hammer form insiders.

Vertigo

Pete,

802.1X is part of the WPA/WPA2 cert so yes, 802.1X is included.

GT

Thats where it all gets very confusing as I don't believe that is the case. 802.1x is a framework for want of a better term that uses various mechanisms. It can also WPA and WPA2 can also use 802.1x as part of it mechanisms in enterprise but not personal.

So which is a part of which or do we have standards within standards.

I dont believe its as simple as saying 802.1x is a part of WPA2.

From what I have seen the attack is only on WPA/WPA2 personal?

Have to read more over the weekend!

802.1X and PSK are two ways to reach the same goal when it comes to encryption keys. Once an AES or TKIP key is created, and the subsequent PTK and GTK are bound to the device, it doesn't matter which authentication type got them there.

I've never thought about it, but if you did a packet analysis of an AES frame you couldn't tell if it was keyed with WPA-PSK or 802.1X.

GT

It does seem to be a rather meaningless exploit, giving that arp poising has always been possible on a wired network. I think if I had authenticated access to the network they'd be more interesting/destructive things to do than try and get a few wireless client to forward their data to me.

More musings

http://arstechnica.com/business/news/2010/07/wifi-hole196-major-exploit-or-much-ado-about-little.ars/

http://s2n.merunetworks.com/2010/07/hole-196-hey-microcell-the-wheels-are-coming-off/

Dave

Some info for those unfamiliar with ARP poisoning:

http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.harmonysecurity.com/files/HS-P004_ARPPoisoning.pdf

Dave

After reading AirTight "WPA2 (Too) Hole196" presentation I conclude that "Client Isolation(within SSID)/PSPF" protect only against MiTM attack using ARP poisoning, but doesn't protect against:
1. Eavesdropping with forged gateway(wired)
2. Port scanning
3. Malware injection in L3
4. Wireless DoS
All of them are using GTK-encrypted broadcast packets.
IPSec VPN solutions, as example CheckPoint SecureClient Desktop Security with centrally managed IPS, help to protect against 1-3.
Is it worth to deploy WIPS?
=========
Vertigo