Slashdot Mirror
Cisco's LEAP Authentication Cracked
mtrisk writes "Just a day after Cisco released a security warning about its WLSE access point management tool, a tool to crack wi-fi networks using LEAP authentication has been released, reports Wi-Fi Networking News. The tool, called Asleap and developed by Beyond-Security, actively de-authenticates users, sniffs the network when the user re-auntheticates, and performs an offline dictionary attack upon the password."
As a small business, i use a Linksys wireless router. Cisco now owns Linksys. Can anyone alleviate my "phears" and tell me that this vulnerability is more for the hardware found in big companies like Bell Canada, and not my WEP 64 wireless? I'd really appreciate a summary of what all the fuss is about and how it affects people who don't run mega corps. Thanks.
Sure, this is a well done cracking tool, but isn't "cracked" a bit sensationalistic considering it still requires brute forcing the password? The weakness remains the password here, hardly the authentication scheme... good luck dictionary attacking a good password!
Cos the very very large corporation which I very recently used to work for has just rolled out Cisco based wireless across *all* of it's sites worldwide.
Government of the people, by corporate executives, for corporate profits.
It's WHY you really, really ought to have a cryptologist design your subsystems if at all possible. If it's not possible, you need to have them AUDIT it at the very least. Suffice it to say, each and every one of the wireless designs so far seem to be fairly flawed- and I don't believe that a single one was designed by or audited by a competent cryptographer (Someone like Schneier comes immediately to mind- never mind how expensive this sort of person will be for you with the design work or an audit, the embarassment and increased liability for exploits on the system make it far, far more expensive to NOT hire them...).
I'm a fairly competant amateur- I know better than to assume anything I or anyone else that's not an SME produces in this arena is anything but vulnerable until proven otherwise.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This is an offline dictionary attack, not a cryptographic break as has been done to WEP. If you use a strong password (one not in the dictionary), this won't break it. I don't know if preventing offline attacks was a goal of LEAP; if it was, it's fair to describe this as a crack, but if not, this is really just a tool to automate what was already known to be possible.
Yeah it's been a bad week for Cisco but they aren't Microsoft. They won't ignore these problems. You'll see firmware updates to fix the password problem in a week tops (if it isn't already out). I suspect you'll also see an update to address the LEAP issues.
The only reason to buy Cisco after all (in my experience -- I'm sure the detractors will speak up the minute I click post) is for the support.
I recall a strange off the wall problem I had using an ISDN line card in a 2600 series router a couple of years back. The line card wouldn't co-exist nicely with the 56k DSU/CSU line card in the other slot. After a few days the ISDN interface would choke and die and the router would need to be rebooted.
After working with our vendor's (Ingram Micro) Cisco support group and trying about a million different IOS upgrades they referenced us to Cisco -- the Cisco that we didn't even have a support contract with. They actually flew somebody out (we are on the East Coast) to look at the problem and released a specific IOS upgrade to address that issue once they confirmed it.
Do you think Microsoft would do that for the small time Insurance Agency with one large router (and a couple of smaller ones in our remote offices)? A lousy $6,000 router at that (money for us -- pocket change for Cisco). That's support and that's the reason why I will continue to buy Cisco products even if they are insanely overpriced.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Since large businesses use secure VPN over any insecure channel (wireless, internet, dialup, even inside their own wired network) then it will only affect small businesses or those with poor security specialists who try to save money by putting the security into the network infrastructure.
Unfortunately while the firmware may be upgradeable, the cryptographic functions are usually implemented in hardware (better performance) and it may be hard, if not impossible, to secure the authentication so this kind of attack is harder.
What they really should do is have a public/private key for each access point, with the SSID set to the public key. Then any client can transmit to the access point without possibility of eavesdropping. This would be used to set up the secure LEAP session. Since the password is never sent back to the client then it's not going to be breakable by offline brute force attacks.
Of course, in the end anything is breakable given enough time and/or money.
-Adam
Many people here are talking about the length of time it takes to brute the password. I saw a demonstration of the asleap tool about 1/2 a year ago and it took 15 seconds to reveal the password. Something you need to keep in mind is the fact that there is no salt involved in the password hash for LEAP. So a precached hash of the possible passwords is very easy. All you need is lots of disk space and a well written index of the hashes.
There are quite a few others that are saying well thats only if you let your users pick bad passwords... Come on guys, have you actually worked in the real world? Normal users can't remember crazy passwords, they are going to pick their dog and their favorite football player's number put together. Or their aniversary and the current food they are eating.
Keeping a dictionary of enough passwords to get into the network would be trivial. All you need is one user with a weak password to get in, after that who cares how strong the rest are.
A conspiracy theory.
WEP is broken by design. A few engineers who don't know anything about cryptanalysis making their own encryption system that turns out to be broken is quite plausable however wifi standards are set by the IEEE. The IEEE is not stupid.
Was WEP deliberatly broken to make government snooping easier?
That may seem ludicrus now but what if the likes of consume suceed in their goal of building mesh networks across citys? Securing wireless connections at VPN or application level is so much hassle that only 0.01% of users bother.
The reaction of the American government to the new Chinese wifi encryption standard lends weight to this theory. Supporting WAPI just means hardware manufacturers have to write a bit more software. Once it's in the software it will no doubt be supplied as standard worldwide. It may actuall be secure with little work. Why else would the American government threaten retailation over somthing so obscure?
The site which accidently looks a lot like slashdot, focuses on quality security news; no vuln reports people don't care about... all the latest news and white papers.
A cool white paper on utf-8 shellcodes was released on it too.
So NOW I know why everyone's telling me that LEAP is not the end-game, and we need to move to systems based on PEAP (which is supposed to be an open standard, as opposed to LEAP which is proprietary) or some other, even newer variant.
Security protocols are like windows (the physical kind). Once they're broken, duct tape is not the answer.
Yeah it's been a bad week for Cisco but they aren't Microsoft. They won't ignore these problems. You'll see firmware updates to fix the password problem in a week tops (if it isn't already out). I suspect you'll also see an update to address the LEAP issues.
Read the article - the LEAP problem was reported to them in AUGUST 2003.
I agree they are not a Microsoft, and they are generally much more responsive, but how would you feel if you had over the past six months implemented a major, wonderful, well protected Cisco LEAP wireless network? Only to receive the news that "yeah, we kinda knew since August our security sucked" (for the record, I am NOT in that situation, but LEAP was a contender for our upcoming wi-fi implementation).
Honestly, Bruce Schneier was recently saying that it's no longer about the crypto, as anyone can do strong crypto these days. It's about the factors around it, like usernames and passwords, physical security, but most of all, implementation. You'd think that something which was hailed at the time as the solution to the broken WEP protocol would be partially secure... Ugh. Now I'm just ranting.
-Jack Ash
This is yet another example of why you need to hire security programmers with actual experience in the field, not just outsource it to a cheap Indian programming group with no real experience writing robust protocols.
I'm an ex Cisco security programmer, and thats exactally what was happening before I quit. I wish I could say more...
anyone think this is due to outsourcing besides me?
just after cisco started utsourcing, their products have become faulty, sure, the programmers in india are pretty smart, but most are quickly trained amatuers who are usually new to coding secure applications. anyone else think this may be the case?
Maybe people should stop using dictionary words for passwords?
I think of a phrase and take first letter of each word, like
Top of the morning to you ==> totmty
etc..