Vulnerability, Potential Exploit In Cisco WLAN APs

An anonymous reader writes "The AirMagnet Intrusion Research Team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure. The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points. The potential exploit, dubbed SkyJack by AirMagnet, creates a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN."

13 of 35 comments

  1. Unintentionally? by Thanshin · · Score: 2, Interesting

    a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN.

    Unintentionally?

    It's one thing to accept that in the perpetual arms race you'll regularly fall behind and your job is to limit those situations to a manageable minimum. It's a completely different matter when a non-threatening actor may stumble upon a vulnerability.

    "Yes, sir, the bank doors do open automatically when a stray cat passes in front of it at night. You see, cats have precisely the size we didn't account for in our supersecure doors."

    1. Re:Unintentionally? by fuzzyfuzzyfungus · · Score: 3, Insightful

      Given the amount of effort, particularly in consumer computer systems, to make things happen "automagically" (think DHCP, UPnP, zeroconf, autoconnecting to open APs, and the like), it is far from implausible that a system would unintentionally gain access to another system.

      If, say, you have a bog-standard XP laptop, with a BitTorrent client or other UPnP-using application running on it, and you start it up within range of an open AP, you could very well connect to somebody else's network and reconfigure their router all automatically. Never mind what might happen if your box is 0wn3d and full of malware that might attempt to automatically spread to other machines on the network you just joined.

      Technology has its share of "Golly shucks, officer, I dunno how this happened" excuses; but it also has huge amounts of automation going on.

    2. Re:Unintentionally? by Opportunist · · Score: 2, Interesting

      Good arguments.

      Ok, then we should try to work out a way that disallows this. Guess it comes down to good ol' security and lack thereof. Not necessarily on the "culprit"'s side, i.e. the one (or the one's computer, respectively) that trespasses, more on the side of a piece of autoconf'-able hardware that isn't secured properly.

      So who's to blame if something like this happens?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    3. Re:Unintentionally? by fuzzyfuzzyfungus · · Score: 2, Interesting

      I'd make an exception if malign intent could be demonstrated (i.e. deliberately infecting a nasty XP home box with all sorts of horrible stuff, then "innocently" placing it on a private-but-not-all-that-secure network with intent to cause trouble); but I'd generally be very unwilling to blame for hacking anybody who is just using common technology, right out of the box, with an ordinary level of knowledge.

      The only real fix would be better security on the side of the autoconfigurable hardware. Unfortunately, that would likely add either cost or inconvenience, or both, so I'm not sure how to push it. One concrete step, though, that I'd like to see, would be some clever thinking on making devices easier to provision without potentially dangerous trust.

      For instance, in this case, the "over-the-air-configuration" stuff is obviously there for ease and convenience; but introduces security concerns. In a lot of cases, though probably not all, a device is handled at least once before being installed (if only by the guy taking it out of the box). If there were a couple of contacts on the case, containing power and a low-cost bus (I2C, 1-Wire, TTL serial, whatever) and a matching cradle, you could have the installers do an offline key-fill. Have the device ship, unconfigured, such that if it has no prior configuration, it will listen on that bus. Afterwards it no longer will. The installer will pull it out of the box, pop it in the cradle for ten seconds, it'll get the public key of your AP controller over that bus, and will then refuse to take orders from any controller with a different key, and will not listen to that bus in the future.

      Something like that would add only a few cents to manufacturing cost, and a few seconds to install time; but would (barring hideous implementation flaws) allow 95% of the autoconfiguration without the security risks.
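
The cradle key-fill idea in this comment, worked through as an added example (it is not code from the post, from Cisco, or from any shipping product): a hypothetical access point accepts a controller public key over the cradle bus only while unprovisioned, pins it, closes the bus for good, and afterwards verifies every over-the-air command against the pinned key using Ed25519 from Go's standard library. The AccessPoint, Controller and Command types and the signed-payload command format are assumptions made for this example. It also exercises the case the scheme has to get right: a command that claims the pinned key but is signed by someone else.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Each refusal is a distinct error so the scenario shows exactly which rule fired.
var (
	ErrBusClosed       = errors.New("cradle bus closed: device is already provisioned")
	ErrNotProvisioned  = errors.New("no controller key pinned: over-the-air command refused")
	ErrWrongController = errors.New("command comes from a controller other than the pinned one")
	ErrBadSignature    = errors.New("signature does not verify under the pinned controller key")
)

// AccessPoint is a hypothetical model of the device in the post: it takes a
// controller public key over a physical cradle bus only while unconfigured,
// pins that key, and from then on ignores the bus and any other controller.
type AccessPoint struct {
	pinned  ed25519.PublicKey // nil until the offline key-fill
	busOpen bool              // true only before the first successful fill
	applied []string          // payloads of commands that passed every check
}

func NewAccessPoint() *AccessPoint { return &AccessPoint{busOpen: true} }

// CradleFill is the offline key-fill over the cradle contacts: the only way a
// controller key gets into the device, and it works exactly once.
func (ap *AccessPoint) CradleFill(controllerPub ed25519.PublicKey) error {
	if !ap.busOpen {
		return ErrBusClosed
	}
	if len(controllerPub) != ed25519.PublicKeySize {
		return errors.New("malformed controller public key")
	}
	ap.pinned = append(ed25519.PublicKey(nil), controllerPub...) // keep a private copy
	ap.busOpen = false
	return nil
}

// Command is what arrives over the air (assumed format): the sender's claimed
// public key, the configuration payload, and an Ed25519 signature over it.
type Command struct {
	ControllerPub ed25519.PublicKey
	Payload       []byte
	Sig           []byte
}

// HandleCommand applies the pinning rule: no key, no service; wrong key, no
// service; right key but bad signature, no service.
func (ap *AccessPoint) HandleCommand(c Command) error {
	if ap.pinned == nil {
		return ErrNotProvisioned
	}
	if !ap.pinned.Equal(c.ControllerPub) {
		return ErrWrongController
	}
	if !ed25519.Verify(ap.pinned, c.Payload, c.Sig) {
		return ErrBadSignature
	}
	ap.applied = append(ap.applied, string(c.Payload))
	return nil
}

// Applied returns the payloads accepted so far.
func (ap *AccessPoint) Applied() []string { return ap.applied }

// Controller is a hypothetical AP controller holding an Ed25519 key pair.
type Controller struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewController() (*Controller, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Controller{pub: pub, priv: priv}, nil
}

func (c *Controller) PublicKey() ed25519.PublicKey { return c.pub }

// Sign wraps a payload in a signed Command.
func (c *Controller) Sign(payload string) Command {
	return Command{ControllerPub: c.pub, Payload: []byte(payload), Sig: ed25519.Sign(c.priv, []byte(payload))}
}

func main() {
	legit, _ := NewController()
	rogue, _ := NewController()
	ap := NewAccessPoint()

	fmt.Println("before fill:", ap.HandleCommand(legit.Sign("join")))
	fmt.Println("cradle fill:", ap.CradleFill(legit.PublicKey()))
	fmt.Println("second fill:", ap.CradleFill(rogue.PublicKey()))
	fmt.Println("rogue cmd:  ", ap.HandleCommand(rogue.Sign("join")))
	forged := rogue.Sign("join") // claims the pinned key but carries the rogue signature
	forged.ControllerPub = legit.PublicKey()
	fmt.Println("forged cmd: ", ap.HandleCommand(forged))
	fmt.Println("legit cmd:  ", ap.HandleCommand(legit.Sign("set-ssid corp")), ap.Applied())
}
```

Running main prints which rule refused each attempt. The order of checks is deliberate: key identity is compared before any signature is verified, so an unprovisioned device does no signature work for strangers, and a second cradle fill is refused even when it carries the legitimate controller's key, which is what keeps the window for pinning a wrong key as short as the post intends.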

  2. Unintentionally? by Opportunist · · Score: 2, Insightful

    How do you unintentionally gain access to something? How should I picture this? "Gee, officer, I was leaning against this door and then it suddenly opened and I tripped and then I must have stumbled into the jewelry box and all those rings just happened to pour into my pockets, dunno how this happened..."

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  3. Config option, not all that bad by Boetsj · · Score: 4, Interesting

    Apparently you can 'just' disable Over-the-Air-Provisioning (OTAP) to remove the threat, so it's not that big of a deal I'd say.

    1. Re:Config option, not all that bad by jeffmeden · · Score: 3, Insightful

      Not a big deal if (a) you happened to already do this during rollout or (b) you are properly notified about this and config changes are trivial on your network. In cases where you have a very large network and no centralized configuration manager, you will have to sink a lot of time into this 'fix' and that's assuming you don't use OTAP. In the case that you do use OTAP, or in the case that you are too busy to notice this and/or too busy to spend time reconfiguring all the affected devices, then yes, it can be a 'big deal'.

    2. Re:Config option, not all that bad by SlamMan · · Score: 2, Informative

      If you have a very large network and no centralized configuration manager, you're going to have a lot of problems every time any issue comes up that requires a change. Config managers don't have to be complicated or expensive (see RANCID or CatTools), but not having them in place means a lot of needless legwork.

      --
      Mod point free since 2001

    3. Re:Config option, not all that bad by 222 · · Score: 2, Informative

      Look at Kiwi CatTools. It's a couple hundred bucks and supports the management of hundreds of devices via scripted CLI. I use it to manage all of my Cisco devices for config backups, etc. If your org can't spare a couple hundred for this management utility, then you have bigger problems than wifi. Kiwi also does a TON of other neat things, like configuration comparisons side by side.

    4. Re:Config option, not all that bad by cbiltcliffe · · Score: 2, Informative

      Config managers don't have to be complicated or expensive (see RANCID......

      We want......a SHRUBBERY!

      Ni...ni...ni!!!

      (For the mods....RANCID is a tool made by Shrubbery Networks....)

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
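
A fleet-wide check for the mitigation discussed in this subthread (Boetsj's "just disable OTAP" and jeffmeden's and SlamMan's point that doing so at scale needs a config manager), as an added example rather than anything from the thread, from Cisco, or from RANCID/CatTools: given captured `show network summary` output from each controller, it flags the ones where OTAP is still enabled and, separately, the ones where the line could not be found, so an incomplete capture is never mistaken for a disabled setting. The field label it looks for and the sample captures are assumptions made for the example; the exact disable command for your platform and software version belongs to Cisco's documentation, not to this note.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// OTAPState is what the audit concluded for one controller.
type OTAPState int

const (
	OTAPUnknown  OTAPState = iota // the line was missing or unparseable
	OTAPDisabled
	OTAPEnabled
)

func (s OTAPState) String() string {
	switch s {
	case OTAPDisabled:
		return "disabled"
	case OTAPEnabled:
		return "enabled"
	}
	return "unknown"
}

// otapLabel is the assumed field label from `show network summary` output,
// lower-cased; adjust it if your controller prints the field differently.
const otapLabel = "over the air provisioning of ap"

// ParseOTAP scans captured CLI output for the OTAP line and reports its value.
// A missing line yields OTAPUnknown rather than a guess, so a truncated or
// unexpected capture never reads as "safe".
func ParseOTAP(output string) OTAPState {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		if !strings.HasPrefix(line, otapLabel) {
			continue
		}
		// Strip the dotted leader between the label and its value.
		value := strings.TrimLeft(strings.TrimPrefix(line, otapLabel), ". ")
		switch {
		case strings.HasPrefix(value, "enable"):
			return OTAPEnabled
		case strings.HasPrefix(value, "disable"):
			return OTAPDisabled
		}
	}
	return OTAPUnknown
}

// Audit takes controller name -> captured output and returns, sorted, the
// controllers that still have OTAP on and the ones that need a manual look.
func Audit(captures map[string]string) (enabled, unknown []string) {
	for name, out := range captures {
		switch ParseOTAP(out) {
		case OTAPEnabled:
			enabled = append(enabled, name)
		case OTAPUnknown:
			unknown = append(unknown, name)
		}
	}
	sort.Strings(enabled)
	sort.Strings(unknown)
	return enabled, unknown
}

// SampleCaptures is constructed sample data in the shape of `show network
// summary` excerpts; it is not output taken from any real controller.
var SampleCaptures = map[string]string{
	"wlc-hq-1": `RF-Network Name............................. CORP
Over The Air Provisioning of AP............. Disable
AP Fallback ................................ Enable`,
	"wlc-branch-2": `RF-Network Name............................. CORP
Over The Air Provisioning of AP............. Enable
AP Fallback ................................ Enable`,
	"wlc-lab-3": `RF-Network Name............................. LAB
AP Fallback ................................ Disable`, // capture cut short on purpose
}

func main() {
	enabled, unknown := Audit(SampleCaptures)
	for _, n := range enabled {
		fmt.Printf("%s: OTAP %s -> push the disable change through your config manager\n", n, OTAPEnabled)
	}
	for _, n := range unknown {
		fmt.Printf("%s: OTAP %s -> re-capture and check by hand\n", n, OTAPUnknown)
	}
}
```

Feed it whatever your config manager already collects (RANCID and CatTools both keep per-device CLI captures) and run it after every push; the "unknown" list is the one to watch, because a controller that silently drops out of the capture is exactly the one that never got the change.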

  4. Re:The only real security.... by Krneki · · Score: 2, Interesting

    .... Is a wire from the computer to the network.

    There is no such thing as real security, the best you can hope for is secure enough, so no one wants to waste time with you.

    --
    Love many, trust a few, do harm to none.

  5. Re:The only real security.... by Anonymous Coward · · Score: 2, Informative

    O RLY?

    "Power sockets can be used to eavesdrop on what people type on a computer."
    http://news.bbc.co.uk/2/hi/technology/8147534.stm

    In this case the hardwire is the problem.

  6. Re:say that again? by Loconut1389 · · Score: 2, Interesting

    I suppose I should clarify:

    Although the article states, "This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control," most business buildings are both large and concrete; there's a reason you find many access points: it's because the signal doesn't travel well, even from the hall to the back of a hotel room.

    Most people don't carry around running access points, especially Cisco ones, and just happen to have OTAP turned on. It seems pretty unlikely this would happen often or at all in the wild.