Wi-Fi WPA2 Vulnerability Found

← Back to Stories (view on slashdot.org)

Wi-Fi WPA2 Vulnerability Found

Posted by kdawson on Saturday July 24, 2010 @11:43AM from the keep-your-enemies-closer dept.

BobB-nw sends along news based on yet another press release in advance of the Black Hat conference: a claimed vulnerability in WPA2 Enterprise that leaves traffic open to a malicious insider. "...wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available. Malicious insiders can exploit the vulnerability, named 'Hole 196' by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight. 'There's nothing in the standard to upgrade to in order to patch or fix the hole,' says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a 'zero-day vulnerability that creates a window of opportunity' for exploitation." Wi-Fi Net News has some more detail and speculation.

12 of 213 comments (clear)

Min score:

Reason:

Sort:

Not that big a deal... by Denis+Lemire · 2010-07-24 11:59 · Score: 4, Insightful

This vulnerability is only useful if the attacker knows your WPA key. In other related news, it has been discovered that those who know your root password can delete all your files.
1. Re:Not that big a deal... by Denis+Lemire · 2010-07-24 12:22 · Score: 5, Insightful
  
  M'eh, if you have anything sensitive that you're sending over the network it should be sent securely, period. ie) via SSH, HTTPS, etc... Otherwise, you're just doing it wrong.
  Having an additional layer like WPA provided is indeed a nice thing, but this being compromised isn't the end of the world. I'd be far more concerned if there was a vulnerability that allowed someone to bypass WPA all together and connect to a network in which he or she isn't authorized.
  The encryption of the traffic itself really isn't that much of a selling point when it'll continue across the wired network in the clear once it hits the router or switch upstream. Encryption that isn't end-to-end really isn't worth the time spent talking about it.
2. Re:Not that big a deal... by yuhong · 2010-07-24 12:51 · Score: 5, Insightful
  
  Yep, WEP stood for Wired Equivalent Privacy, which was all it and WPA(2) was intended to provide, nothing more.
3. Re:Not that big a deal... by John+Hasler · 2010-07-24 13:25 · Score: 3, Insightful
  
  It's "Wired Equivalent Privacy" only if your idea of "wired privacy" involves dangling a cable out the window down into the alley behind the building.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:so, not a hole by Iwanowitch · 2010-07-24 12:02 · Score: 5, Insightful

Unless the wifi network is at a Starbucks, a university or a corporation.
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.

--
One CS student VS 893 DOS games: Let's play oldies
Re:so, not a hole by Culture20 · 2010-07-24 12:14 · Score: 4, Insightful

That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
How's he do that? Am I relying on WPA2 as my only encryption across the 'net?
Re:so, not a hole by jijacob · 2010-07-24 12:42 · Score: 4, Insightful

ssh -D is just a terminal away.
VPN by Jaime2 · 2010-07-24 13:07 · Score: 5, Insightful

I've been telling people to use VPN over WiFi connections forever. Even better, put your wireless devices on the outside of the firewall, so they have no choice but to VPN in. This also makes giving a random guest access to your wireless no big deal. Any one who thinks wireless networking will ever be safer than an old-fashioned hub is deluding themselves.
Re:so, not a hole by Nyder · 2010-07-24 14:47 · Score: 5, Insightful

Unless the wifi network is at a Starbucks, a university or a corporation.
That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
No, the creepy guy sitting 2 tables from you? he's just viewing porn.
See that nice dressed business woman? She's stealing your data.

--
Be seeing you...
Re:so, not a hole by hitmark · 2010-07-24 20:16 · Score: 3, Insightful

depends on how diligently one checks the certificates.

--
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Re:so, not a hole by Anne+Thwacks · 2010-07-24 21:18 · Score: 3, Insightful

you'll be quite famous.
or assassinated

--
Sent from my ASR33 using ASCII
Re:Discrepancy: Theory vs. Practice by ledow · 2010-07-24 21:59 · Score: 3, Insightful

Because in practice, making sure that there is absolutely no hint of a secure piece of information is incredibly tricky. Most programmers traditionally have little concept of actual *secure* programming. Most implementations of perfectly secure algorithms are subject to flaws because people didn't treat side-cases, or properly analyse how the traffic use would affect the algorithm, etc. e.g. not renegotiating keys often enough, so that people can see enough traffic to decrypt a key in a relatively short space of time.
Additionally, this isn't an attack on the crypto. The crypto secures the conversation, it does not necessarily prove identity and if it does prove identity most places don't care about the identity (how many company distinguish individual users/computers over the wireless network by anything other than MAC/IP/username given? AES is still 100% perfectly intact. If you'd been using, say, OpenVPN or OpenSSH with the same algorithm over an unsecured wireless network, the internal encrypted conversation would still be virtually as secure today as it was when AES was invented. The problem is that the *implementation* of AES wasn't designed to cover the usage scenario here, and probably never could be because of the way the access to this particular tiny piece of this part of the broadcast specification is granted. Basically, the flaw has always been sitting there in WPA, not in AES which is still chugging along nicely doing its job. Shocking that a wireless "encryption" fails to properly implement a security scheme because of a bad implementation that side-steps the actual encryption itself... that's never ever happened before ever anywhere :-P
Moral of the story: only trust crypto from those well-established in the crypto-field that's been attacked and attacked and still is approved for government/military use in lots of sensible countries. And then make sure you have a damn good implementation that's not overly complex, or cast in stone, such that most people can't examine it / play with it / fix it.
If you'd been running OpenVPN over the same wireless network, but using OpenVPN's key infrastructure and encryption instead of WPA or WEP or anything at all (i.e. completely "open" wireless) you would still be secure. A bad implementation of a particular encryption in WPA allows people to bypass steps of the actual encryption process that were never designed to be bypassed. It's almost an "out of band" security vulnerability - i.e. nothing to do with whether you use AES or Blowfish or 3DES or whatever you choose... they basically find a way around the (still theoretically secure) encryption that has no effect on the efficacy of the encryption itself.
Basic rule: Just because your "Ethernet-over-the-mains" devices says it uses AES, don't think that means it's "secure". Chances are that it's not.