Vulnerability, Potential Exploit In Cisco WLAN APs
An anonymous reader writes "The AirMagnet Intrusion Research Team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure. The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points. The potential exploit, dubbed SkyJack by AirMagnet, creates a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN."
say that again? (Score:1)
exploit, unintentionally?
Re: (Score:1)
Hell, remember the old Windows where you could click Cancel to log in?
Re: (Score:2, Interesting)
I suppose I should clarify:
Although the article states, "This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control." Most business buildings are both large and concrete, there's a reason you find many access points, it's because the signal doesn't travel well, even from the hall to the back of a hotel room.
Most people don't carry around running access points, especially Cisco ones, and just happen
Re: (Score:1)
Unintentionally? (Score:3, Interesting)
a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN.
Unintentionally?
It's one thing to accept that in the perpetual arms race you'll regularly fall behind and your job is to limit those situations to a manageable minimum. It's a completely different matter when a non-threatening actor may stumble upon a vulnerability.
"Yes, sir, the bank doors do open automatically when a stray cat passes in front of it at night. You see, cats have precisely the size we didn't account for in our supersecure doors."
Unintentionally? (Score:3, Insightful)
How do you unintentionally gain access to something? How should I picture this? "Gee, officer, I was leaning against this door and then it suddenly opened and I tripped and then I must have stumbled into the jewelry box and all those rings just happened to pour into my pockets, dunno how this happened..."
Re:Unintentionally? (Score:4, Insightful)
If, say, you have a bog standard XP laptop, with a bittorrent client or other uPNP-using application running on it, and you start it up within range of an open AP, you could very well connect to somebody else's network and reconfigure their router all automatically. Never mind what might happen if your box is 0wn3d and full of malware that might attempt to automatically spread to other machines on the network you just joined.
Technology has its share of "Golly shucks, officer, I dunno how this happened" excuses; but it also has huge amounts of automation going on.
Re: (Score:3, Interesting)
Good arguments.
Ok, then we should try to work out a way that disallows this. Guess it comes down to good ol' security and lack thereof. Not necessarily on the "culprit"'s side, i.e. the one (or the one's computer, respectively) that trespasses, more on the side of an autoconf'-able piece of hardware that isn't secured properly.
So who's to blame if something like this happens?
Re: (Score:3, Interesting)
The only real fix would be better security on the side of the autoconfigurable hardware. Unfortunately,
Re: (Score:2)
I'd make it a requirement to connect at least once with a cable to do the initial configuration, where you must enter some sort of passphrase which is then used to authenticate. That way even some permanently broadcasting malware that tries to hijack the WiFi hardware before you could configure it will be locked out. It's not that much of a hassle for the user and the steps required could be put into the manual. Linksys already has those "use this CD before plugging in" steps in its installation routine (ev
Config option, not all that bad (Score:4, Interesting)
Re:Config option, not all that bad (Score:4, Insightful)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Config managers don't have to be complicated or expensive (see RANCID......
We want......a SHRUBBERY!
Ni...ni...ni!!!
(For the mods....RANCID is a tool made by Shrubbery Networks....)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
It should have been selected as OFF by default though...and most will not think to go looking for this vulnerability, if they even know it exists...!
The only real security.... (Score:2)
.... Is a wire from the computer to the network.
Re: (Score:3, Interesting)
.... Is a wire from the computer to the network.
There is no such thing as real security, the best you can hope for is secure enough, so no one wants to waste time with you.
Re: (Score:2)
Bingo.
I'm dealing with this at my work right now. We have WAPs set with WEP all over the place, and yes, I know WEP has been cracked for a while and is trivial to break. However, trying to secure WAPs while the rest of our infrastructure is wide open is as stupid as putting bars and locks on the windows while the doggy door is unsecured.
We're a school district, so I'm not worried about people hacking into the network via WAPs, especially when it would be easier to enter into an unoccupied classroom and plu
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Informative)
O RLY?
"Power sockets can be used to eavesdrop on what people type on a computer."
http://news.bbc.co.uk/2/hi/technology/8147534.stm
In this case the hardwire is the problem.
Not an Exploit, A Slashvertizement (Score:2)
If you actually read the article, you will realize this is a non-issue. Basically, if you install a new, non-provisioned access point, it is vulnerable to being assigned to a fake controller. This won't give access to your network. It will give them control of a rogue AP, but that's about it. There is nothing here you couldn't do if you stuck an AP of your own somewhere nearby. The article gives no method for taking control of an existing provisioned access point, or gaining access to any data on the net
Re: (Score:1)
This is why I disable (Score:2)
OTAP and UPNP from the beginning on any Linksys/Cisco hardware. Personally I see absolutely no reason even in a Home network to enable either of those features for just this possible reason. Sure it's a bit more effort to configure things using a wired connection. The main advantage is I don't have to worry about a badly implemented version of UPNP (lots of apps include it) that can screw MY internet connection up. Hell I don't even want the potential for someone to even use UPNP to configure my router so t
Re: (Score:2)