Wireless networks with open access points have become ubiquitous in the last few years as users have come to expect easy Internet access wherever they are. But as access has become more widely available, the security of wireless networks has not come close to keeping pace, and as two talks at next week’s Black Hat conference will show, some of the same issues that have haunted wireless networks for nearly a decade are still around.
Researchers at Core Security will demonstrate a technique at Black Hat that enables an attacker to force a specific Cisco wireless access point to broadcast packets in WEP mode, even when no WEP clients are present on the network, giving the attacker enough WEP-encrypted traffic to recover the WEP key and access the network. The attack is specifically designed to work against the Cisco Aironet 1200 Series access points and is a twist on existing attacks that have shown WEP to be an eminently defeatable protocol.
The problem arises when the access point is set to WPA migration mode, a setting that lets machines using either WEP or its stronger replacement, WPA, connect to the same wireless network. Using a variety of techniques, the Core researchers, Leandro Meiners and Diego Sor, were able to use a laptop acting as a WEP client to force the Cisco access point to send back enough WEP-encrypted frames that they eventually had enough material to crack the key and access the wireless network.
The researchers said that there is little Cisco can do about the problem, as it’s a function of the WEP protocol and the way that WPA migration mode works.
“It’s a configuration issue, so it’s not something that they can fix,” said Meiners. “Supporting both protocols makes the security as weak as the weakest protocol, so everything falls down. We’ve shown that having WPA migration mode enabled is the same as having WEP enabled. There’s no additional protection.”
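Because migration mode is a configuration choice rather than a bug, the practical check is to find access points that are running it. An AP in migration mode has to keep a WEP group (broadcast) key so that legacy WEP stations can still receive multicast traffic, so the WPA or RSN information element in its beacons advertises a WEP cipher in the group-cipher slot next to a TKIP or CCMP pairwise cipher. The following parser is an added example written for this article (it is not Core Security's code, and the two beacon byte strings are constructed, not captured from a real Aironet); it walks the tagged parameters of a beacon and flags any AP whose advertised group cipher is WEP-40 or WEP-104.

```python
# Added example (not Core Security's code): flag WPA "migration mode" from the
# cipher suites an access point advertises in its beacon. A WEP cipher in the
# group-cipher slot of the WPA or RSN information element means broadcast
# traffic on the network is WEP-protected, which is the material the attack
# described above collects.
import struct

WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the pre-standard WPA IE
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i OUI used by the RSN IE

# Cipher suite selector type -> name (same numbering for both OUIs)
CIPHER_NAMES = {0: "GROUP", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WEP_CIPHERS = {"WEP-40", "WEP-104"}


def _suite_name(suite: bytes) -> str:
    oui, stype = suite[:3], suite[3]
    if oui not in (WPA_OUI, RSN_OUI):
        return f"vendor-{oui.hex()}-{stype}"
    return CIPHER_NAMES.get(stype, f"unknown-{stype}")


def parse_cipher_suites(ie_body: bytes, offset: int):
    """Parse version, group cipher and the pairwise cipher list starting at
    `offset` inside a WPA or RSN IE body. Returns (group, [pairwise...]).
    Raises ValueError on a truncated element rather than guessing."""
    if len(ie_body) < offset + 8:          # version(2) + group(4) + count(2)
        raise ValueError("IE too short for version/group/count")
    version, = struct.unpack_from("<H", ie_body, offset)
    if version != 1:
        raise ValueError(f"unsupported WPA/RSN version {version}")
    group = _suite_name(ie_body[offset + 2:offset + 6])
    count, = struct.unpack_from("<H", ie_body, offset + 6)
    pos = offset + 8
    if len(ie_body) < pos + 4 * count:
        raise ValueError("pairwise suite list truncated")
    pairwise = [_suite_name(ie_body[pos + 4 * i:pos + 4 * i + 4]) for i in range(count)]
    return group, pairwise


def iter_information_elements(ies: bytes):
    """Yield (element_id, body) for the tagged-parameter blob of a beacon."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated trailing element: stop rather than misparse it
        yield eid, body
        pos += 2 + length


def analyze_beacon_ies(ies: bytes) -> dict:
    """Return the advertised security profile and a migration-mode verdict."""
    result = {"wpa": None, "rsn": None, "migration_mode": False}
    for eid, body in iter_information_elements(ies):
        if eid == 0xDD and body[:4] == WPA_OUI + b"\x01":   # vendor IE, WPA type 1
            result["wpa"] = parse_cipher_suites(body, 4)
        elif eid == 0x30:                                    # RSN IE
            result["rsn"] = parse_cipher_suites(body, 0)
    for key in ("wpa", "rsn"):
        profile = result[key]
        if profile and profile[0] in WEP_CIPHERS:
            result["migration_mode"] = True
    return result


def _ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


# Constructed sample beacon tagged parameters (not real captures).
MIGRATION_MODE_BEACON_IES = (
    _ie(0x00, b"migrate")
    + _ie(0xDD, WPA_OUI + b"\x01" + b"\x01\x00"
          + WPA_OUI + b"\x05"                  # group cipher: WEP-104
          + b"\x01\x00" + WPA_OUI + b"\x02"    # one pairwise cipher: TKIP
          + b"\x01\x00" + WPA_OUI + b"\x02")   # one AKM: PSK
)
WPA2_ONLY_BEACON_IES = (
    _ie(0x00, b"corp")
    + _ie(0x30, b"\x01\x00"
          + RSN_OUI + b"\x04"                  # group cipher: CCMP
          + b"\x01\x00" + RSN_OUI + b"\x04"    # one pairwise cipher: CCMP
          + b"\x01\x00" + RSN_OUI + b"\x02"    # one AKM: PSK
          + b"\x00\x00")                       # RSN capabilities
)

if __name__ == "__main__":
    for name, ies in (("migration", MIGRATION_MODE_BEACON_IES),
                      ("wpa2-only", WPA2_ONLY_BEACON_IES)):
        print(name, analyze_beacon_ies(ies))
```

Feeding real beacons in means taking the bytes after the fixed 12-byte beacon header (timestamp, interval, capabilities) from a monitor-mode capture; the parser deliberately stops at a truncated trailing element instead of raising, because captures routinely lose the tail of a frame, while a malformed cipher-suite list inside an element does raise so that a bad verdict is never returned silently.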
It’s been just about nine years since the first practical attacks against WEP began appearing, and things went rapidly downhill from there. At Black Hat in 2001, Ian Goldberg, then of Zero-Knowledge Systems, talked about methods for cracking WEP, which was quite new at the time. And a couple of weeks later, Scott Fluhrer, Itsik Mantin and Adi Shamir published a paper on weaknesses in the RC4 key scheduling as used by WEP. Soon enough, free tools for cracking WEP appeared online; the Wi-Fi Alliance moved on to WPA, an interim standard based on a draft of IEEE 802.11i, and eventually to WPA2, which implements the full 802.11i standard.
Weaknesses in WEP and other encryption algorithms aren’t the only problems facing access point manufacturers, though. Also at Black Hat next week, a researcher will show off a variation of the DNS rebinding attack that can be used to compromise many of the wireless routers popular with home users today. The attack, developed by Craig Heffner of Seismic, enables a remote attacker to set up a Web page with a script that lets the attacker reach the visitor’s wireless network through the visitor’s own wireless router. The attacker could then use one of several known techniques to try to compromise the router itself, creating a man-in-the-middle position from which he can read the victim’s Web traffic or redirect it.
DNS rebinding attacks are by no means new and there are some safeguards in place in most browsers to prevent them from happening. But Heffner claims to have found a way around those protections.
“The way that [those patches] are circumvented is actually fairly well known,” Heffner told Andy Greenberg of Forbes. “It just hasn’t been put together like this
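Whatever browser-side protections hold or fall, a DNS rebinding attack always has one fixed tell on the device it lands on: the victim’s browser still believes it is talking to the attacker’s domain, so every rebound request carries the attacker’s hostname in the HTTP Host header, and page script cannot alter that header. A router whose embedded web server answers only requests whose Host header names the device itself is therefore immune to the rebinding step regardless of what the browser does. The check below is an added example written for this article, not Heffner’s code and not any vendor’s firmware; the device addresses in ALLOWED_HOSTS and the request list are constructed for illustration.

```python
# Added example (not Heffner's code, not vendor firmware): the router-side
# Host-header check that defeats DNS rebinding independently of browser
# safeguards. A rebound request reaches the router with the attacker's
# hostname in Host, because the browser still thinks it is talking to the
# attacker's domain, so the admin UI should only answer when Host names the
# device itself.
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress
import re

# Assumed device identity (constructed for the example): the LAN address the
# router serves its admin UI on, plus an optional friendly hostname.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}


def host_header_is_trusted(host_header, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if the HTTP Host header names this device.

    Accepts an optional :port, bracketed IPv6 literals and a trailing dot.
    A missing or empty Host header is rejected outright: an absent header is
    not a reason to skip the check."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    m = re.fullmatch(r"\[([^\]]+)\](?::\d{1,5})?", host)   # [v6-literal]:port
    if m:
        host = m.group(1)
    elif re.fullmatch(r"[^:]+:\d{1,5}", host):               # name-or-v4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    # Normalise IP literals (e.g. IPv6 zero compression) so that spelling
    # variants of the same address compare equal to the allow-list entry.
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; compare as a hostname
    return host in {h.lower() for h in allowed_hosts}


class AdminHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a router admin interface with the check applied."""

    def do_GET(self):
        if not host_header_is_trusted(self.headers.get("Host")):
            # 421 Misdirected Request: the server is not the origin the client
            # believes it is talking to. Nothing from the admin UI is served.
            self.send_error(421, "Misdirected Request: Host header not recognised")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"admin interface\n")


# Constructed walk-through of what the router sees during a rebinding attempt.
REQUESTS = [
    ("192.168.1.1", "legitimate user at http://192.168.1.1/"),
    ("Router.LAN:80", "legitimate user, hostname with explicit port"),
    ("attacker.example", "rebound request: DNS now points at the router, Host is still the attacker's"),
    (None, "no Host header at all"),
]


def triage(requests=REQUESTS):
    """Return (host_header, accepted) for each constructed request."""
    return [(host, host_header_is_trusted(host)) for host, _ in requests]


if __name__ == "__main__":
    for (host, why), (_, ok) in zip(REQUESTS, triage()):
        print(f"{'ACCEPT' if ok else 'REJECT':6} Host={host!r:20} {why}")
    # Uncomment to serve the example on the loopback interface:
    # HTTPServer(("127.0.0.1", 8080), AdminHandler).serve_forever()
```

The allow-list must contain every name and address the device legitimately answers on (the LAN IP, any mDNS or vendor hostname, and the WAN address if remote administration is deliberately enabled), otherwise legitimate users are locked out; what it must never contain is a wildcard, since a wildcard restores exactly the behaviour rebinding relies on.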