When researchers say they've found a vulnerability in the WPA2 (Wi-Fi Protected Access 2) security standard, wireless LAN administrators stand up and take notice. Md. Sohail Ahmad, a researcher with wireless security vendor Airtight Networks, presented a WPA2 vulnerability dubbed Hole 196 at Black Hat yesterday and DEFCON 18 this weekend. The name refers to page 196 of the IEEE 802.11-2007 standard, the page that defines the group temporal key (GTK) shared by every client on an access point.
Details of the vulnerability remain somewhat fuzzy, but the Wi-Fi Alliance says Hole 196 appears to be a wireless version of ARP spoofing, the attack that abuses the Address Resolution Protocol's lack of any authentication to let an attacker place itself between two hosts as a man in the middle.
Matthew Gast, chairman of the Wi-Fi Alliance’s Security Task Group (and director of product management for Aerohive Networks), said Hole 196 is an exploit that only authorized network users can use to bypass WPA2 encryption.
An insider already authenticated to the network can send forged ARP replies that trick a victim client into treating the attacker's device as the access point: the victim's ARP cache ends up mapping the gateway's IP address to the attacker's MAC address. The victim then sends its traffic to the attacker, who can read it before forwarding it on to the real access point, so the victim notices nothing.
“Since this is a vulnerability that’s been around since the beginning of Ethernet, network admins are already accustomed to dealing with it,” Gast said.
Gast said network performance monitoring can detect the added latency of the extra hop the attack inserts into the victim's path. Network admins can also enable the client isolation filter found on most WLAN infrastructure, which an ARP spoofing attack does not defeat: the AP looks directly at the destination MAC address of each frame it receives, sees that one client is sending to another client rather than to the wired network, and drops the frame instead of forwarding it. The victim's client device immediately loses connectivity, the user calls the help desk, and it is only a matter of time before a network admin tracks down the MAC address of the attacker.
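The ARP cache poisoning that the attack above relies on, and the detection of it that a network admin could run alongside latency monitoring, as an added example that is not part of the original article or of Airtight's or the Wi-Fi Alliance's material. The script parses Ethernet frames carrying ARP replies, learns IP-to-MAC bindings, and alerts when an address already bound to one MAC (the gateway's in particular) is suddenly claimed by another. The MAC and IP addresses, the frames and the class and function names are all constructed for the example; the AP's real MAC could be seeded from its configuration instead of learned.

```python
"""Detect ARP cache poisoning by watching ARP replies for an IP address,
here the gateway/AP, that suddenly claims a new MAC address.
All frames below are constructed sample input, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying an ARP reply; used here only to construct samples."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


@dataclass
class ArpReply:
    frame_src: str   # MAC in the Ethernet header
    sender_mac: str  # hardware address the reply asks the victim to cache
    sender_ip: str   # protocol address being bound to sender_mac
    target_ip: str


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the ARP reply carried by an Ethernet frame, or None if the frame is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return ArpReply(mac_str(src), mac_str(sha), ip_str(spa), ip_str(tpa))


class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and alert when a binding changes."""

    def __init__(self, gateway_ip: str, gateway_mac: Optional[str] = None):
        self.gateway_ip = gateway_ip
        self.table: Dict[str, str] = {}
        if gateway_mac:                      # known-good binding, e.g. taken from the AP's config
            self.table[gateway_ip] = gateway_mac
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        reply = parse_arp_reply(frame)
        if reply is None:
            return []
        new_alerts: List[str] = []
        # A reply whose ARP sender address disagrees with the frame's source MAC is suspect.
        if reply.sender_mac != reply.frame_src:
            new_alerts.append(f"sender MAC {reply.sender_mac} != frame source {reply.frame_src}")
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac   # first sighting: learn it
        elif known != reply.sender_mac:
            tag = "GATEWAY " if reply.sender_ip == self.gateway_ip else ""
            new_alerts.append(f"{tag}{reply.sender_ip} moved from {known} to {reply.sender_mac}")
        self.alerts.extend(new_alerts)
        return new_alerts


def demo() -> List[str]:
    """Replay constructed frames: a legitimate AP reply, then an insider claiming the AP's IP."""
    ap_mac, ap_ip = "00:11:22:33:44:55", "192.168.1.1"          # constructed addresses
    victim_mac, victim_ip = "aa:bb:cc:dd:ee:01", "192.168.1.10"
    insider_mac = "aa:bb:cc:dd:ee:02"
    frames = [
        build_arp_reply(ap_mac, ap_ip, victim_mac, victim_ip),       # legitimate reply from the AP
        build_arp_reply(insider_mac, ap_ip, victim_mac, victim_ip),  # spoofed: AP's IP, insider's MAC
        b"\x00" * 20,                                                # noise: not an ARP frame at all
    ]
    watch = ArpWatch(gateway_ip=ap_ip)
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

A detector like this only sees the frames that reach its tap: fed from a mirror of the AP's uplink it sees what the AP forwards, while catching replies exchanged directly between clients needs a sensor that hears the wireless side. Seeding the gateway binding from configuration rather than learning it from the first reply seen removes the window in which an attacker who speaks first is trusted.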