Flaw in Cisco WLAN opens up skyjacking risk
Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered a vulnerability that affects all lightweight Cisco wireless access points. They also detected an exploit, which could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.
"We found [the flaw] in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."
Cisco access points generate an unencrypted multicast data frame that is sent over the air. This includes unencrypted data such as the MAC address and the IP address of the wireless controller, as well as some configuration options, Williamson said. The controller is used to manage the access points.
With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.
"Someone out in the parking lot, or a neighbour, can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."
If an access point has OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With OTAP enabled, a newly deployed Cisco access point listens to the multicast data being broadcast in order to find the address of its nearest controller.
However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, Williamson said.
Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network," he added.
Cisco released an alert on Tuesday that describes the finding as a low-risk vulnerability that could allow unauthorized control of a wireless access point and that could allow an unauthenticated, remote attacker to cause a denial-of-service condition.
"Any clients attempting to register to the AP (access point) will be unable to access network resources, but the AP is still unable to authenticate wireless clients," the company said in a statement. "There is no risk of data loss or interception. Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose." Software updates and patches are not yet available, it added.
Cisco has 65 percent to 70 percent of the installed base for wireless LANs, according to Stan Schatt, security practice director at ABI Research. "What this really shows is that more and more companies have to have 7/24 monitoring of their LANs," Schatt said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."
An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical applications onto their networks for use by doctors and nurses with Wi-Fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission-critical phone systems," he said.
To mitigate such attacks, Cisco customers should disable the OTAP feature, AirMagnet suggested. They should then use a separate intrusion detection system to discover whether someone is snooping on the network and to verify that every access point on the network is authorized, it added.
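The kind of monitoring AirMagnet recommends, as an added example that is not the article's or either vendor's code: it audits constructed wireless-IDS records (the log format, controller addresses and AP inventory are hypothetical) for controller addresses heard over the air that are outside the authorized inventory, APs that registered to a controller other than their expected one, and APs that still have OTAP enabled.

```python
"""Audit constructed WLAN-monitor records for the risks in the article.
The log format and all addresses are hypothetical, not Cisco's or AirMagnet's."""

# Defender-maintained inventory (constructed values).
AUTHORIZED_CONTROLLERS = {"10.0.5.10", "10.0.5.11"}
EXPECTED_CONTROLLER = {"ap-lobby-01": "10.0.5.10", "ap-ward-3": "10.0.5.11"}

# Constructed sample records from a wireless IDS sensor (hypothetical format):
# 'advert' = controller address seen in an AP's over-the-air multicast frame,
# 'join'   = an AP registered to a controller.
SAMPLE_LOG = """\
2009-08-25T10:02:11 event=advert ap=ap-lobby-01 controller=10.0.5.10 otap=off
2009-08-25T10:02:15 event=advert ap=ap-unknown-7f controller=192.168.77.1 otap=off
2009-08-25T10:03:02 event=join ap=ap-ward-3 controller=192.168.77.1 otap=on
2009-08-25T10:03:40 event=join ap=ap-lobby-01 controller=10.0.5.10 otap=off
"""

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec if all(k in rec for k in ("event", "ap", "controller")) else None

def audit(log_text):
    """Return (finding, ap, controller) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ap, ctl = rec["ap"], rec["controller"]
        # A controller address we do not operate is being advertised nearby:
        # a neighbouring network, or a controller an OTAP-enabled AP could join.
        if rec["event"] == "advert" and ctl not in AUTHORIZED_CONTROLLERS:
            findings.append(("unknown-controller", ap, ctl))
        if rec["event"] == "join":
            expected = EXPECTED_CONTROLLER.get(ap)
            if expected is None:
                findings.append(("unauthorized-ap", ap, ctl))  # AP not in inventory
            elif ctl != expected:
                findings.append(("skyjack-suspect", ap, ctl))  # joined wrong controller
        if rec.get("otap") == "on":
            findings.append(("otap-enabled", ap, ctl))  # mitigation not applied
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```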