Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security bypass vulnerability broke, I received confirmation from Cisco that its model 7921 Wi-Fi VoIP phone is vulnerable to the same issue: the digital certificate presented by the authentication server is not cryptographically verified. Both Cisco and Vocera have told me that they intend to fix future implementations of PEAP and take the necessary steps to ensure certificate authenticity. Cisco released the following statement.
"Cisco confirms that the Cisco wireless IP phone model 7921 does not currently validate server certificates when configured to use PEAP (MS-CHAPv2). The Cisco 7920 model does not support PEAP. Cisco is planning a long-term solution to enable the option of client-side validation of server certificates with PEAP; however, we do not currently have a timeline for when a software upgrade will be available. To work around the problem, administrators can configure EAP-TLS as an alternative to PEAP while ensuring mutual client-server authentication."
While EAP-TLS may be a workaround for this problem, it may not be suitable for everyone because of the administrative overhead. EAP-TLS authentication requires a certificate not only on the authentication server but on the client as well, which means each wireless VoIP handset must be issued its own digital certificate.
The other possible workaround I mentioned for the same Vocera vulnerability is to keep using PEAP authentication but use a very long, RANDOM, 32-character alphanumeric password for each handset. A 32-character password of that kind offers more than 2 to the 128th power of entropy, making offline dictionary attacks infeasible. PEAP normally lets you use a reasonably short password, but that is not acceptable here because the outer layer of privacy afforded by PEAP is broken. The fact that Cisco's and Vocera's PEAP implementations fail to check the digital certificate makes them as insecure as Cisco LEAP. Unfortunately, 32-character random passwords aren't practical, and users often simply repeat a shorter password, which means their credentials are still easy to break.
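As an added illustration of the 32-character workaround (example code written for this post, not from Cisco or Vocera), the snippet below generates a per-handset random alphanumeric password and scores a candidate password's entropy against the 2^128 threshold used above. It assumes the 62-symbol alphanumeric alphabet and models the "repeated shorter password" failure by crediting only the entropy of the repeating unit; the sample passwords are constructed for the example.

```python
import math
import secrets
import string

# 62 symbols: upper case, lower case and digits, as in the 32-character workaround.
ALPHANUMERIC = string.ascii_letters + string.digits

# Constructed sample values (not real handset credentials).
SAMPLE_RANDOM_PASSWORD = "q7Lm2ZpX9aKdR4sVb8NcY1wTfJ6gH3eU"   # 32 random-looking characters
SAMPLE_REPEATED_PASSWORD = "Passw0rd" * 4                     # 32 characters, but only 8 are random


def generate_handset_password(length: int = 32) -> str:
    """Generate one random alphanumeric password using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def smallest_repeating_unit(password: str) -> str:
    """Return the shortest prefix whose repetition reproduces the whole password.

    'abcabcabc' -> 'abc'; a password with no such pattern is its own unit.
    """
    n = len(password)
    for size in range(1, n + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return password


def entropy_bits(password: str, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy in bits, assuming each character of the repeating unit is drawn
    uniformly from an alphabet of alphabet_size symbols.

    Repeating a short string adds length but no entropy, so only the unit counts.
    """
    unit = smallest_repeating_unit(password)
    return len(unit) * math.log2(alphabet_size)


def resists_offline_attack(password: str, threshold_bits: float = 128.0) -> bool:
    """True when the password meets the 2^128 bar the text sets for a broken PEAP outer layer."""
    return entropy_bits(password) >= threshold_bits


if __name__ == "__main__":
    for pw in (generate_handset_password(), SAMPLE_RANDOM_PASSWORD, SAMPLE_REPEATED_PASSWORD):
        print(f"{pw}: {entropy_bits(pw):6.1f} bits, resists offline attack: {resists_offline_attack(pw)}")
```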
A proper PEAP implementation offers protection similar to that of SSL, where the outer layer is trusted enough that the user credentials are typically transmitted in the clear inside it. PEAP uses a strong TLS outer layer of protection based on asymmetric RSA key exchange and usually a weaker inner method of protection based on CHAP-style authentication that relies on hashed challenge responses. Having those two layers may unfortunately have led vendors like Cisco and Vocera to take a shortcut: skipping the critical outer layer of protection by not verifying the server certificate, in the belief that the inner layer is sufficient.
The vendors took this shortcut for better wireless roaming performance, but the proper way to get even better roaming performance is to implement PMK caching in the access point infrastructure, NOT to take shortcuts on cryptography. At least with the LEAP protocol you knew there was no outer layer of protection and could try to factor that in when setting password policies. A broken PEAP authentication mechanism gives people a false sense of security, which is even worse than just staying with LEAP.