Report: Cisco wireless LAN at risk from 'skyjack' attack


Summary: Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a report.

Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.

Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all lightweight Cisco wireless access points, as well as the exploit that could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.

"We found it in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."

Basically, the Cisco access points generate an unencrypted multicast data frame that is sent over the air and includes unencrypted data like the MAC address and the IP address of the wireless controller, as well as some configuration options, he said. The controller is used to manage the access points.

With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.

"Someone out in the parking lot or a neighbor can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."

If an access point has OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With the OTAP feature enabled, a newly deployed Cisco access point will listen to the multicast data being broadcast to find the address of its nearest controller.

However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, he said.

Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network", Williamson said.

AirMagnet has informed Cisco about the problems and Cisco is working on a fix, Williamson said.

"As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.

"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," he said. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported, consistent with our well-established disclosure process."

Cisco has 65 per cent to 70 per cent of the install base for wireless LANs, according to Stan Schatt, security practice director at ABI Research.

"What this really shows is that more and more companies have to have 24/7 monitoring of their LANs," he said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."

An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical apps onto the network for use by doctors and nurses with wi-fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission-critical phone systems," he said.

To mitigate against any attacks, Cisco customers should disable the OTAP feature and use a separate intrusion detection system that can detect whether someone is snooping on the network, as well as monitor that all access points on a network are authorized, AirMagnet said.
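The checks AirMagnet recommends (OTAP off, every access point authorized, and no access point joined to an outside controller) can be run as a recurring audit. The following is an added example, not code from the article, Cisco or AirMagnet; the inventory, the controller addresses and the observation record format are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not from the article).
AUTHORIZED_CONTROLLERS = {"10.20.0.5", "10.20.0.6"}
AP_INVENTORY = {"0011.2233.4401", "00:11:22:33:44:02", "00-11-22-33-44-03"}

# Constructed observations, e.g. exported from a WLAN monitoring system:
# (AP MAC, controller IP the AP is joined to, OTAP enabled?)
OBSERVED = [
    ("00:11:22:33:44:01", "10.20.0.5", False),
    ("0011.2233.4402", "10.20.0.6", True),
    ("00:11:22:33:44:03", "192.0.2.77", True),
    ("00:aa:bb:cc:dd:ee", "10.20.0.5", False),
]

def norm_mac(mac):
    """Normalize colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit(observed, inventory, controllers):
    """Return (ap_mac, issue) findings for the three conditions named above."""
    known = {norm_mac(m) for m in inventory}
    allowed = {ipaddress.ip_address(c) for c in controllers}
    findings = []
    for mac, controller, otap in observed:
        ap = norm_mac(mac)
        if ap not in known:
            # Access point on the air that is not in the inventory.
            findings.append((ap, "unauthorized-ap"))
            continue
        if ipaddress.ip_address(controller) not in allowed:
            # Known access point managed by a controller that is not ours.
            findings.append((ap, "joined-unauthorized-controller"))
        if otap:
            # OTAP still on: this access point will listen for over-the-air controller data.
            findings.append((ap, "otap-enabled"))
    return findings

if __name__ == "__main__":
    for ap, issue in audit(OBSERVED, AP_INVENTORY, AUTHORIZED_CONTROLLERS):
        print(ap, issue)
```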

This article was originally posted on CNET News.

  • Cisco has proven to have...

    some of the most insecure products on the market. If hackers paid as much attention to Cisco as they do MS it would probably be worth their while. If Cisco were put under that much pressure I am certain they would fall. IOS has proven to be insecure and now it looks like their latest offerings are following suit. And all of this for a very premium price.

    Cisco would probably be a gold mine for hackers.
    • Does this include...

      How about the Linksys WRT54G? It is made with Cisco parts... That is strange though, I always thought Cisco to be incredibly secure, second only to Ambit. I guess I need to brush up my Cisco Certification, 'cause they must have lied to me! lol... Seriously, where did you get the info for Cisco's lack of security? Citation would be appreciated when you make a serious claim like that.
      • cisco is the most secure

        You cannot beat Cisco in security when set up by a certified and trained professional. Unlike your home-use Linksys, Cisco needs someone who knows what they are doing. That is why they are designed for business and not homes.
  • RE: Report: Cisco wireless LAN at risk from 'skyjack' attack

    A good reason I use wired LAN

  • RE: Report: Cisco wireless LAN at risk from 'skyjack' attack

    This only affects Light weight AP's, not Linksys (linux based) or old style Autonomous (full IOS) access point IF OAP is left on.

    Most people I know turn it off after the initial install anyhow, which I believe is in line with Cisco's best practice guidelines.