WPA2 flaw signals need for better security

Vulnerability in wireless protocol not hot-button issue but serves as warning to organizations that have not adopted defense-in-depth security strategy, notes observer.

The recently disclosed vulnerability in the Wi-Fi Protected Access 2 (WPA2) protocol is not an issue critical enough to set vendors "scrambling to fix", but serves as a "wakeup call" to organizations that have not implemented a "defense-in-depth" security strategy around their data assets, according to a security observer.

The vulnerability, also known as Hole196, was presented at the Black Hat security conference last month by Airtight Networks wireless security researcher Md. Sohail Ahmad. The flaw was given its moniker because it is documented on page 196 of the 2007 revision of the 1,232-page IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard.

Sohail explained that an authorized insider can exploit Hole196 via, for example, Address Resolution Protocol (ARP) poisoning or a man-in-the-middle attack, in which the gateway's MAC (Media Access Control) address is replaced with that of the attacker's machine. This means the victims will then send data to the attacker's machine rather than the actual network gateway. He noted that the vulnerability was a concern given the potential for insider attacks within organizations.
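The outcome described above, a victim's gateway ARP entry pointing at the attacker's MAC, is what a defender would watch for on the client side. The Python check below is an added illustration, not code from the article or from any vendor quoted in it: it parses constructed `ip neigh`-style snapshots and compares the gateway entry against a pinned baseline MAC, also flagging a single MAC that answers for the gateway and another host. The gateway address, pinned MAC and snapshot contents are all assumed sample values.

```python
import re
from typing import Dict, List, Tuple

# Constructed ARP-table snapshots in `ip neigh` style (assumed sample data, not from a real host).
# Snapshot 0: healthy table. Snapshot 1: the gateway now resolves to the MAC of 10.0.0.23.
SNAPSHOTS = [
    """10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.23 dev wlan0 lladdr 00:11:22:33:44:23 STALE
10.0.0.40 dev wlan0 lladdr 00:11:22:33:44:40 REACHABLE""",
    """10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:23 REACHABLE
10.0.0.23 dev wlan0 lladdr 00:11:22:33:44:23 STALE
10.0.0.40 dev wlan0 lladdr 00:11:22:33:44:40 REACHABLE""",
]

GATEWAY_IP = "10.0.0.1"                   # assumed network gateway
PINNED_GATEWAY_MAC = "00:11:22:33:44:01"  # MAC recorded at baseline (assumed)

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)


def parse_neigh(snapshot: str) -> Dict[str, str]:
    """Map IP -> MAC from `ip neigh` style lines; entries without an lladdr are skipped."""
    table: Dict[str, str] = {}
    for line in snapshot.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_snapshot(table: Dict[str, str]) -> List[str]:
    """Return alert strings for two indicators of a poisoned gateway entry."""
    alerts: List[str] = []
    gw_mac = table.get(GATEWAY_IP)
    if gw_mac and gw_mac != PINNED_GATEWAY_MAC:
        alerts.append(f"gateway {GATEWAY_IP} now resolves to {gw_mac}, expected {PINNED_GATEWAY_MAC}")
    # One MAC answering for the gateway and for another host is the classic poisoning footprint.
    owners: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if GATEWAY_IP in ips and len(ips) > 1:
            alerts.append(f"{mac} claims gateway and {[i for i in ips if i != GATEWAY_IP]}")
    return alerts


def scan(snapshots=SNAPSHOTS) -> List[Tuple[int, List[str]]]:
    """Run the check over each snapshot; an empty alert list means the gateway entry is unchanged."""
    return [(i, check_snapshot(parse_neigh(s))) for i, s in enumerate(snapshots)]


if __name__ == "__main__":
    for idx, alerts in scan():
        print(idx, alerts or "ok")
```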

Other networking vendors, however, have played down the risk.

Low risk of being exploited
Greg Bunt, Asia-Pacific enterprise architect at Juniper Networks, told ZDNet Asia in a phone interview that customers are generally "always concerned" about security-related issues and the recent flaw has certainly been talked about.

However, he pointed out that "bugs will appear in everything" and Hole196 is "not something we're going to see vendors around the world scrambling to fix". More than anything, Bunt said, it serves as a "wakeup call" to organizations that have not instituted a defense-in-depth strategy.

"It is an exploit in the architecture--the way wireless works. The risk is real [but] there's just a low propensity for that opportunity to be exploited, in all honesty," he said.

Aruba Networks also issued its own analysis of the security gap. Robbie Gill, the company's security researcher and engineer, noted in a blog post that the man-in-the-middle attack or ARP poisoning can be prevented by a feature called client isolation, which prohibits inter-client communication.

"If client isolation feature is enabled, this man-in-the-middle attack would not be possible as communication between victim and attacker via the access point would be prohibited, and the attacker would not be able to communicate with the victim even after the victim's ARP cache has been poisoned," Gill wrote. "At worst [it would result in] a denial-of-service attack as after the ARP poisoning, the victim's gateway ARP entry is pointing to the attacker's MAC address, with which no communication is possible."

A Cisco Systems spokesperson said in an e-mail to ZDNet Asia: "Cisco has assessed the latest information and determined that [the vulnerability] does not represent a significant threat to our customers or warrant a security advisory at this time. We are not seeing significant interest from our customers but will consider an official response if this changes."

Graham Titterington, principal analyst at Ovum, however, noted: "[The vulnerability] re-opens all the debate about the security of a wireless LAN (WLAN) network that we had a few years ago when the WEP (Wired Equivalent Privacy) protocol was widely used.

"The move to WPA2 appears not to have fixed the problem [of weak security]," he said in an e-mail.

Does standard need revision?
According to Titterington, the disclosed vulnerability warrants an update of the 802.11 standard as it endangers confidential information passing through WLAN networks. But, he noted that any changes to the standard will take time.

"We need a new iteration of the standard that fixes this flaw but this will take years to develop and roll out," he said. "In the meantime, organizations should be aware of the risks and consider encrypting sensitive data, independently of any encryption in the WLAN fabric, before it is transmitted across the WLAN. Regular scanning of the WLAN network, looking for any rogue access points, is another means of enhancing WLAN security."

Juniper Networks' Bunt noted that WPA is meant to be a relatively lightweight mechanism. And while it is possible for the industry to provide a heightened level of encryption, there are tradeoffs.

"They come at the expense of more expensive cryptography, use of certificates or other technologies that maybe deplete the CPU and the battery of the end-station in a more intensive way than WPA," he explained.

Most organizations today understand there are now different types of data and hence, the need to treat the data in a way most relevant to its security level, Bunt added. "As [organizations] move from Internet-grade through to top-secret and beyond classification, they don't just have one security strategy--they will go for a defense-in-depth solution. Sometimes those defense-in-depth solutions [call for] discrete systems," he said.

As part of the defense-in-depth consideration, enterprises also recognize there is a higher potential for data to be intercepted via a wireless network than when users are connected to a physical network, he added. That has prompted many to go down the VPN (virtual private network) path, he noted.

"As we move forward, people are going to make the assumption that unwired networks--whether Wi-Fi or 3G or beyond--are less secure than a physical one, and as such will use encryption and endpoint assessment in order to make sure they're protected against those sorts of things," Bunt said. "That needs to continue to extend [beyond] a physical laptop but also to next-generation mobile devices [such as] Blackberry, Android, iPhone.

"I think people are prepared to live with this level of security and when they want to do things in a more secure manner, they are invoking SSL (Secure Sockets Layer) or IPsec (Internet Protocol security) to provide that [protection]."