Access points give away network details to hackers

Aug 25, 2009 15:15 GMT

AirMagnet, a wireless security provider, has recently disclosed a vulnerability in the Cisco access point discovery procedure for WLANs. It allows attackers to sniff network details from existing network traffic, thanks to unencrypted multicast frames, or to "sky-jack" Cisco equipment every time an access point is connected to the network with the OTAP (Over-the-Air-Provisioning) service enabled.

Researchers discovered that access points were generating and transmitting unencrypted multicast data containing sensitive network information such as the MAC and IP addresses of the local WLAN controller, as well as some configuration options. According to AirMagnet experts, obtaining this information was easy: attackers only had to use some open source programs like NetStumbler to gain the necessary access.

Wade Williamson, Director of Product Management at AirMagnet, told CNET that “We found it in our labs. […] We don't know about it being exploited in the wild.” He went on to add that anybody could “use the wireless LAN to create a wired path into your network,” using this vulnerability.

Another way to break into a Cisco wireless network arises whenever an access point is set to use the OTAP feature. Every new Cisco access point introduced into a network first scans and listens for multicast broadcasts in the WLAN to determine the location of its nearest controller. If an attacker injects wireless traffic inside a company's headquarters, the access point could get confused and connect to the wrong controller.

Using this technique, an external attacker could gain a bridge into a company's network and sniff private data without anyone detecting them.

AirMagnet informed Cisco, which has started the research needed to supply a fix for this problem. "As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.

Cisco recommends that the OTAP feature be turned off until a patch is issued.