Can be used to spoof traffic and inject rogue requests

Jul 26, 2010 10:35 GMT  ·  By

A security researcher plans to demonstrate at the upcoming Black Hat security conference a vulnerability that can be used by a malicious user to launch Man-in-the-Middle attacks on a WPA2-protected WLAN. The flaw, dubbed 'Hole 196', is described as a key loophole in the WPA2 wireless security protocol.

Md Sohail Ahmad, the wireless security researcher who plans to demonstrate how this vulnerability can be exploited at Black Hat Arsenal, explains that the flaw has been documented before, but that it has received far less attention than it actually warrants. Mr. Ahmad works for AirTight Networks, a provider of wireless intrusion prevention systems.

The vulnerability is apparently described in the last sentence of the last paragraph on page 196 of the 2007 IEEE 802.11 Revised Standard (PDF), hence its name. “Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property,” it reads.

GTKs, which stand for Group Temporal Keys, are used for protecting broadcast traffic on wireless networks employing the WPA2 protocol, especially WPA2-Enterprise. Because every associated client holds the same GTK, exploiting this shortcoming to spoof traffic or inject rogue data into packets traveling over the air requires the attackers to be on the same network as their victims.
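To make the quoted property concrete, here is a constructed toy model added for this article (not code from AirTight or from the standard): HMAC-SHA256 stands in for the real CCMP integrity check, and the station names and keys are made up. It shows why a receiver's own decapsulation check rejects a spoofed unicast frame but cannot reject a spoofed group frame from any other GTK holder.

```python
import hashlib
import hmac
import os

# Constructed toy model of the key-binding property quoted from the 802.11 standard.
# HMAC-SHA256 stands in for the real CCMP integrity check; station names are made up.
AP = "ap"
BROADCAST = "ff:ff:ff:ff:ff:ff"
STATIONS = ["alice", "mallory"]
PTK = {sta: os.urandom(16) for sta in STATIONS}  # pairwise key: held only by the AP and that one STA
GTK = os.urandom(16)                              # group key: held by the AP and every associated STA


def mic(key, ta, ra, payload):
    """Integrity tag over the addresses and payload, so key and addresses must both match."""
    return hmac.new(key, f"{ta}|{ra}|".encode() + payload, hashlib.sha256).digest()


def encapsulate(key, ta, ra, payload):
    return {"ta": ta, "ra": ra, "payload": payload, "mic": mic(key, ta, ra, payload)}


def decapsulate(receiver, frame):
    """Receiver-side check: pairwise key for unicast bound to (TA, RA), GTK for group frames.

    Returns True if the frame is accepted, False if the check 'generates an error'."""
    if frame["ra"] == BROADCAST:
        key = GTK
    elif frame["ta"] == AP and frame["ra"] == receiver:
        key = PTK[receiver]
    else:
        return False
    expected = mic(key, frame["ta"], frame["ra"], frame["payload"])
    return hmac.compare_digest(expected, frame["mic"])


def legitimate_unicast():
    # The AP uses alice's pairwise key; alice accepts.
    frame = encapsulate(PTK["alice"], AP, "alice", b"hello alice")
    return decapsulate("alice", frame)


def spoofed_unicast_from_insider():
    # mallory claims TA=AP but only holds her own pairwise key: alice's check fails.
    frame = encapsulate(PTK["mallory"], AP, "alice", b"forged unicast")
    return decapsulate("alice", frame)


def spoofed_group_frame_from_insider():
    # mallory claims TA=AP on a group frame; she holds the GTK, so alice cannot tell.
    frame = encapsulate(GTK, AP, BROADCAST, b"forged broadcast")
    return decapsulate("alice", frame)
```

The third function returning True is the 'Hole 196' property: nothing in the receiver's check distinguishes the AP from any other GTK holder, which is why the article's sources point to layered defences such as wireless intrusion prevention rather than a protocol-level fix.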

Therefore, this type of attack is most likely to be pulled off by insiders or by hackers connected to the same wireless hotspots as their victims. This type of threat is not at all uncommon: recent surveys of attacks in enterprise environments have revealed that over 50% of them were the result of insiders.

“Unlike the TJX breach where data was stolen over unsecured Wi-Fi, this finding is concerning because organizations are relying on WPA2 for its strong encryption and authentication. Since there is no fallback in the 802.11 standard to address this hole, AirTight felt it was important to raise awareness around it. As with any security best practice you need a layered approach because one size does not fit all,” Pravin Bhagwat, AirTight's CTO, commented.

You can follow the editor on Twitter @lconstantin