Is Cisco's WPA Migration Mode Leaving Wi-Fi Users at Risk?

By Sean Michael Kerner

July 28, 2010

Researchers at Black Hat this week warn about a potential threat in Cisco 1200-series wireless access points, but the enterprise networking giant downplays the danger.

LAS VEGAS -- When it comes to locking down wireless access points, few experts consider the WEP wireless security protocol to be secure, since it can be compromised easily with widely available tools. Yet despite WEP's known weaknesses, support for the discredited protocol remains available on some routers from industry leader Cisco -- a fact that attackers could use to seize control of the routers, according to new warnings from a pair of researchers from Core Security.

At the Black Hat security conference this week, Core Security senior security consultants Leandro Meiners and Diego Sor are publicly disclosing details of what they describe as a new way that WEP support could endanger consumer and enterprise users of Cisco 1200-series wireless access points.

The issue stems from the access points' "migration mode" feature, which is aimed at making it simpler for customers to transition from WEP to the more secure WPA. Using the feature, both WEP and WPA endpoints can connect to the same Service Set Identifier (SSID) on a wireless access point.

But Meiners explained to InternetNews.com that the feature leaves room for an attack against a Cisco router if it's using WPA migration mode -- even when there are no WEP clients present on the network.

"We found that it was possible to attack the access point when it is configured in WPA migration mode," Meiners said. "It requires some tweaks from the ordinary way to attack a WEP access point."

Those tweaks are being made available at Black Hat through patches for the popular open source Aircrack tool. Meiners explained that the attack works by getting the physical access point to send replies using WEP. Using the captured data, the patches for Aircrack are able to provide the WEP key, enabling an attacker to compromise the access point.

WEP remains risky

For its part, Cisco points its finger at the widely known, inherent dangers of WEP, and not at its own implementation.

"Based on the information provided, we believe the presentation focuses on known characteristics of WEP encryption rather than any perceived deficiency in a Cisco product," Cisco said in a statement sent to InternetNews.com.

Cisco also added that it already advises customers that they should implement stronger WPA2 wireless security as soon as they can.

"The 'WPA migration mode' feature was designed to be used only while organizations were in the transition between WEP and WPA infrastructure," the company said. "Once the migration is complete, we recommend customers should disable unneeded services as a best practice for securing network infrastructure."

If administrators don't heed that warning, however, they could be putting their organizations at risk by leaving their routers in WPA migration mode.

To combat the threat, Meiners suggested that instead of using migration mode, companies with a need for WEP can better protect themselves by creating two separate SSIDs -- one for WEP and one for WPA.

"If you have to allow WEP nodes to connect, don't allow the hybrid migration mode," Meiners said. "Instead, set up two separate SSIDs, so on the WEP SSID, you can restrict network access to a specific VLAN, since you know that network can be broken into."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.


