Is Cisco's WPA Migration Mode Leaving Wi-Fi Users at Risk?
July 28, 2010
Researchers at Black Hat this week warn about a potential threat in Cisco 1200-series wireless access points, but the enterprise networking giant downplays the danger.
LAS VEGAS -- When it comes to locking down wireless access points, few experts consider the WEP wireless security protocol to be secure, since it can be compromised easily with widely available tools. Yet despite WEP's known weaknesses, support for the discredited protocol remains available on some routers from industry leader Cisco -- a fact that attackers could use to seize control of the routers, according to new warnings from a pair of researchers from Core Security.
At the Black Hat security conference this week, Core Security senior security consultants Leandro Meiners and Diego Sor are publicly disclosing details of what they describe as a new way that WEP support could endanger consumer and enterprise users of Cisco 1200-series wireless access points.
The issue stems from the access points' "migration mode" feature, which is aimed at making it simpler for customers to transition from WEP to the more secure WPA. Using the feature, both WEP and WPA endpoints can connect to the same Service Set Identifier (SSID) on a wireless access point.
"We found that it was possible to attack the access point when it is configured in WPA migration mode," Meiners said. "It requires some tweaks from the ordinary way to attack a WEP access point."
Those tweaks are being made available at Black Hat through patches for the popular open source Aircrack tool. Meiners explained that the attack works by getting the physical access point to send replies using WEP. Using the captured data, the patches for Aircrack are able to provide the WEP key, enabling an attacker to compromise the access point.
WEP remains risky
For its part, Cisco points its finger at the widely known, inherent dangers of WEP, and not at its own implementation.
"Based on the information provided, we believe the presentation focuses on known characteristics of WEP encryption rather than any perceived deficiency in a Cisco product," Cisco said in a statement sent to InternetNews.com.
Cisco also added that it already advises customers that they should implement stronger WPA2 wireless security as soon as they can.
"The 'WPA migration mode' feature was designed to be used only while organizations were in the transition between WEP and WPA infrastructure," the company said. "Once the migration is complete, we recommend customers should disable unneeded services as a best practice for securing network infrastructure."
If administrators don't heed that warning, however, they could be putting their organizations at risk by leaving their routers in WPA migration mode.
To combat the threat, Meiners suggested that instead of using migration mode, companies with a need for WEP can better protect themselves by creating two separate SSIDs -- one for WEP and one for WPA.
"If you have to allow WEP nodes to connect, don't allow the hybrid migration mode," Meiners said. "Instead, set up two separate SSIDs, so on the WEP SSID, you can restrict network access to a specific VLAN, since you know that network can be broken into."