Secure Your Network (and Clients) Against Hole 196

By Eric Geier

August 23, 2010

The "Hole 196" vulnerability affects Wi-Fi networks of all sorts, including those using robust Enterprise encryption. Here's how to protect your WLAN and keep your mobile fleet safe.

In the last month, there has been much publicity over a "new" vulnerability in WPA/WPA2 encryption (unofficially named "Hole 196") originating from AirTight Networks. Here I'll briefly describe the weakness, then share tips on how to protect yourself from attacks using this exploit, whether on your network or when using public networks.

I used the word new with quotes as this isn't technically a fresh vulnerability. The name "Hole 196" was coined because the vulnerability is hinted at on the last line of page 196 of the revised IEEE 802.11-2007 specification. This is the standard all Wi-Fi products are based on. AirTight Networks has merely brought light to the issue.

Understanding the Hole 196 vulnerability

First, it's important to understand that attacks using this vulnerability must be performed within the network. The culprit must already have network credentials and be successfully connected. Attacks can't be made against a corporate network by Joe Hacker in the parking lot, unless Joe somehow got the login information for the network. Attacks are more likely to come from a rouge employee or insider.

The Hole 196 vulnerability applies to both the Enterprise (802.1X) and Personal (PSK) modes of Wi-Fi Protected Access, however it's more significant to wireless networks using the Enterprise mode.

Another important note -- others refer to this as a WPA2 weakness, but it actually applies to both versions: WPA (TKIP) and WPA2 (AES).

To understand the vulnerability, you must realize one of the benefits of using the Enterprise mode of WPA/WPA2: Each user or connection receives its own encryption key. Thus, users can't decrypt the traffic of other users -- or so we thought. When using Personal mode, users connect with a single encryption key, thus they can by default read each other's traffic.

The Hole 196 vulnerability lets users on a network protected with the Enterprise mode decrypt packets from other users. It's not truly cracking the encryption. It's a man-in-the-middle attack using the ARP cache-poisoning technique, like we've seen on wired networks. The underlying issue is with the 802.11 protocol.

Keep in mind, this vulnerability also applies to public networks that secure their Wi-Fi hotspots with Enterprise encryption and 802.1X authentication. A hotspot user might snoop on unsuspecting users that thought their traffic was protected.

The bottom line is that an authorized user can capture the decrypted traffic of other users, send potentially harmful traffic (such as malware) to them disguised as one of the network's access points (APs), and/or perform denial-of-service attacks.

Protecting your network from the vulnerability

While we wait for vendors and standards to patch this security hole, here are a few things you can do to help mitigate the vulnerability on your private network:

  • Segregate access with VLANs and virtual SSIDs: Putting departments and groups on different virtual networks can help isolate the attacks to only the originating virtual network. Smaller businesses can use the DD-WRT firmware replacement to get the virtual LAN and multiple SSID support.
  • Enable client isolation: Some vendors include this proprietary feature on their APs and controllers, though with varying names for the feature. It stops user-to-user communication; therefore it helps prevent users from part (not all attacks) of this vulnerability.
  • Use VPN connections too: If you are really paranoid, you can tunnel each user's traffic through a VPN server. Thus if someone successfully eavesdroppers on another user, the culprit will just see a bunch of gibberish. If you don't already have a VPN solution, consider OpenVPN.

In the near future, you should:

  • Update AP firmware: Vendors may fix this issue by a simple software update, so make sure you keep your APs and other network components update-to-date.
  • Update your wireless IDS/IPS systems: Wireless intrusion detection systems (IDS) and intrusion prevention systems (IPS) have the ability to detect and alert you of these types of attacks. These solutions will likely be updated to detect Hole 196, so make sure you keep it updated. If you don't already have a wireless IDS/IPS system in place, consider it now.

Protecting yourself from the vulnerability on public networks

As briefly mentioned, the Hole 196 vulnerability also applies to secure public networks or Wi-Fi hotspots that use WPA/WPA2-Enterprise with 802.1X authentication. Since anyone can pay to connect, this might be where we see the most attacks of this kind. Like on a private network, a hacker might be able to capture your decrypted network/Internet traffic and possibly send you harmful traffic.

However, protecting your traffic isn't difficult. Tunnel into a VPN server and your real traffic can't be captured. If you don't have a VPN server at home or work, consider a commercial or free hosted service.

This isn't the only vulnerability

Remember, this is just one of many vulnerabilities of using wireless networks. I'll leave you with a couple more tips to keep you and your network safe:

  • When using the Personal (PSK) mode, use long, complex mixed character passphrases--shorter ones can be guessed by dictionary-based attacks.
  • When using the Enterprise mode with 802.1X, properly configure these three key PEAP or certificate settings in Windows, otherwise you'll be susceptible to man-in-the-middle attacks:
    • Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
    • Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
    • Check Do not prompt user to authorize new servers or trusted certificate authorities.
  • Wi-Fi networks used by businesses or organizations should always be using the Enterprise mode, so access can be better controlled. Though it requires a RADIUS server, there are hosted solutions for smaller organizations.
  • Don't rely on disabling SSID broadcasting or MAC address filtering for security.

Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.