Wifi ‘Hole 196’ opens WPA2

July 26th, 2010 | by jim

It looks like an active attack against an underlying protocol vulnerability in WPA2 has just been announced by Md. Sohail Ahmad of AirTight Networks. This represents a real risk to people relying on WPA2 (in any flavour) for their data communications security.

This affects WPA2 itself, and although full details won’t be announced for a few days, it serves as a reminder that the security landscape is constantly changing. Vulnerabilities are a fact of life, and upgrades to your security software are essential. If you cannot upgrade, you need to have another layer of protection.

Many people provide their wireless access points from dedicated hardware devices, for example the Linksys WRT54GL, or increasingly directly from their ADSL modem. These devices are usually the simplest to configure and support, but they are probably the hardest to upgrade.

In a case such as this, it’s the whole protocol that has been declared faulty, allowing an attacker to bypass network encryption completely by demanding copies of each device’s PTKs (the transient encryption keys). The only way around that is for every device on the wireless network to upgrade to a different protocol, and we don’t have one available right now. In practice I’d expect a “WPA3” to come up, with the specific vulnerability around group keys mitigated in some way. This will be delivered to PCs through your operating system updates, but that’s no use if you can’t upgrade your access points; and even though it’s often technically possible to turn up a new firmware for an old device, most hardware vendors would prefer if you just went out and bought a new unit …

So your workaround is to consider your wireless network to be as open as the old hub-based wired networks, or possibly even as dangerous as the raw Internet. Use a firewall to prevent applications on your PC from using the network without your approval, and make sure that every protocol you use with private data is software encrypted: HTTPS (use the EFF’s HTTPS-Everywhere plugin for Firefox as a minimum), IMAPS|POPS for email … or perhaps run a VPN between wireless devices and the access point or server beyond.

In fact, for corporates it may make sense to require the use of a VPN over all wireless networks; after all, they are already managing the PCs in question and can keep credentials/keys updated.
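One way to check the workaround above on a Linux client, as an added example that is not part of the original post: it reads `ss -tn`-style output and reports which connections sourced from the wireless address go to ports that are plaintext by default. The addresses (192.168.1.23 for the wireless interface, 10.8.0.2 for a VPN tunnel), the sample rows and the port lists are assumptions constructed for illustration.

```python
# Added example: port numbers are only a heuristic for "encrypted or not".
PLAINTEXT = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
ENCRYPTED = {22: "SSH", 443: "HTTPS", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

# Constructed sample in the layout of `ss -tn` output (documentation addresses).
# Assumed: 192.168.1.23 is the wireless address, 10.8.0.2 a VPN tunnel address.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.23:51514   198.51.100.10:80
ESTAB  0      0      192.168.1.23:51520   198.51.100.10:443
ESTAB  0      0      192.168.1.23:40112   203.0.113.25:143
ESTAB  0      0      192.168.1.23:40120   203.0.113.25:993
ESTAB  0      0      10.8.0.2:39000       192.0.2.80:80
ESTAB  0      0      192.168.1.23:47000   203.0.113.99:8080
"""


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def audit(ss_output, wireless_addr):
    """Classify established connections sourced from the wireless address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header row or a socket that is not established
        local_host, _ = split_endpoint(fields[3])
        peer_host, peer_port = split_endpoint(fields[4])
        if local_host != wireless_addr:
            continue  # e.g. traffic sourced from the VPN tunnel address
        if peer_port in ENCRYPTED:
            verdict = "encrypted"
        elif peer_port in PLAINTEXT:
            verdict = "plaintext"
        else:
            verdict = "unknown"  # needs a manual look
        findings.append((peer_host, peer_port, verdict))
    return findings


def exposed(findings):
    """Connections that should move to a TLS port or inside the VPN."""
    return [f for f in findings if f[2] != "encrypted"]


if __name__ == "__main__":
    for host, port, verdict in exposed(audit(SAMPLE, "192.168.1.23")):
        print(f"{host}:{port} {verdict} {PLAINTEXT.get(port, '')}")
```

Ports 25, 110 and 143 may be upgraded in-session with STARTTLS, so treat a plaintext verdict there as something to verify in the mail client's settings.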

This isn’t a new message; this is an old message. The security problems of wireless are not new, and indeed aren’t even specific to wireless technology at all; it’s more an issue of the way that the security software is implemented in firmware, and is therefore difficult for most users to manage. There will be vulnerabilities in the software VPNs, but the fix/upgrade timescales for these will be far faster and more achievable.
