Flaw in top wireless security protocol WPA2 uncovered
Disgruntled insiders could hack corporate wireless LAN
WPA2 flaw could be used to unlock corporate data
A researcher from leading wireless security firm Airtight Networks has uncovered a flaw in the Wi-Fi Protected Access 2 (WPA2) protocol.
The flaw could allow malicious insiders to hack corporate wireless LANs (WLANs) and steal business-critical information from wireless traffic.
Airtight Networks security wireless researcher Md Sohail Ahmad uncovered the flaw, demonstrating just how easy it is to hack into an encrypted wireless network without breaking the encryption key.
Airtight CTO Pravin Bhagwat said that the important vulnerability was buried on the last line of page 196 of the IEEE 802.11 Revised Standard published in 2007.
“That's the reason for the vulnerability's moniker – Hole196,” explained Bhagwat.
“This finding is worrying because organisations rely on WPA2 for strong encryption and authentication. Since the 802.11 standard doesn’t address this problem, Airtight felt it was important to raise awareness around it,” said Bhagwat.
Airtight said the flaw could be exploited using existing open source software. “The footprint of such insider attacks is limited to the wireless network; this makes them particularly stealthy because they don't require key cracking,” he added.
The Wi-Fi Protected Access (WPA and WPA2) protocols were developed by the Wi-Fi Alliance to secure wireless networks, and were developed after serious weaknesses were found in an earlier protocol, wired equivalent privacy (WEP).
WPA2 can use two key types: Pairwise Transient Key (PTK) and Group Temporal Key (GTK). PTK protects traffic unique to each user, whilst GTK protects broadcast data sent to multiple users on a wireless network.
PTKs can detect address spoofing and data forgery, while GTKs do not have this property.
All users hold the GTK for receiving broadcast traffic and, using the aforementioned open-source software, a hacker could use the GTK to create a broadcast packet.
Clients receiving that packet would automatically respond by sending their own private key information.
Using obtained private keys, malicious insiders could then decode others' traffic or create a denial-of-service attack on the wireless network.
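To show why the group key gives no protection against address spoofing while the pairwise key does, here is a constructed Python model (an added example, not code from Airtight or the article): every station shares one GTK, so a broadcast frame forged by one client that names the AP as its source verifies at every other client, whereas the same forgery on a unicast frame fails because each PTK is known only to one client and the AP. The HMAC-based integrity check, MAC addresses and key values are stand-ins, not real 802.11 CCMP.

```python
import hmac, hashlib, os
from dataclasses import dataclass

# Toy model of the WPA2 key split (constructed; HMAC-SHA256 stands in for the frame MIC).
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:00:00:00:00:01"          # constructed AP address

@dataclass(frozen=True)
class Frame:
    src: str      # claimed transmitter address
    dst: str      # BROADCAST or a station address
    body: bytes
    mic: bytes

def mic(key: bytes, src: str, dst: str, body: bytes) -> bytes:
    # Integrity check binds the addresses and payload to the key used.
    return hmac.new(key, f"{src}|{dst}|".encode() + body, hashlib.sha256).digest()

def build_frame(key: bytes, src: str, dst: str, body: bytes) -> Frame:
    return Frame(src, dst, body, mic(key, src, dst, body))

class Station:
    """A WPA2 client: its own PTK (shared only with the AP) plus the group GTK."""
    def __init__(self, mac: str, ptk: bytes, gtk: bytes):
        self.mac, self.ptk, self.gtk = mac, ptk, gtk

    def accept(self, frame: Frame) -> bool:
        # Broadcast frames are verified with the GTK, unicast frames with this station's PTK.
        key = self.gtk if frame.dst == BROADCAST else self.ptk
        return hmac.compare_digest(frame.mic, mic(key, frame.src, frame.dst, frame.body))

def demo() -> tuple:
    gtk = os.urandom(16)                                  # one GTK for the whole BSS
    ptks = {m: os.urandom(16) for m in ("aa", "bb")}      # one PTK per client
    insider = Station("aa", ptks["aa"], gtk)
    victim = Station("bb", ptks["bb"], gtk)
    # 1) A genuine AP broadcast verifies at the victim.
    genuine = build_frame(gtk, AP, BROADCAST, b"hello all")
    # 2) The insider builds a broadcast claiming the AP as source, using the shared GTK:
    #    the victim cannot tell it from the real thing.
    forged_bcast = build_frame(insider.gtk, AP, BROADCAST, b"forged")
    # 3) A unicast forgery needs the victim's PTK, which the insider does not hold.
    forged_unicast = build_frame(insider.ptk, AP, "bb", b"forged")
    return victim.accept(genuine), victim.accept(forged_bcast), victim.accept(forged_unicast)
```

`demo()` returns `(True, True, False)`: the group key accepts the spoofed broadcast, the pairwise key rejects the spoofed unicast.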
Airtight said the only way to detect if a WLAN has been hacked using the Hole196 flaw is by monitoring traffic over the air.
Airtight’s Ahmad will demonstrate the flaw at the Black Hat Arsenal and at Defcon 18 security events in Las Vegas on 29 and 31 July respectively in a presentation entitled 'WPA Too?!'.