Last month the Wi-Fi Alliance started steps to put an end to WEP and TKIP. By January 2011 the Wi-Fi Alliance plans to disallow TKIP on access points, and disallowed its use on all WiFi devices by 2012. WEP unfortunately survives a bit longer, with the standard being banned on access points from 2013 and banned from all WiFi devices a year later. WPA2-Mixed mode which allows TKIP, will also go in 2014, leaving only WPA2-AES.
With that good news last month, bad news comes this month for the security of Wi-Fi standards.
AirTight Networks have uncovered a vulnerability that they call “Hole196” ( The 196 referring to the last line of Page 196 in the IEEE 802.11-2007 specification ), this is a vulnerability in the WPA2 security protocol that exposes WPA2-secured Wi-Fi networks to malicious insiders. With WPA2 being vastly adopted as the most robust option for many environments due to its resilience to brute force dictionary attacks, this vulnerability will effect both corporate and public networks significantly.
By exploiting the vulnerability, an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their devices for vulnerabilities, and potentially allow attackers to compromise users devices. AirTight researcher, Md. Sohail Ahmad, will be demonstrating this vulnerability at the Black Hat Arsenal (July 29th) and at DEFCON18 (July 31st) in a presentation entitled “WPA Too?!”.
The “WPA Too” presentation will demo the vulnerability and explain how it can be exploited by a malicious user to attack and compromise a legitimate user.
For the people not lucky enough to attend either security conference, AirTight will present a public Webinar on August 4 at 19:00 GMT to detail its findings.
Once the details of the vulnerability are disclosed it will be time to determine what steps and countermeasures can be used to protect wireless network infrastructure. But for now all that can really be done is to break out the VPN tunnels whenever using Wi-Fi. This can at least protect against your data being intercepted but there is still the potential for the attacker to disrupt the targets network traffic.
