ECEWIRE
Home News New Products Automotive Smart Home Smart Factory Artificial Intel Contact About

  Date: 27/08/2009

Airmagnet say Cisco's WLAN AP can be skyjacked

AirMagnet's engineers have identified security loophole in Cisco WLAN Access Points
Cisco's OTAP feature is the entry-point for intruders. The venerable Cisco's OTAP feature allow unconnected WiFi AP to listen to traffic from other nearby Cisco APs to quickly locate nearby controllers.
Airmagnet engineers have named this venerability has SkyJacking

The two elements of vulnerability are, unintentional exposure or leakage of information in all lightweight Cisco APs and a threat for APs to be incorrectly assigned to an outside Cisco controller either by accident or at the direction of a potential hacker.

Further explanation from Airmagnet goes like this:
In normal operation, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear. From these frames a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. These frames are always unencrypted regardless of the encryption scheme used in the network, and are always sent regardless of whether the OTAP feature is turned on or not. At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack. All lightweight Cisco deployments are subject to this exposure.

Unlike the vulnerability, the SkyJack exploit requires the actual OTAP feature to be enabled. With that feature enabled, a newly deployed Cisco AP will listen to the above-mentioned Multicast Data Frame to determine the address of its nearest controller. The potential exists for the Cisco AP to "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control. This same mechanism could be done intentionally by a hacker to purposely SkyJack APs and take control of an enterprise's access point.
Airmagnet website url is http://www.airmagnet.com

Home News New Products Contact About