WLANs Exposed by Hack

Written By
Carmen Nobel
Jul 26, 2004

A wireless LAN hardware company is set to publicize a RADIUS server security hack that can thwart the recently ratified 802.11i protocol and any WLAN infrastructure that keeps encryption keys housed in access points rather than on a central switch.

Aruba Wireless Networks Inc. will bring its findings to the Internet Engineering Task Force meeting in San Diego next week, said Aruba officials.

Aruba stands to benefit from the vulnerability report because it develops wireless hardware that keeps encryption centralized on the switch rather than on access points, but officials said the vulnerability is critical for IT managers who think the new protocol will keep their WLANs secure all by itself.

“We've collaborated with Microsoft [Corp.] and a bunch of other players to expose some vulnerabilities to wireless,” said Merv Andrade, chief technology officer of Aruba, in San Jose, Calif. “802.11i is only one cog in the security wheel. If you're not watching your back, you might be lulled into a false sense of security.” Microsoft officials did not respond to requests for comment.

The attack needs access to a company's internal network, to which a cracker would attach a rogue access point, perform ARP (Address Resolution Protocol) poisoning to sniff the traffic between the access point and the gateway, then send a deauthentication packet to a client. When the client reauthenticates, the access point sends a request to the RADIUS (Remote Authentication Dial-In User Service) server, which accepts the user and passes the encrypted keys to the access point. To get the RADIUS server's shared secret, a hacker can perform an offline dictionary attack on the server, using a tool such as Cain and Abel, according to Aruba officials.
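Because the last step depends on a shared secret that a dictionary can guess, one defensive check is to audit the secrets configured for each access point. The following is an added example, not code from the article, Aruba or any vendor: it assumes a FreeRADIUS-style `clients.conf`, uses a constructed sample file and a tiny constructed wordlist, and flags secrets that are shorter than the 16 octets RFC 2865 prefers, built on a dictionary word, or reused across access points.

```python
import re
from collections import Counter
MIN_LEN = 16  # RFC 2865 section 3 prefers shared secrets of at least 16 octets
# Constructed stand-in for a real wordlist; a real audit would load a large one.
WORDLIST = {"radius", "secret", "wireless", "password", "testing123"}
# Constructed sample in FreeRADIUS clients.conf style (all values made up).
SAMPLE_CONF = """
client ap-lobby {
    ipaddr = 10.0.10.11
    secret = wireless2004
}
client ap-floor2 {
    ipaddr = 10.0.10.12
    secret = wireless2004
}
client ap-lab {
    ipaddr = 10.0.10.13
    secret = q7Gm2xVbR4tLz9KpWc3YhN8d
}
"""
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)\s*$", re.M)

def parse_clients(conf):
    """Return {client_name: secret} for every client block that sets a secret."""
    out = {}
    for name, body in CLIENT_RE.findall(conf):
        m = SECRET_RE.search(body)
        if m:
            out[name] = m.group(1).strip('"')
    return out

def audit(conf, wordlist=WORDLIST, min_len=MIN_LEN):
    """Return {client_name: [findings]}; an empty list means nothing flagged."""
    clients = parse_clients(conf)
    uses = Counter(clients.values())
    report = {}
    for name, secret in clients.items():
        findings = []
        if len(secret) < min_len:
            findings.append("short")
        # Drop digits and symbols so "wireless2004" still matches "wireless".
        stem = re.sub(r"[^a-z]", "", secret.lower())
        if secret.lower() in wordlist or stem in wordlist:
            findings.append("dictionary")
        if uses[secret] > 1:  # one cracked secret then exposes every AP using it
            findings.append("reused")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` flags both access points that share `wireless2004` and leaves the one with a long random secret unflagged.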

“Centralized key management is really the right way to go to resolve a flaw with a weak protocol like RADIUS,” said Joshua Wright, deputy director of training at The SANS Institute, in Bethesda, Md., who is familiar with the attack. “Anybody who can visualize this vulnerability could quickly mount [an attack].”

Wright, who has worked as an IT manager and who oversaw the WLAN at Johnson & Wales University, in Providence, R.I., is known for the tools he developed to expose flaws in Cisco Systems Inc.'s LEAP (Lightweight Extensible Authentication Protocol) security protocol.

Other security experts said that while the attack sounds viable, the fault lies with the RADIUS server and not with the wireless protocol. “I would not call this a wireless attack but a wired-based attack that attempts to gain wireless key material,” said Bill Arbaugh, an assistant professor of computer science at the University of Maryland, in College Park.

Beyond a focus on security, Aruba is looking to increase its channel partner strategy. Hewlett-Packard Co., of Palo Alto, Calif., is reselling the entire Aruba product line in North America and eventually will do the same globally, Aruba officials said. HP also provides consulting services and systems integration for Aruba products.

Meanwhile, Aruba competitor Airespace Inc. is working with channel partners as well, focusing on location technology and taking advantage of the RFID (radio-frequency identification) tagging trend. Sources close to the San Jose, Calif., company said Airespace is working on a worldwide partnership with IBM. Airespace will have a dedicated engineer at the Armonk, N.Y., company, and IBM will integrate Airespace technology into some of its products, sources said.
