Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

What Do We Do Now That All Wireless Security Protocols Are Busted?

Just like that, the last bastion of wireless security went in the toilet. By now, anyone in the wireless game has likely heard about the Hole 196 attack that renders WPA2--depending on your tolerance for the parameters of the exploit--useless. Sure, the Advanced Encryption Standard (AES) used in WPA2 is still sound enough to have the confidence of the US government for its beefiest encryption needs, but WPA2 itself now has a black eye. A big one.

AirTight Networks discovered the flaw and is shopping it around pretty much everywhere. It's hard to find an IT trade rag or blog that hasn't mentioned Hole 196, and it's getting play at the Black Hat and DEFCON conferences. But after the initial buzz subsides, my fellow WLAN administrators and I will continue to ponder the question "now what?" Given that the attack is not tremendously sophisticated and requires only an authorized network user to play simple games with spoofed packets and the shared group key component of WPA2, thinking that "it's such a difficult attack, we really don't have to worry about it" don't pass muster. Especially on PCI-DSS and other highly scrutinized networks that protect high-value targets. WPA2 is supposed to be like a magic forcefield that keeps everything we ever need to protect in the WLAN space safe. Now, we have a pretty big problem. It's sorta like going to your bank and seeing the key to the vault hanging behind the counter with a sign next to it that says "please do not touch."

My first thought after reading about Hole 196 was that perhaps VPN is the answer to WPA2's new dirty laundry. Back in the day, WEP was the laughingstock of the wireless world, and 802.11i and WPA/WPA2 were still on the drawing board. VPN was a pretty effective solution, but could be tough to implement, and it required distributing client code to all users and then getting it set up properly. Then there were roaming issues, integration questions depending on what your central credential store was, and the fact that not all VPN vendors supported all operating systems. At least some of those sticking points are still relevant, and so perhaps VPN for the WLAN is not the answer, or not the complete answer.

Enterprise WPA1 has long since been broken. Pre-share versions of WPA1 and WPA2 do not scale and also have been exploited. MAC address filtering in big networks can be daunting and cracking MAC filters is one of the first tricks taught in wireless security classes. VPN is an iffy fit, and proprietary solutions like AirFortress might work well for certain government and military applications, but are impractical and prohibitively expensive for the typical wireless network. Thankfully, increasingly more applications are secure, so even if the WPA2 outer candy shell is cracked, the bad guy still can't get to the good stuff in the middle. However, just as many applications are not secure, so application security itself isn't the answer either.

The truth is that there is no answer at this point. I have yet to get a read on what the PCI and other finance types, HIPPA, and other high-visibility WLAN users are going to do in response to AirTight's findings. How will Aruba, Cisco, Meraki and the rest of the WLAN solutions market respond? WPA2 made us all feel good about using wireless for the most sensitive of data, and there certainly is no going back to the wire at this point. We're in a collective pickle right now--all of us---and how to fix it is not clear.

  • 1