An even more dangerous scenario could involve outright remote “skyjacking” of the controls to the corporate network, said James Quin, senior research analyst for Info-Tech Research Group in London, Ont.
He said if companies determine their networks are using Cisco wireless APs, they should take immediate action to avoid falling victim to an attack.
Affected access points
“It looks like this is a design flaw in products Cisco acquired when it purchased Airespace in 2005,” said Quin. He said the problem probably stems from recently activated APs.
Cisco said the vulnerability affects Cisco Lightweight Access Point 1100 and 1200 series.
But the vulnerability is not critical, said Cisco.
Any clients attempting to register to the AP will be unable to access network resources, but the AP is still unable to authenticate wireless clients. There is no risk of data loss or interception, the company said.
“Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose,” the Cisco statement said.
Access points broadcast information about network controllers they communicate with. A newly activated AP listens to such broadcasts by other APs and determines which controller to connect to.
However, the information sent out by existing APs is not encrypted and can easily be intercepted or “sniffed” by hackers using free sniffing tools such as NetStumbler.
“With this intercepted information, a hacker can target a controller and launch a DoS attack by flooding it with a barrage of information,” Quin noted.
He said the impact to a business would be anything from annoyance to severely limited wireless network functionality.
The skyjacking scenario would be a more serious threat, the analyst said.
An attacker can potentially grab control of a new AP and command it to connect to a controller outside the company, thereby creating a backdoor to the corporate network.
“This could allow remote attackers free access to the corporate network, by bypassing the business’ security control,” the analyst said.
“Anyone using these particular Cisco wireless APs could be vulnerable,” cautioned Quin. “As we saw with the TJX breach, an improperly secured Wi-Fi network can be a serious problem,” Quin said.
The vulnerability in the wireless APs was first reported Tuesday by AirMagnet Inc., a wireless network security company based in Sunnyvale, Calif.
AirMagnet discovered the issue when a customer asked for help after getting repeated alarms about unencrypted broadcast traffic on its wireless network.
All of that traffic should have been encrypted and the company was preparing for a stringent audit, said Wade Williamson, director of product management at AirMagnet.
How to prevent an attack
If a network is using the flawed APs, administrators need to turn off the automatic provisioning feature that allows the APs to automatically connect to the closest controller, advised Quin of Info-Tech.
“This will immediately eliminate the skyjacking issue,” Quin said.
Careful placement of the controllers and APs throughout the building so broadcast ranges do not significantly exceed the building area can minimize the possibility of a DoS attack, he said.
“Beyond this, the best users can do is pay attention to updates and patches from Cisco.”
Cisco rates the vulnerability as unlikely to be used. It notes that to exploit the hole, an attacker would have to be able to deploy a Cisco controller within radio range of a newly installed AP.
Companies can avoid skyjacking by configuring their access points with a preferred controller list, Cisco said. That bypasses the over-the-air provisioning process that could result in an AP connecting to an outside controller.
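The two mitigations described above (turning off over-the-air provisioning and pinning each AP to a preferred controller list) map to a short controller-side configuration. The session below is an added illustration written for this article, not taken from Cisco's advisory; it assumes the AireOS-style CLI of the Cisco wireless LAN controllers of that period, and the controller name, AP name and IP address are placeholders.

```text
# Annotated controller CLI session (added example; lines starting with # are
# commentary, not commands). Placeholders: WLC-HQ-1 (controller name),
# AP-LOBBY-01 (AP name), 10.0.20.5 (controller management IP).

# 1. Check the weak state: over-the-air provisioning (OTAP) enabled means a
#    freshly powered AP will learn controllers from neighbouring APs' broadcasts
#    and may join whichever one it hears, including one outside the company.
(Cisco Controller) >show network summary
#    ... look for the line "Over The Air Provisioning of AP" and whether it
#    reads Enable or Disable.

# 2. Hardening step A: disable OTAP so APs no longer take controller hints
#    from unencrypted over-the-air broadcasts.
(Cisco Controller) >config network otap-mode disable

# 3. Hardening step B: give each AP an explicit preferred controller list
#    (primary, optionally secondary/tertiary). An AP with this list skips the
#    over-the-air discovery that could point it at an outside controller.
(Cisco Controller) >config ap primary-base WLC-HQ-1 AP-LOBBY-01 10.0.20.5
#    Repeat for every AP; a secondary can be set with
#    config ap secondary-base <controller-name> <AP-name> [<ip>]

# 4. Verify per AP that the preferred controller is recorded.
(Cisco Controller) >show ap config general AP-LOBBY-01
#    ... confirm the Primary Cisco Switch Name / IP fields show WLC-HQ-1 and
#    10.0.20.5 rather than being empty.

# 5. Re-check the global setting.
(Cisco Controller) >show network summary
#    ... "Over The Air Provisioning of AP" should now read Disable.
```

Exact command spelling and output labels vary between controller software releases, so confirm against the command reference for the release in use before applying this in production.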
Cisco said that even if an AP did connect to an unauthorized controller, workers would then be unable to connect to that AP. That would prevent a hacker from intercepting their communication.
But Williamson of AirMagnet said a breach could even happen accidentally.
The Cisco AP might hear broadcasts from a legitimate neighboring network and mistakenly connect to that network, he said. Or a hacker could create that same scenario intentionally in order to take control of the AP, he said.
A hacker on the outside with control of that AP could see all the traffic connecting over that AP, and would also be able to access the affected company’s entire network, Williamson said.
With files from Nancy Gohring