The last sentence on page 196 of the 802.11 spec creates a furor.
Wi-Fi has a long history of security vulnerabilities and resulting fixes. WEP, TKIP, WPA, and the current standard of WPA2 have brought the technology closer to being secure. Indeed, the pervasiveness of Wi-Fi has changed everything—from how we design computer networks, to where we enjoy our coffee breaks, to how we buy and read our books. Travel in any foreign land, and the first question you'll find yourself asking the natives is "Where is the nearest Wi-Fi?"
But a WPA2 flaw discovered last summer—called Hole196—has many network security specialists scratching their heads. What is it? Should we be concerned? How can it be plugged?
Unfortunately, not even the IEEE, which created the specification for 802.11 Wi-Fi, has a clear idea.
Wi-Fi Security History
Most of us know that Wi-Fi is based upon the IEEE specification called 802.11. That spec defines the radio frequencies used by Wi-Fi, the functional requirements of the electrical circuitry, and the protocols that enable devices to communicate without connecting cables. Many of us will remember the snafus associated with the original Wired Equivalent Privacy (WEP) security scheme: a scheme so easy to break that it threatened the acceptance of Wi-Fi by businesses and consumers.
Wi-Fi has come a long way since those early days. Wi-Fi security was strengthened from WEP—through firmware upgrades of routers—to WPA. WPA, which stands for Wi-Fi Protected Access, provided a new link-layer security level called Temporal Key Integrity Protocol (TKIP). It also optionally provided the data encryption algorithm called Advanced Encryption Standard (AES), used by the U.S. Government. In addition, WPA came with two protocol mechanisms for authentication of devices: WPA Personal, which permits a pre-shared network key, and WPA Enterprise, which requires the use of a separate server to assign and manage network keys associated with a device's MAC address.
WPA also made available other authentication extensions implemented by different vendors, such as Extensible Authentication Protocol (EAP), Lightweight Extensible Authentication Protocol (LEAP), and Protected Extensible Authentication Protocol (PEAP). And though EAP, LEAP, and PEAP are acronyms that sound like characters in a Tolkien novel, all of the security elements of WPA significantly strengthened Wi-Fi's acceptance in the business community. Consequently, as these technologies were accepted and implemented, they were incorporated into newer versions of Wi-Fi hardware.
It was through this evolutionary process that WPA became the basis of a second version called Wi-Fi Protected Access version 2 (WPA2) in 2007. WPA2 is the standard we use today. It resides in the hardware and firmware of the Wi-Fi routers that are sold throughout the world.
Network Authentication and Encryption
So what is Hole196? How does it make WAP2 vulnerable? To understand the complexities, you must remember that there are two separate processes in the 802.11 spec: authentication and encryption.
Authentication is the process of letting a device attach to the Wi-Fi network, based upon the authentication protocol that has been implemented. For instance, if a Wi-Fi router is using WAP Personal, the connecting Wi-Fi device must provide a key to gain access to the network. This key, which can be pre-shared, authenticates the wireless device and permits it to receive and transmit packets of information.
Authentication also enables the device to gain access to the AES encryption services of the network. Each authenticated device receives a set of encryption keys so that it may understand the network data that it receives. One key, which is unique to each device, is called the Pairwise Transient Key (PTK) and is used to encrypt unicast (one-way) traffic communication. The other key is called a Group Temporal Key (GTK) and is used to protect broadcast data sent from the Access Point (AP) to multiple devices in the network.
What Is Hole196?
The vulnerability of Hole196 in WPA2 was identified last July by Md Sohail Ahmad at AirTight Networks, buried on the last line of page 196 of the 1,232-page IEEE 802.11 Standard. That's how it obtained the moniker Hole196. In essence, the vulnerability exposed by Hole196 looks like this:
The Pairwise Transient Key (PTK) of the WPA2 protocol can detect address spoofing and data forgery. But the Group Temporal Key (GTK) doesn't have that capability. In the standard behavior, only an Access Point (AP) is supposed to transmit group-addressed data traffic encrypted using the GTK, and each connected device is supposed to decrypt that traffic using the GTK. However, nothing in the standard would theoretically prevent a malicious authorized device from injecting spoofed GTK-encrypted packets!
In short, by exploiting this vulnerability, an insider (authorized user) could theoretically sniff and decrypt data from other authorized users, as well as scan their Wi-Fi devices for added vulnerabilities, install malware, and possibly compromise those devices.
How Hole196 Could Be Exploited
So, how would this vulnerability be exploited? In theory:
- A Wi-Fi device obtains access to the Wi-Fi network through the defined authentication processes—AES Personal, AES Enterprise, EAP, LEAP, PEAP, or some other sanctioned authentication.
- Once on the Wi-Fi network, the device receives the GTK and could then poison the MAC address of the node's Access Point, while pretending to be—or spoofing—the Access Point itself. This kind of disruption is called Address Resolution Protocol (ARP) poisoning.
- The other devices on the network would not be able to detect the spoof, so they would then send their PTKs to the spoofing address—the exploiting Wi-Fi device.
- The spoofed device could then communicate with all other devices on the node, while inserting malicious code in the data stream destined for those devices.
- Or the exploit could theoretically use the PTK to attempt to decrypt the data that the other devices are receiving from the host.
- Or the exploit could start a Denial of Service (DoS) attack, preventing any other device from accessing the host system.
This kind of exploit is known on wired networks as a man-in-the-middle exploit. And though wired networks have developed mechanisms to detect man-in-the-middle attacks and prevent the spoof, Wi-Fi networks have some limitations. Consequently, AirTight Networks makes two cogent points:
- There are no anti-spoofing mechanisms established for authenticated devices in the native WAP2 protocol.
- The entire exploit would be untraceable because it transpires in the air, beyond the reach of the network mechanisms themselves, in the Wi-Fi radio spectrum.
In essence, as soon as the network is interrupted or shut down to be investigated by network administrators, the exploit would disappear from view, while the malware injected in the data stream itself would have theoretically already reached its targets in other Wi-Fi devices.
AirTight Networks has said that a Hole196 exploit can be written within 10 lines of code, inserted into the protocol stack of a Wi-Fi device, and then activated at random without detection by a wired Intrusion Detection/Intrusion Protection System (IDS/IPS).
How Bad Is Hole196?
AirTight Networks demonstrated a Hole196 exploit at DEF CON 18 hacker's convention last July, and that demonstration created a lot controversy. Some network security analysts pooh-poohed the exploit for two reasons:
- Hole196 doesn't break authentication processes at all, meaning that the exploit would have to be initiated by someone who already has legitimate access to the Wi-Fi network.
- Hole196 doesn't crack the encryption protocol of AES itself, but merely steals the PTK of another user to attempt to gain access to the data.
These critics say that AirTight Networks was merely using Hole196 as a publicity stunt for DEF CON.
But some other analysts are a little less cavalier about Hole196 and have countered that the great majority of network spying incidents are actually the results of internal security breaches within the organization itself. These breaches are conducted by individuals who already have network credentials. If the vulnerability does truly exist, they say, it represents a threat that should be addressed.
But how? Engineers point out that WPA2 is really just an extension of WPA version 1. Likewise, the protocol mechanisms in WPA2 did not change much from WPA; only the hardware requirements and the priorities and preeminence of the AES encryption protocol changed.
Most importantly, according to these engineers, Hole196 doesn't point to a patchable area of the 802.11 specification, but represents a threat to the entire engineered 802.11 architecture. To patch Hole196, the 802.11 spec itself would have to be rewritten. If 802.11 is rewritten, the entire hardware infrastructure of Wi-Fi itself would have to be replaced, representing millions—if not billions—of lost infrastructure dollars.
No wonder Hole196 is so controversial.
Mitigating Hole196 Vulnerabilities
At this writing, there have been no reported exploits identified from the potential vulnerability claimed by Hole196. (But then, with an untraceable exploit, how could anyone say for certain?) Nonetheless, some network administrators have begun examining ways to mitigate the potential. What follows are several precautions that network administrators could institute on their Wi-Fi networks:
- Segregate access with VLANs and virtual SSIDs: Put departments and groups on different virtual networks to help isolate a potential attack to only the originating virtual network.
- Enable client isolation: Some Access Point (AP) vendors include a proprietary feature on their APs and controllers that prevents user-to-user communication across Wi-Fi. Implementing client isolation (under various proprietary names) can help protect users from part of the Hole196 vulnerability.
- Use VPN connections: With the implementation of Virtual Private Networking (VPN), each user's traffic must pass through a VPN server. Thus, if someone successfully eavesdrops on another user, the culprit will just see a bunch of gibberish.
- Update AP firmware: AP vendors may yet figure out a means to plug the Hole196 vulnerability via an AP firmware update, so make certain you keep your APs and other network components up-to-date.
- Update your wireless IDS/IPS: Some wireless Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) do have a means to detect and alert you to some of these kinds of man-in-the-middle attacks. Over the next months, some of these solutions will likely be updated to detect exploits created by the Hole196 vulnerability, so make sure you keep these systems updated. If you don't already have a wireless IDS/IPS in place, consider it now.
Should You Be Concerned About Hole196?
Wi-Fi networks obviously abound throughout the world, and the technology has become one of the basic pieces of our communication infrastructure. Wi-Fi security fixes have transformed the niche Wi-Fi technology into a communication mainstay. We all use it—in our homes, in our airports, and in our public places. Many of our businesses rely upon it. The Hole196 vulnerability isn't going to change the preeminence of Wi-Fi: it will only help propel the evolution of its security technology.
Yet the tale of the Hole196 vulnerability should also be a reminder to us that all of our engineered technologies are imperfect and transient. Hole196 is a vulnerability that seems to have been created by a kind of neglect. It is a vulnerability that existed in a specification that stretches back to the roots of the IEEE 802.11 specification and was carried forward unnoticed until it was uncovered this past summer.
The Hole196 vulnerability is as arcane as any vulnerability can get: PTKs can detect address spoofing and data forgery; "GTKs do not have this property." That statement, found on page 196 of 1,232-page IEEE 802.11 standard, is the crux of the issue.
Should we take it seriously? Understanding it may be a measure of our skills as network administrators. Mitigating the threat is obviously something we should consider. Finding a remedy is certainly something that our Wi-Fi vendors are exploring. But actually fixing it?
There are probably a thousand other security issues that are more pressing and a million other threats that could potentially be more devastating. Yet Hole196 does in fact exist. And whether or not we fall into it, or how we treat other new vulnerabilities that we discover along the way, could be one of the defining factors of the future of Wi-Fi technology.