AirMagnet warns of wireless vulnerability in Cisco's over-the-air-provisioning feature in its wireless access points
The AirMagnet intrusion research team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure.
Full details will be demonstrated by AirMagnet during its four-city ‘Top 10 WLAN Vulnerabilities’ seminar series in September, but AirMagnet stated that the vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points (APs).
The potential exploit, which AirMagnet has dubbed ‘SkyJack’, creates a situation in which control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN.
In normal operation, a Cisco AP generates an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear. From these frames, a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller and a variety of AP configuration options.
These frames are always unencrypted regardless of the encryption scheme used in the network, and are always sent regardless of whether the OTAP feature is turned on or not. At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack.
AirMagnet claimed that all lightweight Cisco deployments are subject to this exposure. However, unlike the vulnerability, the SkyJack exploit requires the OTAP feature itself to be enabled, because with that feature enabled a newly deployed Cisco AP listens to the multicast data frames to determine the address of its nearest controller.
The potential exists for a Cisco AP to ‘hear’ multicast traffic from a neighbouring network and incorrectly connect to a neighbour's or otherwise unapproved Cisco controller. This could ultimately lead to an enterprise's access point connecting to a controller outside the company, and therefore coming under outside control. The same mechanism could be used intentionally by a hacker to SkyJack APs on purpose and take control of an enterprise's access points.
AirMagnet said it has informed Cisco of this vulnerability and potential exploit, and claimed that appropriate actions are being taken. It recommended that Cisco customers be advised not to run the OTAP feature, as it could actively put new sensors in danger of being SkyJacked.
AirMagnet also recommended that customers deploy a dedicated, independent IDS system, such as AirMagnet Enterprise, which is capable of detecting wireless snooping with hacking tools and alerting staff to a potential impending exploit.
Furthermore, networking professionals should use such a monitoring system to validate that all corporate APs detected over the air are actually represented at the WLAN controller, as any corporate AP that is not associated with a controller could be a serious security risk.
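The validation step described above, reconciling APs heard over the air against the controller's inventory, as an added defender-side example (not AirMagnet's or Cisco's code). It assumes a monitoring system has already decoded each AP's unencrypted multicast frame into the AP MAC, controller MAC and controller IP it announces; all addresses are constructed and hypothetical. It also flags a registered AP that announces a controller other than the enterprise's own, which is the condition a SkyJacked AP would present.

```python
from typing import Dict, List, Set

# Constructed sample inventory, as exported from the enterprise WLAN controller.
# Every MAC and IP address below is hypothetical.
KNOWN_CONTROLLERS: Dict[str, str] = {"00:1b:2c:3d:4e:01": "10.10.0.5"}
REGISTERED_APS: Set[str] = {"00:1b:2c:aa:00:01", "00:1b:2c:aa:00:02", "00:1b:2c:aa:00:03"}

# Constructed over-the-air observations. A wireless IDS is assumed to have
# already extracted these fields from each AP's unencrypted multicast frame.
OBSERVED = [
    {"ap_mac": "00:1B:2C:AA:00:01", "controller_mac": "00:1b:2c:3d:4e:01", "controller_ip": "10.10.0.5"},
    {"ap_mac": "00:1b:2c:aa:00:02", "controller_mac": "00:1b:2c:3d:4e:99", "controller_ip": "192.168.77.1"},
    {"ap_mac": "00:1b:2c:aa:00:04", "controller_mac": "00:1b:2c:3d:4e:01", "controller_ip": "10.10.0.5"},
]


def audit_aps(observed, registered_aps, known_controllers) -> List[Dict[str, str]]:
    """Return one finding per AP that is either unknown to the corporate
    controller or is announcing a controller that is not one of ours."""
    findings: List[Dict[str, str]] = []
    registered = {mac.lower() for mac in registered_aps}            # normalise MAC case
    controllers = {mac.lower(): ip for mac, ip in known_controllers.items()}
    for obs in observed:
        ap = obs["ap_mac"].lower()
        ctl_mac = obs["controller_mac"].lower()
        ctl_ip = obs["controller_ip"]
        # AP heard on the air but absent from the controller's inventory.
        if ap not in registered:
            findings.append({"ap": ap, "issue": "heard over the air but not registered at a corporate controller"})
        # AP announces a controller MAC/IP pair that is not an enterprise controller.
        if controllers.get(ctl_mac) != ctl_ip:
            findings.append({"ap": ap, "issue": f"announces non-corporate controller {ctl_mac} ({ctl_ip})"})
    return findings


if __name__ == "__main__":
    for finding in audit_aps(OBSERVED, REGISTERED_APS, KNOWN_CONTROLLERS):
        print(f"{finding['ap']}: {finding['issue']}")
```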