Reflections on “hole196”

Last week at BlackHat, AirTight Networks security analyst Md Sohail Ahmad presented his findings on a vulnerability dubbed "hole196". Affecting WPA/WPA2 Enterprise networks, this issue allows an authenticated user to manipulate other clients on the network to establish ARP spoofing attacks, to impersonate data frames from the AP or to create a DoS attack against other users. All of this works by leveraging a key shared among all of the authorized clients in a wireless LAN, known as the Group Temporal Key (GTK). The "hole196" name refers to page 196 of the IEEE 802.11-2007 specification, which indicates that the GTK does not prevent packet forgery attacks (from an insider).

The BlackHat presentation slides were distributed on the BlackHat conference CD, and since the slides lack any kind of a copyright notice, I think it's OK for me to mirror them here.

Initially, this flaw had some people concerned, since an early article published by Network World and Joanie Wexler indicated:

Clients who receive the message see the client as the gateway and "respond with PTKs", which are private and which the insider can decrypt, Ahmad explains.

If this attack could get a client to reveal their PTK, even requiring that the attack start from an insider perspective, then I'd be coding up an exploit tool instead of writing this post. This, however, appears to be a misquote by Wexler, or a misunderstanding by Ahmad. No-one has clarified this quote as far as I have seen.

The truth behind this issue is that, well, it's a non-issue for most organizations. Instead of mounting a conventional ARP spoofing attack to implement a man-in-the-middle (which a wired IDS could detect), an insider can mount the same attack with this technique inside the encrypted wireless network, evading network IDS detection. The best way to detect this attack is through a wireless IDS, of which AirTight is a leading vendor ("Yay, Capitalism!").
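One heuristic a wireless sensor could apply to the forged GTK traffic described above, as an added example that is not from the original post or from AirTight: two transmitters sharing one GTK under the same BSSID cannot keep a single monotonic packet number, so the sensor watches group-addressed frames for a counter that goes backwards. It assumes CCMP (not TKIP) and raw 802.11 frames without a radiotap header; the function names, addresses and sample frames are constructed for illustration.

```python
import struct

def parse_group_frame(frame: bytes):
    """Return (bssid, key_id, pn) for a protected, group-addressed FromDS data frame, else None."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds, protected = (fc >> 8) & 1, (fc >> 9) & 1, (fc >> 14) & 1
    if ftype != 2 or to_ds or not from_ds or not protected:
        return None
    addr1, bssid = frame[4:10], frame[10:16]
    if not addr1[0] & 0x01:                   # unicast receiver: PTK traffic, not GTK
        return None
    off = 24 + (2 if subtype & 0x8 else 0)    # QoS data adds a 2-byte QoS Control field
    hdr = frame[off:off + 8]                  # CCMP header (assumption: CCMP, not TKIP)
    if len(hdr) < 8 or not hdr[3] & 0x20:     # ExtIV bit must be set
        return None
    # CCMP header layout: PN0 PN1 rsvd keyid PN2 PN3 PN4 PN5 (PN5 most significant)
    pn = int.from_bytes(bytes([hdr[7], hdr[6], hdr[5], hdr[4], hdr[1], hdr[0]]), "big")
    return bssid.hex(":"), hdr[3] >> 6, pn

def find_pn_regressions(frames):
    """Flag group frames whose PN is not above the highest PN already seen for
    the same (BSSID, key ID). A GTK rekey that reuses a key ID also trips this."""
    highest, alerts = {}, []
    for idx, frame in enumerate(frames):
        parsed = parse_group_frame(frame)
        if parsed is None:
            continue
        bssid, key_id, pn = parsed
        prev = highest.get((bssid, key_id))
        if prev is not None and pn <= prev:
            alerts.append((idx, bssid, key_id, prev, pn))
        else:
            highest[(bssid, key_id)] = pn
    return alerts

def build_frame(dst, bssid, src, pn, key_id=1):
    """Constructed sample frame: 802.11 header + CCMP header + dummy ciphertext."""
    hdr = struct.pack("<HH", 0x4208, 0) + dst + bssid + src + struct.pack("<H", 0)
    ccmp = bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0, 0x20 | (key_id << 6)])
    return hdr + ccmp + (pn >> 16).to_bytes(4, "little") + b"\x00" * 16

# Constructed addresses and capture (not real traffic)
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE = [build_frame(BCAST, AP, AP, 100), build_frame(BCAST, AP, AP, 101),
          build_frame(STA, AP, AP, 7),        # unicast frame, ignored by the check
          build_frame(BCAST, AP, AP, 9000),   # second counter under the same BSSID
          build_frame(BCAST, AP, AP, 102)]    # original counter now appears to regress
print(find_pn_regressions(SAMPLE))
```

Each alert tuple is (frame index, BSSID, key ID, highest PN seen so far, offending PN); an alert means two counters are in use, not which frame was forged.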

When significant wireless attacks emerge, I call my customers to remind them that I do get let out of my cave every now and then, and to help them understand their exposure to the attack. I don't believe "hole196" falls into the category of significant wireless attack, so it's back to the cave I go.

For a 2nd perspective, and an excellent technical write-up, please see Glenn Fleishman's article over at Ars Technica. In the meantime, contact me with any questions/concerns/comments.


August 3, 2010   Posted in: 802.11, Uncategorized

2 Responses

  1. mdsohailahmad - August 3, 2010

    Hi Josh,

    A clarification was posted by us on July 26.

    By Anon (not verified) on Mon, 07/26/2010 – 9:34pm.
    “I think the phrase “respond with PTKs” needs some clarification. When clients receive the spoofed (GTK-encrypted) packets from the insider, they will send all their data traffic encrypted using their own private keys or PTKs to the AP with the insider’s MAC address as the destination (gateway). The AP forwards all the data traffic to the insider, but now encrypting the traffic in the insider’s PTK. As a result, the insider is able to decrypt all data traffic from other authorized users in the network. So the attacker won’t need anyone else’s PTK to decrypt their traffic.”

    An FAQ on “Hole196” was posted on Aug 01, 2010 (Two days back) at

    Hope this helps everyone who takes insider attack seriously.


  2. Joshua Wright - August 3, 2010

    I think this is a very telling line from the AirTight Networks FAQ on “hole196”:

    “The subtle point (that many people seem to miss) about exploiting the GTK in WPA2 for launching an ARP Spoofing attack is that the footprint of the attack is only in the air and the payload is encrypted. So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs will see anything abnormal.”

    The significant risk through hole196 is that an attacker could evade wired IDS systems and mount an ARP spoofing attack by manipulating the wireless network itself. I find that interesting, but it does not represent a significant increase in exposure compared to what most organizations have on their LAN today.

    Thanks to Sohail for the additional reference and clarification on the Network World quote.

