Secure Your Network (and Clients) Against Hole 196

Monday Aug 23rd 2010 by Eric Geier

The "Hole 196" vulnerability affects Wi-Fi networks of all sorts, including those using robust Enterprise encryption. Here's how to protect your WLAN and keep your mobile fleet safe.

In the last month, there has been much publicity over a "new" vulnerability in WPA/WPA2 encryption (unofficially named "Hole 196") that was brought to attention by AirTight Networks. Here I'll briefly describe the weakness, then share tips on how to protect yourself from attacks that use it, whether on your own network or when using public networks.

I put the word "new" in quotes because this isn't technically a fresh vulnerability. The name "Hole 196" was coined because the vulnerability is hinted at on the last line of page 196 of the revised IEEE 802.11-2007 specification, the standard all Wi-Fi products are based on. AirTight Networks has merely brought the issue to light.

Understanding the Hole 196 vulnerability

First, it's important to understand that attacks using this vulnerability must be performed from within the network. The culprit must already have network credentials and be successfully connected. Attacks can't be made against a corporate network by Joe Hacker in the parking lot, unless Joe somehow got the login information for the network. Attacks are more likely to come from a rogue employee or other insider.

The Hole 196 vulnerability applies to both the Enterprise (802.1X) and Personal (PSK) modes of Wi-Fi Protected Access; however, it's more significant for wireless networks using the Enterprise mode.

Another important note -- others refer to this as a WPA2 weakness, but it actually applies to both versions: WPA (TKIP) and WPA2 (AES).

To understand the vulnerability, you must realize one of the benefits of using the Enterprise mode of WPA/WPA2: Each user or connection receives its own encryption key. Thus, users can't decrypt the traffic of other users -- or so we thought. When using Personal mode, users connect with a single encryption key, thus they can by default read each other's traffic.

The Hole 196 vulnerability lets users on a network protected with the Enterprise mode decrypt packets from other users. It's not truly cracking the encryption. It's a man-in-the-middle attack using the ARP cache-poisoning technique, as we've seen on wired networks. The underlying issue is with the 802.11 protocol itself.

Keep in mind that this vulnerability also applies to public networks that secure their Wi-Fi hotspots with Enterprise encryption and 802.1X authentication. A hotspot user might snoop on unsuspecting users who thought their traffic was protected.

The bottom line is that an authorized user can capture the decrypted traffic of other users, send potentially harmful traffic (such as malware) to them disguised as one of the network's access points (APs), and/or perform denial-of-service attacks.
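Because the article describes the attack as ARP cache poisoning carried out by an already-connected insider, the practical defensive question is how to notice it. The following is an added example, not code from the article or from AirTight Networks: a small monitor that reads ARP replies (assumed to have been exported from a wireless IDS or capture tool into plain dicts; the records and MAC addresses below are constructed) and flags the three signs a defender would look for: a trusted address such as the gateway/AP being claimed by a different MAC, any IP whose MAC changes between replies, and one MAC claiming several IPs.

```python
"""Detect ARP cache-poisoning attempts from a stream of ARP reply records.

Added example, not part of the original article. It assumes ARP replies have
already been captured into dicts with "sender_ip" and "sender_mac" keys;
every address below is a constructed sample value.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical trusted bindings a defender would pre-register for critical
# hosts (here the gateway/AP). Constructed values.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",  # gateway (constructed)
}

# Constructed sample ARP replies, oldest first.
SAMPLE_ARP_REPLIES = [
    {"sender_ip": "10.0.0.1", "sender_mac": "00:11:22:33:44:01"},
    {"sender_ip": "10.0.0.23", "sender_mac": "00:11:22:33:44:23"},
    # gateway IP suddenly claimed by another station
    {"sender_ip": "10.0.0.1", "sender_mac": "00:11:22:33:44:99"},
    {"sender_ip": "10.0.0.23", "sender_mac": "00:11:22:33:44:23"},
    # the same station now also claims a second IP
    {"sender_ip": "10.0.0.42", "sender_mac": "00:11:22:33:44:99"},
]


@dataclass
class ArpMonitor:
    """Stateful checker: remembers the last MAC seen for each IP and the set
    of IPs each MAC has claimed, then raises alerts on suspicious changes."""
    trusted: dict
    seen: dict = field(default_factory=dict)  # ip -> last MAC observed
    ips_per_mac: defaultdict = field(default_factory=lambda: defaultdict(set))

    def check(self, reply):
        ip, mac = reply["sender_ip"], reply["sender_mac"].lower()
        alerts = []
        # 1. A trusted IP (gateway/AP) claimed by a MAC other than the registered one.
        if ip in self.trusted and mac != self.trusted[ip]:
            alerts.append(
                f"TRUSTED_BINDING_VIOLATION {ip} claimed by {mac}, "
                f"expected {self.trusted[ip]}"
            )
        # 2. Any IP whose MAC differs from the one last observed for it.
        if ip in self.seen and self.seen[ip] != mac:
            alerts.append(f"BINDING_CHANGE {ip}: {self.seen[ip]} -> {mac}")
        self.seen[ip] = mac
        # 3. One MAC answering for several IPs, typical of a poisoning station.
        self.ips_per_mac[mac].add(ip)
        if len(self.ips_per_mac[mac]) > 1:
            alerts.append(f"MULTI_IP_MAC {mac} claims {sorted(self.ips_per_mac[mac])}")
        return alerts


def scan(replies, trusted=TRUSTED_BINDINGS):
    """Run every reply through the monitor; return (reply index, alert) pairs."""
    monitor = ArpMonitor(trusted={ip: m.lower() for ip, m in trusted.items()})
    findings = []
    for idx, reply in enumerate(replies):
        for alert in monitor.check(reply):
            findings.append((idx, alert))
    return findings


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_ARP_REPLIES):
        print(f"reply #{idx}: {alert}")
```

On the constructed sample this reports a trusted-binding violation and a binding change at reply #2 and a multi-IP alert at reply #4. Expect some false positives on a real WLAN: DHCP can legitimately hand an address to a new device, so the binding-change rule is a prompt to investigate, while the trusted-binding rule for the gateway is the one worth paging on.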

Protecting your network from the vulnerability

While we wait for vendors and standards to patch this security hole, here are a few things you can do to help mitigate the vulnerability on your private network:

In the near future, you should:

Protecting yourself from the vulnerability on public networks

As briefly mentioned, the Hole 196 vulnerability also applies to secure public networks or Wi-Fi hotspots that use WPA/WPA2-Enterprise with 802.1X authentication. Since anyone can pay to connect, this might be where we see the most attacks of this kind. As on a private network, a hacker might be able to capture your decrypted network/Internet traffic and possibly send you harmful traffic.

However, protecting your traffic isn't difficult. Tunnel into a VPN server and your real traffic can't be captured. If you don't have a VPN server at home or work, consider a commercial or free hosted service.

This isn't the only vulnerability

Remember, this is just one of many vulnerabilities of using wireless networks. I'll leave you with a couple more tips to keep you and your network safe:

Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.

Copyright 2018 © QuinStreet Inc. All Rights Reserved