Researcher discovers WPA2 security vulnerability

The wireless intrusion prevention provider AirTight Networks publicized the WPA2 vulnerability late last week and plans to demonstrate the concept at the upcoming Black Hat and DEF CON conferences this week in Las Vegas.

AirTight’s Md Sohail Ahmad discovered the WPA2 vulnerability. The company said it is located on the last line of page 196 of the IEEE 802.11 Revised Standard, which prompted the firm to dub it ‘Hole 196’.

Ajay Gupta, writing in his blog for Infosecurity, said that until now, WPA2 security (AES encryption with 802.1X authentication) was thought to be one of the most secure WiFi security deployments, owing to the strength of WPA2 against brute-force dictionary attacks. The tech lead of engineering for AirTight added that although WPA2 is immune to the TKIP vulnerability affecting WPA configurations, both are susceptible to Hole 196.

“Exploiting the 'Hole 196' vulnerability is simple and easy”, Gupta wrote. “Hence, the vulnerability can lead to practical insider attacks (launched by disgruntled employees or Cyberspies) when compared with the WPA TKIP vulnerability, which was largely of theoretical interest and difficult to exploit for launching any practical attacks.”

According to Ahmad, the Hole 196 vulnerability “allows authorized users to bypass private key encryption and authentication”, making networks particularly vulnerable to insider threats. The WPA2 exploit, AirTight Networks claimed, can be implemented with current open-source software and can only be detected by monitoring over-the-air network traffic.

“Unlike the TJX breach where data was stolen over unsecured WiFi, this finding is concerning because organizations are relying on WPA2 for its strong encryption and authentication”, said Pravin Bhagwat, CTO for AirTight, in a press release statement. “Since there is no fallback in the 802.11 standard to address this hole, AirTight felt it was important to raise awareness around it.”
