Cisco wireless LAN vulnerability could open 'back door'

AirMagnet, a developer of wireless LAN security products, discovered the problem

Some wireless access points from Cisco Systems have a vulnerability that could allow a hacker to redirect traffic outside the enterprise or potentially gain access to an entire corporate network, a security company said.

At the root of the problem is the way that new Cisco APs are added to a network, according to AirMagnet, a wireless network security company that discovered the problem and planned to report its findings Tuesday.

Existing APs broadcast information about the nearby network controller they communicate with. That way, when an enterprise hangs a new AP, that AP listens to information broadcast by other APs and knows which controller to connect to.

However, the existing APs broadcast that information, including the controller's IP address and MAC (Media Access Control) address, unencrypted. Sniffing that information out of the air is relatively simple and can be done with free tools like NetStumbler, said Wade Williamson, director of product management at AirMagnet.

Armed with the information that the APs broadcast, a person could target a controller with a denial of service attack, for example, and take down a section of the network, Williamson said. But the attacker would likely have to be physically on-site to do that, he said.

The bigger potential is that a person could "skyjack" a new AP by getting the AP to connect to a controller that is outside of the enterprise. That would become "the mother of all rogue APs," Williamson said. "You could almost create a back door using a wireless AP." Rogue APs are typically those that employees connect to a corporate network without permission.

It could even happen accidentally. The Cisco AP might hear broadcasts from a legitimate neighboring network and mistakenly connect to that network, he said. Or a hacker could create that same scenario intentionally in order to take control of the AP, he said.

A hacker on the outside with control of that AP could see all the traffic connecting over that AP, but also has the potential to access the enterprise's full network, Williamson said.

The vulnerability affects all of Cisco's "lightweight" APs, meaning the kind that work in conjunction with a controller, he said. That includes most of the APs Cisco has released since it acquired Airespace in 2005, he said.

Cisco spokesman Ed Tan said AirMagnet has alerted the company to the problem and that Cisco is investigating. Cisco said it takes security vulnerabilities "very seriously."

"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," the company said in a statement. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported -- consistent with our well-established disclosure process."

Although the vulnerability could cause serious consequences, exploiting it wouldn't be easy. A hacker would have to be nearby when an enterprise happened to be hanging a new AP that was looking to connect to the network.

Enterprises using Cisco APs can prevent the skyjacking situation from occurring by turning off the over-the-air provisioning feature that allows the AP to automatically connect to the nearest controller. But even when that feature is turned off, the existing APs broadcast the details about the controller unencrypted, so a hacker could still collect that information, Williamson said.

AirMagnet discovered the issue when a customer asked for help after getting repeated alarms about unencrypted broadcast traffic on its wireless network. All of that traffic should have been encrypted and the company was preparing for a stringent audit, Williamson said. As AirMagnet dug deeper, it discovered the source of the unencrypted information, he said.

He expects Cisco to come up with a way for customers to shut off the broadcasts or obscure them.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags exploits and vulnerabilitiesWLANairmagnetsecurityciscoaccess pointswireless security

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Nancy Gohring

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?