Misconfigured Cisco gear could lead to Wi-Fi breach

Core Security warned users to turn off a WPA migration mode feature for security reasons

Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to researchers at Core Security Technologies.

The issue has to do with Cisco's Aironet 1200 Series Access Point, which is used to power centrally managed wireless LANs. The Aironet 1200 can be set to a WPA (Wi-Fi Protected Access) migration mode, in which it provides wireless access for devices that use either the insecure WEP (Wired Equivalent Privacy) protocol or the more secure WPA standard.

This gives companies a way to gradually move from WEP to WPA without immediately buying all-new, WPA-capable equipment. But while auditing the network of a customer who used the product, Core researchers discovered that even networks that had stopped using WEP devices could still be vulnerable, so long as the Aironet's migration mode was enabled.

Researchers were able to force the access point to issue WEP broadcast packets, which they then used to crack the encryption key and gain access to the network.

This isn't due to a bug in the device, but Core believes Cisco customers may not realize they are still vulnerable to an attack even after they've stopped using WEP clients.

Core researchers devised this attack after being asked to audit a customer's network, according to Leandro Meiners, a senior security consultant with the company. "What we thought was, when there were only WPA stations, it should be as secure as WPA, and we found that this is not the case," he said.

Meiners and his fellow researcher, Diego Sor, will present their findings at the Black Hat security conference, to be held in Las Vegas next month.

In an e-mailed statement, Cisco said the Core research focuses "on known characteristics of WEP encryption rather than any perceived deficiency in a Cisco product."

"It is our consistent advice to customers that they should implement the highest level of security available -- in this case, WPA2," Cisco said.

Meiners and Sor suspect that there may be other companies out there that have completed their WPA migration but not yet turned off the WPA migration mode on the access points.

Meiners said those companies would have been better off using separate access points for WPA and WEP clients. "You know that one of those access points is at risk and you can take precautions," he said. "The problem here is that you might not be aware of the situation."

Tags networking hardwareCisco SystemssecurityNetworkingwirelessCore Security TechnologiesWLANs / Wi-Fi

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?