The AirMagnet Intrusion Research Team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure.
The vulnerability involves Cisco’s Over-the-Air-Provisioning (OTAP) feature found in its wireless access points (APs). The potential exploit, dubbed SkyJack by AirMagnet, creates a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer’s wireless LAN.
The Cisco OTAP feature allows a Cisco AP that is not connected to a Cisco controller to listen to traffic from other nearby Cisco APs and use that information to quickly locate a nearby WLAN controller to associate with. During this process, two elements of this vulnerability emerge. First, there is an unintentional exposure or leakage of information in all lightweight Cisco APs. Second, while the OTAP feature is enabled, there is the potential for APs to be incorrectly assigned to an outside Cisco controller (aka SkyJacked) either by accident or at the direction of a potential hacker.
In normal operation, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear. From these frames a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. These frames are always unencrypted regardless of the encryption scheme used in the network, and are always sent regardless of whether the OTAP feature is turned on or not. At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack. All lightweight Cisco deployments are subject to this exposure.
Unlike the vulnerability, the SkyJack exploit requires the actual OTAP feature to be enabled. With that feature enabled, a newly deployed Cisco AP will listen to the above-mentioned multicast data frame to determine the address of its nearest controller. The potential exists for the Cisco AP to “hear” multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise’s access point connecting outside of the company to an outside controller, and therefore being under outside control. A hacker could also use this same mechanism intentionally to SkyJack APs and take control of an enterprise’s access point.
Cisco has been informed of this vulnerability and potential exploit.
AirMagnet recommends that Cisco customers not run the OTAP feature, as it could actively put new sensors in danger of being SkyJacked. Customers should also leverage a dedicated independent IDS system, like AirMagnet Enterprise, that is capable of detecting wireless snooping with hacking tools, to alert staff to the potential of an impending exploit. Furthermore, networking professionals should use such a monitoring system to validate that all corporate APs detected over the air are actually represented at the WLAN controller, as any corporate AP that is not associated to a controller could be a serious security risk.
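The validation recommended above can be sketched as a reconciliation between what a wireless monitor hears and what the controller reports; this is an added example, not AirMagnet or Cisco code. The record layout, function names, and all addresses are assumptions constructed for illustration.

```python
"""Reconcile corporate APs seen over the air with the WLAN controller's view."""
import re

def norm_mac(mac):
    """Normalize aa-bb-.., aabb.ccdd.eeff or AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(corporate_aps, controller_joined, approved_controllers, observed):
    """Return sorted (ap_mac, finding) tuples for corporate APs needing review.

    corporate_aps        -- MACs of APs the organization owns (asset list)
    controller_joined    -- MACs the approved controllers report as joined
    approved_controllers -- controller IP addresses the organization runs
    observed             -- sensor records (hypothetical layout): "ap_mac" and
                            "controller_ip", the latter as read from the AP's
                            cleartext multicast frame, or None if none was seen
    """
    owned = {norm_mac(m) for m in corporate_aps}
    joined = {norm_mac(m) for m in controller_joined}
    findings = set()
    for rec in observed:
        mac = norm_mac(rec["ap_mac"])
        if mac not in owned:
            continue  # neighbor AP, out of scope for this check
        ip = rec.get("controller_ip")
        if ip is not None and ip not in approved_controllers:
            findings.add((mac, f"advertises unapproved controller {ip}"))
        if mac not in joined:
            findings.add((mac, "on the air but not joined to an approved controller"))
    return sorted(findings)

# Constructed sample data (documentation address ranges, made-up MACs).
CORPORATE_APS = ["00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03"]
CONTROLLER_JOINED = ["0011.22aa.0001", "0011.22aa.0003"]
APPROVED_CONTROLLERS = {"192.0.2.10"}
OBSERVED = [
    {"ap_mac": "00-11-22-AA-00-01", "controller_ip": "192.0.2.10"},
    {"ap_mac": "00-11-22-AA-00-02", "controller_ip": "198.51.100.7"},
    {"ap_mac": "00-11-22-AA-00-03", "controller_ip": None},
    {"ap_mac": "66:77:88:99:00:0f", "controller_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for mac, finding in reconcile(CORPORATE_APS, CONTROLLER_JOINED,
                                  APPROVED_CONTROLLERS, OBSERVED):
        print(mac, "-", finding)
```

A corporate AP that both advertises an unapproved controller and is missing from the controller's joined list is the pattern the SkyJack description predicts, so it warrants the most urgent follow-up.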