
Newly Discovered Vulnerability Could Threaten Cisco Wireless LANs

Flaw in Cisco Over-The-Air-Provisioning could allow attackers to gain control of wireless access points, AirMagnet researchers say

Aug 24, 2009 | 06:05 PM

By Tim Wilson
DarkReading

A flaw in the provisioning system used by Cisco wireless LANs could allow attackers to collect data about users' wired networks or even gain access to WLAN-attached systems, researchers said today.

Researchers at AirMagnet's Intrusion Research Team say they have uncovered a security vulnerability in Cisco's Over-The-Air-Provisioning (OTAP), a feature that helps users deploy wireless access points (APs). The potential exploit -- which AirMagnet has dubbed SkyJack -- makes it possible for others to gain control of a Cisco AP, intentionally or unintentionally.

The Cisco OTAP feature allows a Cisco AP to "listen" to traffic from nearby Cisco APs and use that information to quickly locate a nearby WLAN controller on the network. However, this feature may cause unintentional exposure or leakage of network information in all lightweight Cisco APs, AirMagnet says.

If the OTAP feature is not turned off, it is possible for APs to be incorrectly assigned to an outside Cisco controller -- a.k.a. SkyJacked -- either by accident or at the direction of a potential hacker, AirMagnet says.

"We haven't seen any definite exploits yet, but the feature has been available for some time," says Wade Williamson, director of product management at AirMagnet. "We can envision a situation where an attacker could set up a rogue AP in an empty office near a bank, and collect data for a long period of time."

Under OTAP, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear, AirMagnet says. From these frames, a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. The hacker could even collect information on wired devices attached to the WLAN, Williamson says.

The Cisco OTAP frames are always unencrypted, regardless of the encryption scheme used in the network (e.g., WPA), and are always sent, regardless of whether the OTAP feature is turned on, AirMagnet says.

"At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network and potentially target them for attack," AirMagnet says. All lightweight Cisco deployments are subject to this exposure.

If the OTAP feature is turned on, a newly deployed Cisco AP will listen to the multicast data frame to determine the address of its nearest controller, AirMagnet explains. This means that a Cisco AP may "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or an unapproved Cisco controller.
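As an added illustration of the failure mode described above (not code from AirMagnet, Cisco or the article): a small model of how an OTAP-enabled AP that simply takes the strongest controller advertisement it hears can end up joined to a neighbour's or unapproved controller, beside a hardened selection rule and a monitoring-side check that flags advertisements not matching the approved controller inventory. The frame fields, controller inventory and sample observations are constructed assumptions; the article does not give the real OTAP frame layout.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of what the article says an OTAP frame leaks in the clear:
# the MAC and IP of the sender's controller. Not the real frame layout (assumption).
@dataclass(frozen=True)
class ControllerAdvert:
    ap_mac: str          # AP that transmitted the frame (hypothetical field)
    controller_mac: str  # controller MAC carried in the frame
    controller_ip: str   # controller IP carried in the frame
    rssi: int            # received signal strength in dBm; higher = closer

# Assumed inventory of the enterprise's own controllers (constructed values).
APPROVED = {"00:1a:aa:00:00:01": "10.10.0.5"}
MGMT_NETS = [ip_network("10.10.0.0/16")]

def is_approved(a: ControllerAdvert, approved=APPROVED) -> bool:
    return approved.get(a.controller_mac) == a.controller_ip

def join_by_otap(adverts: list[ControllerAdvert]) -> Optional[ControllerAdvert]:
    """Weak behaviour the article describes: with OTAP on, a new AP simply
    takes the controller advertisement it hears best, approved or not."""
    return max(adverts, key=lambda a: a.rssi, default=None)

def join_hardened(adverts: list[ControllerAdvert], approved=APPROVED) -> Optional[ControllerAdvert]:
    """Hardened selection: only an advertisement matching the approved
    inventory (MAC and IP both known) is eligible; closest of those wins."""
    ok = [a for a in adverts if is_approved(a, approved)]
    return max(ok, key=lambda a: a.rssi, default=None)

def audit(adverts: list[ControllerAdvert], approved=APPROVED, mgmt_nets=MGMT_NETS) -> list[str]:
    """Monitoring-side check: flag controller advertisements heard over the air
    that do not match the inventory, i.e. a controller that could SkyJack a new AP."""
    alerts = []
    for a in adverts:
        if is_approved(a, approved):
            continue
        known_mac = a.controller_mac in approved
        in_mgmt = any(ip_address(a.controller_ip) in n for n in mgmt_nets)
        kind = "inconsistent controller" if known_mac or in_mgmt else "foreign controller"
        alerts.append(f"{kind}: {a.controller_mac} {a.controller_ip} from AP {a.ap_mac} at {a.rssi} dBm")
    return alerts

# Constructed observations: our controller, a stronger neighbour, and our MAC with a wrong IP.
SAMPLE = [
    ControllerAdvert("00:1a:aa:00:00:10", "00:1a:aa:00:00:01", "10.10.0.5", -60),
    ControllerAdvert("00:1b:bb:00:00:20", "00:1b:bb:00:00:09", "192.168.77.2", -45),
    ControllerAdvert("00:1c:cc:00:00:30", "00:1a:aa:00:00:01", "10.10.99.9", -70),
]
```

With these samples the OTAP-style rule joins the neighbour's controller because its signal is strongest, while the hardened rule still picks the approved one and the audit raises two alerts.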

This same mechanism could be exploited intentionally by a hacker to SkyJack APs and take control of an enterprise's access point, AirMagnet says. "You could gain access to the network over a semi-permanent connection and collect data over a long period of time," Williamson says.

AirMagnet has informed Cisco about this vulnerability and potential exploit, and Cisco is working on a fix, Williamson says. In the meantime, AirMagnet recommends that Cisco customers turn off the OTAP feature because it could actively put new sensors in danger of being SkyJacked.

The vulnerability also points to the advantages of having a wireless network monitoring system, such as AirMagnet's, Williamson says. "With wireless, you need to be able to detect activity on the edges of the network in ways that you didn't have to do with wired networks," he says.
