Archive for August, 2009

Cisco AP Skyjacking

August 26th, 2009

This latest vulnerability in Cisco WLAN (AP Skyjacking) points out how important it is for customers to deploy an overlay WIPS so that zero-day response capabilities are in place. Making changes to your WLAN controller, APs, and firewalls takes time, and new vulnerabilities like this will continue to surface.

A dangerous exploit that can be carried out using this vulnerability is for a hacker to route an enterprise customer’s Cisco AP to a WLC deployed out on the Internet and change the Guest SSID to map to an internal enterprise VLAN (using the REAP mode supported on Cisco APs); see below for Pravin’s comments.

AirTight is the only WIPS vendor that can detect this dangerous exploit (i.e. a Guest SSID mapped to the wrong VLAN) and prevent this scenario. Using AirTight WIPS, you can define a WLAN SSID-to-VLAN security policy (i.e. a wireless-to-wired security policy mapping), allowing you to detect this misconfiguration and prevent a hacker from exploiting it. Using Cisco WLC+WCS+MSE or other third-party WIDS/WIPS, this scenario will go undetected for some time, allowing the hacker access into the customer’s enterprise network.

Customers should pay immediate attention to this vulnerability, change the default (out-of-the-box) settings on their Cisco APs, and put a zero-day response strategy in place for vulnerabilities like this in the future.

Filed under: Wireless security

Is skyjacking a mere DoS threat against Cisco WLAN?

August 26th, 2009

The skyjacking vulnerability, which allows a Cisco LAP to be diverted to connect to a rogue controller by manipulating OTAP, could be more dangerous than what Cisco has clarified in its advisory. The advisory says that “An exploit could prevent the device from functioning properly, resulting in a DoS condition. There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.”

As a matter of fact, it should be possible to convert an authorized Cisco LAP into a wired rogue AP using skyjacking. After the Cisco LAP is trapped by skyjacking (for example, made to connect to a controller hosted on the Internet), it is possible to convert it to Cisco REAP mode and make it bridge traffic locally between the enterprise wired subnet and wireless.

Just a thought – won’t blocking the LWAPP discovery port on the enterprise firewall protect you from this threat?

Stay tuned for more updates as we dig deeper into this.
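As an added example that is not part of either post above (and not AirTight’s or Cisco’s code), here is the kind of policy check both posts argue for, run over constructed AP state records: which controller each AP has joined, whether it bridges locally in REAP mode, and which VLAN each SSID maps to. The controller addresses, SSIDs, VLAN numbers and the record format are all assumed.

```python
"""Added example (not AirTight's or Cisco's code): audit lightweight-AP state records
against an enterprise policy to catch the skyjacking scenarios described above: an AP
joined to a controller outside the enterprise, and a Guest SSID bridged locally (REAP)
onto an internal VLAN. IPs, SSIDs, VLAN numbers and the record format are constructed."""
from ipaddress import ip_address, ip_network

# Constructed policy: controllers APs may join, and the VLANs each SSID may land on.
AUTHORIZED_WLC = [ip_network("10.10.0.0/24")]
SSID_VLAN_POLICY = {"Corp": {100}, "Guest": {900}}   # guest traffic stays on VLAN 900
LOCAL_SWITCHING_ALLOWED = False                      # REAP/H-REAP local bridging not permitted

def audit_ap(record):
    """Return a list of findings for one AP state record (empty list = clean)."""
    ap, findings = record["ap"], []
    wlc = ip_address(record["controller"])
    if not any(wlc in net for net in AUTHORIZED_WLC):
        findings.append(f"{ap}: joined to unauthorized controller {wlc}")
    if record.get("local_switching") and not LOCAL_SWITCHING_ALLOWED:
        findings.append(f"{ap}: local (REAP) bridging enabled")
    for ssid, vlan in record["wlans"].items():
        allowed = SSID_VLAN_POLICY.get(ssid)
        if allowed is None:
            findings.append(f"{ap}: unknown SSID {ssid!r}")
        elif vlan not in allowed:
            findings.append(f"{ap}: SSID {ssid!r} mapped to VLAN {vlan}, policy allows {sorted(allowed)}")
    return findings

def audit_all(records):
    """Map each AP name to its findings."""
    return {r["ap"]: audit_ap(r) for r in records}

# Constructed sample: one healthy AP and one diverted to an Internet-hosted controller.
SAMPLE_RECORDS = [
    {"ap": "ap-lobby-1", "controller": "10.10.0.5", "local_switching": False,
     "wlans": {"Corp": 100, "Guest": 900}},
    {"ap": "ap-lobby-2", "controller": "203.0.113.7", "local_switching": True,
     "wlans": {"Corp": 100, "Guest": 100}},
]

if __name__ == "__main__":
    for ap, findings in audit_all(SAMPLE_RECORDS).items():
        print(ap, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

A record like these would come from the controller or WIPS inventory; the check is what an overlay WIPS policy would evaluate continuously rather than once.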

Filed under: Wireless security

Cell Phone Jamming in Prisons – Could it be done?

August 18th, 2009

I recently read a statement put out by Senator Kay Bailey Hutchison urging support for her bill: “The Safe Prisons Communications Act creates a framework for the FCC to test and approve jamming equipment and to review applications from corrections facilities seeking to install cell phone jammers. Most importantly, to ensure the integrity of wireless networks for public safety and commercial wireless providers, and minimize any chance of interference, the legislation outlines the coordinated efforts from all stakeholders, including prisons and the telecommunication providers.”

According to Hutchison, cell phones are used within the prison walls to coordinate crimes outside the wall, including murders, intimidation and fraud. The idea struck me as one that could be a slippery slope, but one could hardly argue that prisoners have a “right” to cell phones – or do they? I would love to hear comments on this one.

Filed under: Wireless security

CNN – Security experts warn of dangers of rogue Wi-Fi hotspots

August 11th, 2009

Security experts warn of dangers of rogue Wi-Fi hotspots

Story Highlights from CNN International

  • Security experts warn Wi-Fi users to be more vigilant against hackers
  • Experts say it’s difficult to distinguish between legitimate and rogue networks
  • Wi-Fi Alliance says spread of Wi-Fi hasn’t led to an ‘epidemic’ of hacking
  • Users urged to protect their networks, use VPN for sensitive data

LONDON, England (CNN) — You’re sitting in an airport lounge and seize the chance to check your e-mails before your flight departs. You log on and are tempted by a wireless Internet provider offering free Internet access. So, do you take it?

Security experts warn that hackers may be masquerading as free public Wi-Fi providers to gain access to the laptops of unsuspecting travelers.

Filed under: Wireless security

SSLstrip: Even Careful Users Can Be Trapped by Wireless Honeypots

August 9th, 2009

Moxie Marlinspike presented SSLstrip at Black Hat earlier this year. The author observed that most people initiate access to secure (HTTPS) websites over an insecure connection (HTTP), which creates an opportunity for a man-in-the-middle (MITM) attacker to get into the middle of the connection without triggering a certificate mismatch warning on the user’s machine. It is also possible to display a fake lock icon in the browser. This is unnerving because even those scrupulous users who pay heed to certificate mismatch warnings can no longer avoid MITM attacks just by doing that.

This exploit is also particularly interesting for wireless security because of the ease with which it is possible to become the MITM over a Wi-Fi link using Honeypot (Evil Twin) tools. Once the MITM is established with the victim over Wi-Fi, exploits such as SSLstrip make the attacker’s job all the easier: even the scrupulous user will not suspect anything amiss, as there will be no certificate mismatch warning and a lock icon will be displayed next to the URL in the browser.
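An added example, not code from the post or from SSLstrip, of the defender-side check this implies: a page that policy says must be HTTPS, reached over plain HTTP, is inspected for links rewritten to http://, password forms that would post over http://, and a missing HSTS header (HSTS postdates this post; it is the mitigation that removes the insecure first hop SSLstrip relies on). The host policy, headers and HTML body are constructed.

```python
"""Added example (not from the original post): a defender-side check for the condition
SSLstrip exploits: a page reached over plain HTTP that should have moved the user to
HTTPS. Hosts, headers and the HTML body below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
HTTPS_ONLY_HOSTS = {"bank.example", "mail.example"}   # constructed policy: must be HTTPS

class _Collector(HTMLParser):
    """Collect link targets and forms (noting which ones carry a password field)."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type") == "password":
            self._form["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def check_downgrade(page_url, headers, body):
    """Return findings for a page fetched from page_url (empty list = clean)."""
    findings, page = [], urlparse(page_url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if page.hostname in HTTPS_ONLY_HOSTS and page.scheme != "https":
        findings.append(f"{page.hostname} served over plain HTTP")
    if "strict-transport-security" not in hdrs:   # HSTS stops the HTTP first hop
        findings.append("no Strict-Transport-Security header")
    c = _Collector()
    c.feed(body)
    for f in c.forms:   # a relative action inherits the page's scheme
        if f["password"] and (urlparse(f["action"]).scheme or page.scheme) == "http":
            findings.append(f"password form posts to {f['action']}")
    for href in c.links:
        u = urlparse(href)
        if u.scheme == "http" and u.hostname in HTTPS_ONLY_HOSTS:
            findings.append(f"link downgraded to {href}")
    return findings

# Constructed body as a stripped page would look: HTTPS links rewritten to HTTP.
SAMPLE_BODY = ('<a href="http://bank.example/login">Log in</a>'
               '<form action="http://bank.example/auth"><input type="password" name="p"></form>')

if __name__ == "__main__":
    print(check_downgrade("http://bank.example/", {"Server": "x"}, SAMPLE_BODY))
```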

Useful links with information on SSLstrip:


Filed under: Wireless security

WiFish Finder: WiFi Honeypot vulnerability assessment made simple

August 2nd, 2009

What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? The odds are very high that you don’t have an exact answer.


WiFish Finder is a tool for assessing whether the WiFi devices active in the air are vulnerable to ‘Wi-Fishing’ attacks. The assessment is performed through a combination of passive traffic sniffing and active probing techniques. Most WiFi clients keep a memory of the networks (SSIDs) they have connected to in the past. WiFish Finder first builds a list of probed networks and then, using a set of clever techniques, also determines the security setting of each probed network. A client is a fishing target if it is actively seeking to connect to an OPEN or a WEP network. Clients only willing to connect to WPA or WPA2 networks are not completely safe either!
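An added example (not WiFish Finder’s own code) of the classification the paragraph describes, run over a constructed probe-request log and a constructed map of each probed SSID’s security setting; the MAC addresses, SSIDs and the “UNKNOWN” verdict for SSIDs whose security could not be determined are assumptions.

```python
"""Added example, not WiFish Finder's code: classify clients by the networks they probe
for, as the post describes. The probe log, MAC addresses, SSIDs and the security map
are constructed for illustration."""
from collections import defaultdict

OPEN_OR_WEP = {"OPEN", "WEP"}

# Constructed: security setting determined for each probed SSID (None = undetermined).
SSID_SECURITY = {"CoffeeShop": "OPEN", "HomeNet": "WEP", "CorpWiFi": "WPA2",
                 "OldRouter": None}

# Constructed probe-request log: (client MAC, SSID the client is probing for).
PROBES = [
    ("00:11:22:33:44:01", "CoffeeShop"), ("00:11:22:33:44:01", "CorpWiFi"),
    ("00:11:22:33:44:02", "CorpWiFi"),
    ("00:11:22:33:44:03", "HomeNet"),
    ("00:11:22:33:44:04", "OldRouter"),
]

def classify(probed_ssids, security_map):
    """'TARGET' if any probed SSID is OPEN/WEP; 'UNKNOWN' if any probed SSID's security
    could not be determined; else 'AT_RISK' (WPA/WPA2-only clients are not fully safe)."""
    types = [security_map.get(s) for s in probed_ssids]
    if any(t in OPEN_OR_WEP for t in types):
        return "TARGET"
    if any(t is None for t in types):
        return "UNKNOWN"
    return "AT_RISK"

def assess(probes, security_map):
    """Build the per-client probed-network list, then classify each client."""
    by_client = defaultdict(set)
    for mac, ssid in probes:
        by_client[mac].add(ssid)
    return {mac: classify(ssids, security_map) for mac, ssids in by_client.items()}

def target_percentage(results):
    """Answer the post's question: what % of seen clients are fishing targets."""
    if not results:
        return 0.0
    return 100.0 * sum(v == "TARGET" for v in results.values()) / len(results)

if __name__ == "__main__":
    res = assess(PROBES, SSID_SECURITY)
    for mac, verdict in sorted(res.items()):
        print(mac, verdict)
    print(f"{target_percentage(res):.0f}% of seen clients are fishing targets")
```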


To find out why, you’re welcome to try out WiFish Finder, a vulnerability assessment tool built by Sohail and Prabhash, members of the security research team at AirTight Networks. Sohail is presenting WiFish Finder at DefCon 2009 today. A demo version of this tool (Version 1.0) can be downloaded from


Sohail is also planning to release WiFish Finder Ver 2.0, with speed, usability and feature enhancements (such as PEAP vulnerability detection), upon his return from Las Vegas. To download the full-featured version of WiFish Finder and for tips on protecting your laptop from Wi-Fishing attacks, visit the download link; the URL will be operational in 4-5 days.


What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? Well, you only have to wait another 4-5 days to find out the answer!


-*- Pravin -*-

Filed under: Wireless security