Is skyjacking a mere DoS threat against Cisco WLAN?


Skyjacking vulnerability which allows Cisco LAP to be diverted to connect to rogue controller by manipulating OTAP could be more dangerous than what has been clarified by Cisco in its advisory. The advisory says that “An exploit could prevent the device from functioning properly, resulting in a DoS condition. There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.”


As a matter of fact, it should be possible to convert Authorized Cisco LAP into a wired rogue AP using skyjacking. After Cisco LAP is trapped into skyjacking (for example, made to connect to a controller hosted on the net), it is possible to convert it to Cisco REAP mode and make it bridge traffic locally between Enterprise wired subnet and wireless.


Just a thought – won’t blocking LWAPP discovery port on enterprise firewall protect you from this threat?


Stay tuned for more updates as we dig deeper into this.

Pravin Bhagwat

Pravin Bhagwat is a wireless networking pioneer and an accomplished researcher. He brings 13 years of leading edge research and development experience in wireless and mobile networking and leads technology development and research at AirTight Networks.


  1. says

    Dear Matt,
    I hope you agree on the fact that OTAP vulnerability is *NOT* just a DoS and all deployments having OTAP feature enabled are extremely vulnerable to Skyjacking Attack.

    According to a document available on the web at following link

    “OTAP enabled on the controller indicates to the controller whether or not to respond to discovery requests with the OTAP bit set. It does not prevent the LAPs already joined to the controller from the transmission of the management IP address of the controller in the clear in RRM neighbor packets.”

    OTAP is one of the mechanisms of WLC discovery. If you have OTAP disabled, your WLC would not register all those LAPs which have discovered the IP address of WLC only through OTAP process. Further, disabling OTAP on WLC does not disable OTAP on LAPs or prevent them from using OTAP process for WLC discovery. Hence, all WLC + LAP based deployments are vulnerable to Skyjacking attack no matter whether OTAP is enabled or disabled by default.

Leave a Reply

Your email address will not be published. Required fields are marked *