WPA2 finds itself in a “hole”! Vulnerable to insider attacks!


Wi-Fi security has experienced a lot of churn over the last decade. As protocols like WEP and TKIP fell by the wayside, WPA2 emerged as the “Last Wi-Fi Security Protocol Standing.” The Wi-Fi Alliance recently announced its plan to phase out WEP and TKIP, promoting WPA2 as the go-to security standard.

With solid protection in the form of AES encryption and 802.1X-based authentication, there was no reason to look beyond it. WPA2 did its job well: it kept the bad guys on the outside out of the network. And traditionally that has always been the focus of Wi-Fi security.

But…! Yes, but… as AirTight Networks security researcher Md. Sohail Ahmad found out, WPA2 has a hard shell on the outside, but a soft underbelly inside. In other words, WPA2 is vulnerable to insider attacks! And interestingly, this zero-day vulnerability, now referred to as “Hole196”, has been buried in the standard (on page 196, if you didn’t guess it! :) ) all these years, but overlooked. Exploiting this vulnerability, a malicious insider (authorized user) can decrypt WPA2-encrypted over-the-air data from other authorized users in the network with his own private key. No key cracking or brute force is required!

If you are going to be in Las Vegas next week, you can watch a live demo of exploits built on top of the WPA2 Hole196 vulnerability at the Black Hat Arsenal on July 29 (13:30-18:00), and attend a talk titled “WPA Too!” that deconstructs the Hole196 vulnerability and the exploits, at Defcon18 on July 31 (15:00-15:50).

You can also register for a live public Webinar (on August 4, 11am Pacific Time) by AirTight Networks to understand the risks from zero-day vulnerabilities such as WPA2 Hole196 and what steps can be taken to mitigate the risks. You can also find more information on this topic here.

Insider attacks continue to be the most common and most costly threat to enterprise networks. No wonder insider attacks have been widely studied in wired networks over the years, and security technologies have been built specifically to address the risks from malicious insiders. Wired network security has also evolved to have multiple layers of security to catch zero-day vulnerabilities. And I guess it’s time to apply the same wisdom of a multi-layered defense to Wi-Fi networks, because one size does not fit all… and Wi-Fi security is no exception.

Kaustubh Phanse

Kaustubh Phanse joined AirTight as the Principal Wireless Architect in 2007 before growing into the role of Chief Evangelist. He brings over 10 years of R&D experience in the fields of computer networks, wireless communication and mobile computing.


  1. Douglas Smith says

    Client Isolation plus IP subnetting: MITM->DOS

    Client isolation (PSPF) cannot prevent the attack if the attacker adds an Ethernet node to redirect traffic to.

    If the hacker's Ethernet NIC is on a different IP subnet, then the ARP poisoning redirect will not result in packets being forwarded to the hacker's Ethernet NIC, as it will be on an unreachable Ethernet segment. The attack will become a denial-of-service rather than man-in-the-middle.

    Do you agree that the combination of client isolation and IP subnetting could be used to partially address the Hole196 ARP poisoning attack?

    • Kaustubh Phanse says

      Hi Douglas,

      You are absolutely right!

      Wi-Fi client isolation alone is not of much use because it can be bypassed if the attacker poisons the cache of the victim with the attacker’s Ethernet NIC MAC address.

      As you have rightly suggested, if the Wi-Fi APs are put on a separate VLAN then the victim’s data cannot reach the attacker’s machine (which will be on a VLAN different from the AP). In that case, the ARP poisoning attack will end up as a denial of service and man in the middle will not be successful.
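The comment thread above ends with an ARP poisoning redirect as the practical consequence of Hole196, and with VLAN separation as the containment that turns it into a denial of service. On the detection side, the observable symptom of that redirect is a protected address (typically the default gateway) suddenly being bound to a different MAC address in ARP replies. The following monitor is an added example, not AirTight's code or anything from the post: it parses a constructed ARP reply log in a hypothetical `<ts> <ip> is-at <mac>` format, remembers the trusted binding for each protected IP (either configured, like a static ARP entry, or the first one seen), and reports every conflicting binding once.

```python
"""ARP poisoning indicator check over ARP reply records.

Added example, not AirTight's code. A monitor that remembers the trusted
IP-to-MAC binding for protected addresses and alerts on any ARP reply that
contradicts it sees an ARP cache poisoning redirect as a binding conflict.
The log format and every record below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP address the reply claims to speak for
    sender_mac: str    # MAC address it binds that IP to


# Constructed log lines in the hypothetical format "<ts> <ip> is-at <mac>".
# 10.1.1.1 plays the gateway; at t=12.0 a different station claims that IP.
SAMPLE_LOG = """\
1.0 10.1.1.1 is-at 00:11:22:33:44:01
2.0 10.1.1.20 is-at 00:11:22:33:44:20
5.0 10.1.1.1 is-at 00:11:22:33:44:01
12.0 10.1.1.1 is-at AA:BB:CC:DD:EE:FF
12.5 10.1.1.1 is-at AA:BB:CC:DD:EE:FF
13.0 10.1.1.20 is-at 00:11:22:33:44:21
"""


def parse_arp_log(text: str) -> List[ArpReply]:
    """Parse the constructed log format; MACs are normalised to lower case."""
    replies: List[ArpReply] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, keyword, mac = line.split()
        if keyword != "is-at":
            raise ValueError(f"unexpected record: {line!r}")
        replies.append(ArpReply(float(ts), ip, mac.lower()))
    return replies


# (ts, ip, trusted_mac, conflicting_mac)
Alert = Tuple[float, str, str, str]


def find_binding_conflicts(
    replies: Iterable[ArpReply],
    protected_ips: Set[str],
    trusted: Optional[Dict[str, str]] = None,
) -> List[Alert]:
    """Alert once per (protected IP, conflicting MAC) pair.

    The trusted binding is either supplied (like a static ARP entry) or
    taken from the first reply seen for that IP; later replies that
    disagree are reported. Hosts outside protected_ips may change MAC
    (DHCP churn, replaced hardware) without raising an alert.
    """
    trusted_map = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    reported: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for r in sorted(replies, key=lambda x: x.ts):
        if r.sender_ip not in protected_ips:
            continue
        known = trusted_map.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac and (r.sender_ip, r.sender_mac) not in reported:
            reported.add((r.sender_ip, r.sender_mac))
            alerts.append((r.ts, r.sender_ip, known, r.sender_mac))
    return alerts


def check_sample() -> List[Alert]:
    """Run the check over the constructed log, protecting only the gateway."""
    return find_binding_conflicts(parse_arp_log(SAMPLE_LOG), {"10.1.1.1"})


if __name__ == "__main__":
    for ts, ip, good, bad in check_sample():
        print(f"t={ts}: {ip} trusted at {good} but answered from {bad}")
```

Protecting only the gateway keeps the alert volume down: the station 10.1.1.20 changing MAC at t=13.0 is ignored unless it is added to the protected set, while a conflicting claim for the gateway is reported the first time it appears and not for every repeated reply. Supplying `trusted` explicitly is the stronger configuration, since a monitor that learns the baseline from the first reply can be seeded with the wrong binding if it starts after the poisoning has begun.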

