Two generations of Cisco wireless LAN equipment contain a range of vulnerabilities, researchers have told the Black Hat security conference.
Enno Rey and Daniel Mende from German testing firm ERNW demonstrated how to hack into two separate generations of Cisco Wi-Fi kit. They said that the flaws were fairly easy to find and exploit.
In a presentation called 'Hacking Cisco Enterprise WLANs' on Wednesday, the researchers demonstrated an attack aimed at Cisco's first generation equipment Cisco Structured Wireless Aware Network (Swan).
The researchers said it was possible to launch denial of service attacks and to sniff encrypted traffic on Swan by exploiting weaknesses in Cisco's Wireless LAN Context Control Protocol (WLCCP). The protocol defines how information is sent between wireless access points.
Swan access points transfer keys between them to facilitate roaming. Rey said that Leap — the authentication protocol used in Cisco's equipment — was weak, meaning that the cryptography used to hide the keys could be broken.
In addition, attacks could be made against Swan wireless components, said the researchers, including the insertion of rogue access points, the removal of physical components from the network, or attacks via the management interfaces.
"The main message is: please be aware that if you deploy [Swan] solutions, there will be some holes and extra efforts needed to run them securely," said Rey.
The researchers also demontrated an attack against third generation Cisco Unified Wireless Network (CUWN) equipment.
The researcher said that Cisco equipment based on CUWN uses cryptography that is more secure than Swan. However, CUWN is vulnerable through its management web interfaces, particularly where the interface runs SNMP (simple network management protocol). Default SNMP passwords that are widely known, said the researcher, while SNMP itself is based on HTTPS, which is vulnerable to cross-site scripting attacks.
Rey urged enterprises to ensure management access to their wireless network was restricted. "They must take special care of isolating and restricting management access. This is the Achilles heel," he said.
The security researcher said that Cisco is not the only vendor grappling with these issues. "All of these [vendors'] solutions have skeletons in the closet," he said. "This is not so much about Cisco bashing."
Cisco had not responded to a request for comment at the time of writing.
Talkback
The link in this article, "cryptography used to hide the keys could be broken.", points to a completely unrelated wireless security issue. The link referenses the ability to crack TKIP encrypion in limited circumstances over the RF channel. The correct exposure in SWAN is the ability to crack the MSCHAP hashed credential found in LEAP authentication. Here is a link to an article about this exposure. http://news.cnet.com/Cisco-fixes-latest-WLAN-flaw/2100-1035_3-5191681.html While Cisco says they fixed LEAP by releasing EAP-FAST, the SWAN architecture does not implement EAP-FAST for device authentication.
The HTTPS part doesn't make sense to me. SNMP uses UDP, HTTP/HTTPS uses TCP.