Ajay Gupta

Job title:
Tech Lead, AirTight Networks

Areas of expertise:
wireless security, mobile security

Biography:
Ajay is currently acting as tech lead, engineering, for AirTight Networks, a global provider of enterprise WiFi security products. He has been in the field of wireless security for more than five years. Ajay is a frequent contributor to some leading security magazines and holds a Master of Technology degree from IIT Bombay in India.

WPA2 Exposed with 'Hole 196' Vulnerability

Until now, the WPA security version known as ‘WPA2 (AES encryption) with 802.1x authentication’ was considered one of the most secure WiFi deployments by most wireless security experts. This is due to its resilience to the brute-force dictionary attacks that can possibly allow intrusion into WPA/WPA2 PSK deployments.

This version is also free from the TKIP vulnerability that is present in WPA TKIP deployments and can be used to launch potential attacks. However, with the newly discovered “Hole 196” vulnerability, this version too is now exposed to practical security problems.

“Hole 196” is the name of a WPA2 vulnerability that will be showcased by AirTight Networks researchers at the upcoming Black Hat and Defcon security conferences in Las Vegas. The vulnerability is, in fact, buried in the last line on page 196 of the 1232-page IEEE 802.11 Standard (Revision, 2007), which is why AirTight Networks named it “Hole 196.”

The “Hole 196” vulnerability can lead to a potentially fatal insider attack, in which an insider can bypass the WPA2 private key encryption and authentication to scan authorized devices for vulnerabilities, install malware on them and steal personal or confidential corporate information from them. Although specifically mentioned for WPA2, the vulnerability also applies to WPA, irrespective of the authentication method used.

Exploiting the 'Hole 196' vulnerability is simple and easy. It can therefore lead to practical insider attacks (launched by disgruntled employees or cyberspies), unlike the WPA TKIP vulnerability, which was largely of theoretical interest and difficult to exploit for launching any practical attacks.

To learn more about the “Hole 196” vulnerability, you will need to wait for the live demo, entitled "WPA Too?!", which is scheduled at Black Hat Arsenal on July 29 and at Defcon 18 on July 31 in Las Vegas.

Posted 23/07/2010 by Ajay Gupta

Tagged under: WiFi, WPA2, Hole 196, TKIP, WiFi Security
