Hole 196 WPA2 Vulnerability – Who Cares?
Network World recently posted an article stating that a researcher at Air Tight Security found a vulnerability in WPA2 Enterprise encryption. They are calling it Hole 196 because the vulnerability was discovered on page 196 of the 802.11 IEEE standard. Keep in mind that WPA2 is regarded as the most secure wireless encryption method available today. So this is big, big news. Right? Well, maybe not.
If you read the details of the exploit, you find out that for it to work, the bad guy must be authenticated and authorized on the WPA2 network to begin with. Once authorized, the user can then use exploits to decrypt other users’ “secure” wireless traffic and/or inject malicious packets into it. So the person must first be authenticated, which means you must trust them at least a little bit. The other thing is that WPA2 was never really meant to be the end-all, be-all in encryption. People lose sight of why it’s around.
These types of wireless security exploits make for good news because they send business managers into a panic; those managers don’t understand what WPA2 and all other wireless encryption methods are for. Wireless encryption is implemented so that the wireless connection from your end device (laptop, iPad, etc.) is AS secure as a wired connection. Up until now, the wireless part of a WPA2 connection was far MORE secure. Remember, once the data is dumped off onto a wired connection, the vast majority of the time that wired traffic is not encrypted at the network level unless you are tunneling it using something like IPSec or GRE. So with this new vulnerability, your internal users can possibly sniff and manipulate traffic…just like they can now on your wired connection. Is this new vulnerability a problem? Well, it’s not good, but it’s also not the end of the world like some will tell you.
This sort of thing happens often with network engineers. Oftentimes when I sit in design meetings, the topic of end-to-end encryption comes up for an application that runs in clear text over the network. Everyone wants crazy-complex point-to-point encryption solutions to be built for their applications at the network level. My response has always been, “If you want securely encrypted applications, why don’t you look at securing the applications? Have your applications developers ever heard of SSH or SSL?” The point being, don’t rely on link-level encryption methods such as WPA2 to “secure” your data. Secure the data at the application level first and then we’ll talk.