WPA2 vulnerable to insider attacks - mdsohailahmad
http://blog.airtightnetworks.com/wpa2-finds-itself-in-a-hole-vulnerable-to-insider-attacks/
WPA2 Hole196 Vulnerability

The "Hole 196" vulnerability present in WPA2 can be practically exploited by a malicious insider using existing open source software as the basis. And the footprint of such insider attacks is limited to the air, making them among the stealthiest of insider attacks known, requiring no key cracking and no brute force. The only way to detect this is by monitoring traffic over the air.

Live demos planned at Blackhat and Defcon.

For more details:

http://www.airtightnetworks.com/WPA2-Hole196

http://blog.airtightnetworks.com/wpa2-finds-itself-in-a-hole-vulnerable-to-insider-attacks/

-Sohail Ahmad
======
dedward
I'm not sure anyone really ever considered an inside user on a Wi-Fi network,
however it's encrypted, any different than a user on a regular wired LAN...
you can sniff their traffic and spoof ARP, and all that wonderful stuff....
being on the same broadcast domain necessitates that the machines can speak to
each other.....

What's the big news here? Was WPA2 supposed to not only provide wire-
equivalent security but also prevent ARP-spoofing and every other type of
switch wrangling?

EDIT: I see the significance of this from an internal security point of view -
but the choice to use WPA2 is primarily motivated by preventing outsiders from
obtaining network keys and gaining access to your network, not preventing
insiders from snooping on each other - that's a much different problem.

------
westi
So if I read this right it makes a WPA2 wireless network like a hub based
rather than switch based wired Ethernet network.

Which is what I always treat them as anyway.

~~~
chopsueyar
I always thought WPA2 used separate air molecules for each client.

------
pilif
Once you are inside the network, all bets are off anyways. Once I'm inside the
network, I can ARP-spoof the gateway and get to all traffic anyways - no
additional decryption needed.

While this might be a nasty oversight in the spec, for all intents and
purposes, it is IMHO irrelevant as there are way easier methods to get at the
data of other users in the network.

~~~
watty
ARP-spoofing can be detected although I'm not sure how many networks actively
do this. Being able to decrypt all internal packets passively is a big deal.

~~~
dedward
It's a big deal - but most places that are concerned about security, the ones that
worry heavily about ARP-spoofing and detection, probably don't allow wireless
in the first place..... at least that's been my experience.

~~~
azim
ARP spoofing is actually not easy to do in practice. Enterprise class switches
can snoop DHCP traffic and prevent forged ARP packets.
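Added example, not part of this thread or of AirTight's material: a small model of the two defences discussed above. The passive monitor flags an IP whose MAC changes in observed ARP traffic (the kind of detection watty refers to), and the inspection function applies DHCP-snooping plus Dynamic ARP Inspection style rules, rejecting ARP packets that disagree with the switch's binding table (what azim describes). Every MAC, address and lease record is constructed; the `DhcpAck` and `ArpPacket` records are assumed stand-ins for the parsed frames a real capture or switch would supply.

```python
"""DAI-style ARP validation and arpwatch-style passive monitoring.

Added example (not from the thread). Uses constructed sample records in
place of live DHCP and ARP capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DhcpAck:
    """Assumed stand-in for a DHCP ACK seen by the switch's snooping agent."""
    client_mac: str
    yiaddr: str          # address the server handed out


@dataclass(frozen=True)
class ArpPacket:
    """Assumed stand-in for an ARP packet plus the Ethernet header carrying it."""
    op: str              # "request" or "reply"
    sender_mac: str      # ARP sender hardware address
    sender_ip: str       # ARP sender protocol address
    eth_src: str         # Ethernet source MAC of the frame


# Constructed sample data: two legitimate leases and a statically configured
# gateway (DAI deployments add non-DHCP hosts like this as static entries).
SAMPLE_ACKS = [
    DhcpAck("aa:aa:aa:00:00:01", "10.0.0.11"),
    DhcpAck("aa:aa:aa:00:00:02", "10.0.0.12"),
]
STATIC_BINDINGS = {"10.0.0.1": "cc:cc:cc:00:00:01"}   # gateway

# Constructed ARP traffic: one legitimate reply, then three inconsistent packets.
SAMPLE_ARP = [
    ArpPacket("reply", "aa:aa:aa:00:00:01", "10.0.0.11", "aa:aa:aa:00:00:01"),
    ArpPacket("reply", "aa:aa:aa:00:00:02", "10.0.0.1", "aa:aa:aa:00:00:02"),    # claims gateway IP
    ArpPacket("reply", "aa:aa:aa:00:00:01", "10.0.0.11", "aa:aa:aa:00:00:02"),   # frame src != ARP sender
    ArpPacket("request", "aa:aa:aa:00:00:03", "10.0.0.13", "aa:aa:aa:00:00:03"), # never leased
]


def build_binding_table(acks: List[DhcpAck], static: Dict[str, str]) -> Dict[str, str]:
    """IP -> MAC table as DHCP snooping would learn it, seeded with static entries."""
    table = dict(static)
    for ack in acks:
        table[ack.yiaddr] = ack.client_mac
    return table


def inspect_arp(pkt: ArpPacket, bindings: Dict[str, str]) -> Optional[str]:
    """Return None if the packet is consistent with the bindings, else the reason to drop it."""
    if pkt.sender_mac != pkt.eth_src:
        return "sender MAC does not match frame source"
    expected = bindings.get(pkt.sender_ip)
    if expected is None:
        return "no DHCP/static binding for sender IP"
    if expected != pkt.sender_mac:
        return f"sender IP bound to {expected}"
    return None


def run_inspection(packets: List[ArpPacket], bindings: Dict[str, str]) -> List[Tuple[int, str]]:
    """Index and reason for every packet DAI-style validation would reject."""
    findings = []
    for i, pkt in enumerate(packets):
        reason = inspect_arp(pkt, bindings)
        if reason is not None:
            findings.append((i, reason))
    return findings


def passive_monitor(packets: List[ArpPacket], seed: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """arpwatch-style detection: learn IP->MAC from traffic and flag any flip.

    Returns (packet index, ip, old_mac, new_mac) for each change observed.
    Needs no switch support, only a vantage point that sees the traffic.
    """
    seen = dict(seed)
    flips = []
    for i, pkt in enumerate(packets):
        prev = seen.get(pkt.sender_ip)
        if prev is not None and prev != pkt.sender_mac:
            flips.append((i, pkt.sender_ip, prev, pkt.sender_mac))
        seen[pkt.sender_ip] = pkt.sender_mac
    return flips


if __name__ == "__main__":
    table = build_binding_table(SAMPLE_ACKS, STATIC_BINDINGS)
    for idx, why in run_inspection(SAMPLE_ARP, table):
        print(f"DAI drop packet {idx}: {why}")
    for idx, ip, old, new in passive_monitor(SAMPLE_ARP, STATIC_BINDINGS):
        print(f"monitor: packet {idx} changed {ip} from {old} to {new}")
```

The two functions fail differently on purpose: the passive monitor only notices the gateway address being re-announced, while the binding-table check also catches the frame whose Ethernet source disagrees with the ARP payload and the host that was never leased an address. Which of them applies depends on where the check runs; a wireless sensor can only do the passive kind, which is why the original post says detection has to happen over the air.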