Mixed-mode Cisco routers could lead to WiFi breach
Aironet 1200 Series Point users must turn off WPA migration mode feature
By Robert McMillan | Published: 10:16, 29 June 2010
Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to researchers at Core Security Technologies.
The issue has to do with Cisco's Aironet 1200 Series Access Point, which is used to power centrally managed wireless LANs. The Aironet 1200 can be set to a WPA (WiFi Protected Access) migration mode, in which it provides wireless access for devices that use either the insecure WEP (Wired Equivalent Privacy) protocol or the more secure WPA standard.
This gives companies a way to gradually move from WEP to WPA without immediately buying all-new, WPA-capable equipment. But while auditing the network of a customer who used the product, Core researchers discovered that even networks that had stopped using WEP devices could still be vulnerable, so long as the Aironet's migration mode was enabled.
Related Articles on Techworld
Researchers were able to force the access point to issue WEP broadcast packets, which they then used to crack the encryption key and gain access to the network.
This isn't due to a bug in the device, but Core believes Cisco customers may not realise they are still vulnerable to an attack even after they've stopped using WEP clients.
Core researchers devised this attack after being asked to audit a customer's network, according to Leandro Meiners, a senior security consultant with the company. "What we thought was, when there were only WPA stations, it should be as secure as WPA, and we found that this is not the case," he said.
Meiners and his fellow researcher, Diego Sor, will present their findings at the Black Hat security conference, to be held in Las Vegas next month.
In an emailed statement, Cisco said the Core research focuses "on known characteristics of WEP encryption rather than any perceived deficiency in a Cisco product."
"It is our consistent advice to customers that they should implement the highest level of security available - in this case, WPA2," Cisco said.
Meiners and Sor suspect that there may be other companies out there that have completed their WPA migration but not yet turned off the WPA migration mode on the access points.
Meiners said those companies would have been better off using separate access points for WPA and WEP clients. "You know that one of those access points is at risk and you can take precautions," he said. "The problem here is that you might not be aware of the situation."