SlideShare a Scribd company logo

WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies

AirTight Networks
AirTight Networks

This paper presents a vulnerability, called Hole1961, in the WPA2 protocol that makes all implementations of WPA- and WPA2-secured Wi-Fi networks (regardless of the authentication and encryption used) vulnerable to insider attacks. It discusses ways in which a malicious insider can exploit Hole196 to attack other authorized Wi-Fi users in a WPA2-secured wireless LAN (WLAN). It also explores remediation strategies at various levels that organizations can implement to mitigate this threat.

Technology
1 of 7
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com © 2010 AirTight Networks, Inc. All rights reserved.
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Executive Summary A Wi-Fi Protected Access version 2 (WPA2), with AES encryption and 802.1x based authentication, is considered the most secure configuration for Wi-Fi networks, and recommended as the “go-to” Wi-Fi security protocol by the Wi-Fi Alliance. Naturally, more organizations are relying on WPA2 to protect their enterprise Wi-Fi networks. WPA2 is also being increasingly adopted to secure guest Wi-Fi networks as well as Wi-Fi Hotspots and municipal Wi-Fi networks that were traditionally implemented over Open Wi-Fi. This paper presents a vulnerability, called Hole1961, in the WPA2 protocol that makes all implementations of WPA- and WPA2-secured Wi-Fi networks (regardless of the authentication and encryption used) vulnerable to insider attacks. It discusses ways in which a malicious insider can exploit Hole196 to attack other authorized Wi-Fi users in a WPA2-secured wireless LAN (WLAN). It also explores remediation strategies at various levels that organizations can implement to mitigate this threat. 1 The moniker ‘Hole196’ refers to the page number in the IEEE 802.11 Standard (Revision, 2007) where the vulnerability is buried. © 2010 AirTight Networks, Inc. All rights reserved. 2
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Background In the WPA2 protocol standard two types of keys are used for data encryption: the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK). Each client associated to a WPA2- secured access point (AP) receives a unique PTK that is used for securing over-the-air unicast data traffic between that client and the AP. A GTK, however, is shared by all clients associated with the AP; the GTK is used to secure over-the-air broadcast or multicast data traffic sent by the AP. In other words, a PTK is a “two-way” private key and can be used by a client or the AP to encrypt and decrypt unicast data traffic. While the GTK is a “one-way” shared key that is to be used only by the AP for encrypting broadcast or multicast traffic and that is to be used by clients only for decrypting the broadcast or multicast traffic they receive from the AP. Hole196 Vulnerability in WPA2 The GTK can be misused by a malicious insider (authorized user) in a WPA2 network. For instance, an insider can spoof the MAC address of the AP and inject a GTK-encrypted packet with broadcast destination address. An insider can leverage such spoofed GTK-encrypted packets to launch several attacks such as ARP Poisoning (Man-in-the-Middle). In the ARP Poisoning attack based on Hole196, the malicious insider uses the GTK- encrypted packets to advertise itself as the gateway to other authorized Wi-Fi clients, in turn tricking them into redirecting their data to the insider via the AP. The authorized clients that receive the spoofed GTK packet, send their data traffic, encrypted using their respective PTKs, to the AP. The AP then forwards that data, encrypted with the insider’s PTK, to the insider’s machine where the data can now be decrypted. Thus, the insider is able to bypass inter-user data privacy and see private data traffic from other authorized Wi-Fi users in the network. Note this attack is neither a brute force attack on the authentication nor does it involve cracking the private keys (PTKs) of other users in the network. In fact, the attacker does © 2010 AirTight Networks, Inc. All rights reserved. 3
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies not require the PTKs of other users because the AP is tricked into doing all the work — decrypting the data from victim clients and then forwarding the data to the attacker by encrypting it in the attacker’s PTK! Wired LAN WPA2 secured AP Victim’s data encrypted Victim’s data encrypted with Attacker’s PTK with Victim’s PTK 3 2 4 1 I am the Gateway Victim Attacker (Encrypted with GTK) 1. Attacker broadcasts a fake ARP message to poison the ARP table of other Wi-Fi clients in the WPA2 network, mapping the IP address of the actual gateway to the MAC address of the attacker’s device. 2. Victim sends all its PTK-encrypted traffic data traffic to the AP with the Attacker’s device MAC address as the destination (gateway) 3. AP forwards Victim’s data to the Attacker encrypting it in the Attacker’s PTK. Using his own PTK, the Attacker can decrypt private data from the Victim. 4. The Attacker then forwards the data traffic to the actual gateway so that the attack is transparent to the Victim who continues the communication as normal. The same old ARP poisoning! So what’s new? ARP poisoning is a classic attack that could be already launched on the Ethernet or even through a WPA2-secured AP. However, in this old way of launching the attack, the AP forwards the spoofed ARP messages on the wireless as well as the wired network. The messages that go on the wire are in the clear (unencrypted). Wired network security has evolved over the years to the point that wired IDS/IPS and even network switches can readily catch and block this attack on the wire today. But launching an ARP poisoning attack using spoofed GTK-encrypted frames limits the footprint of the attack only to the air and the payload is encrypted. So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs see anything abnormal. So unless a wireless intrusion prevention system (WIPS) is in place that scans the airspace and detects the anomalous behavior exhibited by the attacker over the air, this attack cannot be detected. © 2010 AirTight Networks, Inc. All rights reserved. 4
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Old style ARP poisoning Stealth-mode ARP poisoning The footprint of the attack is on the wire The footprint of the attack (using and wireless GTK-encrypted packets) is limited to the air Wired LAN Attack can be detected Wired LAN and blocked on the wire Devices on the wire (e.g., wired (e.g., using wired IDS/IPS IDS/IPS, WLAN controller) have or WLAN controller) no visibility into the attack Spoofed ARP message Spoofed ARP message (Encrypted with GTK) Attacker Victim Attacker Victim In short, the WPA2 GTK vulnerability enables a malicious insider to launch classic attacks like ARP poisoning, while staying hidden, making it among the stealthiest insider threats. And given the sophisticated hacking tools (e.g., SSLStrip) that are freely available and can be used on top of this exploit, this is a significant risk for security sensitive organizations (e.g., government, finance, and retail) that have to protect national security and cardholder data from insider threats and espionage. Denial of Service (DoS) A malicious insider can misuse the replay protection framework in WPA2 to launch a DoS attack on other authorized Wi-Fi devices in a WPA2 network. For instance, the attacker could broadcast a GTK-encrypted packet with a packet number (PN) much higher than the current PN counter for GTK messages. All clients receiving that message will update their PN counter to the large number advertised by the attacker. After that, all legitimate broadcast messages coming from the AP will be dropped by the victimized clients resulting in a denial of service. Applications that rely on broadcast and multicast messages (e.g., ARP updates) will stop working. Higher layer exploits A malicious insider could choose to include other malicious payloads inside the spoofed GTK-encrypted packets. For instance, a malicious insider could launch a targeted IP layer attack by including a payload with the IP address of a specific target Wi-Fi user device in the WPA2 network. Other Wi-Fi devices would drop this packet at the IP level. Using this technique, several TCP/UDP and application layer exploits are possible, e.g., TCP reset, TCP indirection, DNS manipulation, port scanning, malware injection, privilege escalation, etc. © 2010 AirTight Networks, Inc. All rights reserved. 5
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies IP packet encapsulated into a group addressed IEEE 802.11 data frame Remediation Strategies Client isolation Many WLAN controllers and APs have a “client isolation” feature (also known as PSPF). Using this data communication between two Wi-Fi clients associated to the same AP (or APs controlled by the same controller) can be disabled. While an insider could still send out spoofed GTK-encrypted broadcast packets directly to other clients in the network, he will no longer be able to receive data traffic from a victim if both are associated to the same AP or to APs controlled by the same WLAN controller. But, client isolation is a “first aid” solution and should not be relied on as the ultimate solution because a variant of the ARP poisoning and man-in-the-middle attack can bypass client isolation. For instance, the attacker could poison the victim such that the data traffic from the victim is redirected to a fake gateway over the wire (by using the Ethernet MAC address of the Attacker’s Wi-Fi laptop that is also plugged into the Ethernet LAN or by using a separate machine on the wired network). Further, other attacks (e.g., DoS, malware injection) can be launched using just Step 1 (injecting spoofed GTK-encrypted broadcast packets), which will bypass client isolation. Note that client isolation is a proprietary feature and the implementation is likely to vary among WLAN vendors. Further, it may not always be practical to use client isolation, for instance, if certain enterprise applications running over Wi-Fi (e.g., VoIP over WiFi) require Wi-Fi clients to communicate with one another via the AP. Fix in the WLAN infrastructure The WLAN AP vendors can circumvent the Hole196 vulnerability by stopping the use of a shared group key (GTK). In most controller-based WLAN architectures today, the APs do not transmit broadcast traffic over the air and instead the WLAN controller maintains an ARP table. In other words, the GTK does not get used. However, according to current WPA2 protocol standard, a GTK needs to be assigned by the AP to each client during the association (four-way handshake) process. AP vendors can implement a patch to their AP software to assign a unique, randomly generated GTK to each client instead of sharing the same GTK among all clients. Using unique GTKs will neutralize the Hole196 vulnerability. © 2010 AirTight Networks, Inc. All rights reserved. 6
AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies And there will be no cost associated with this change in terms of reduced data About throughput, unless broadcast traffic is sent by the AP over the air using unique GTKs. AirTight Networks AirTight Networks is the global In the long term, this approach of deprecating the use of a shared GTK can also be leader in wireless security and adopted in the IEEE 802.11 standard. compliance solutions providing customers best-of-breed technology to automatically WIPS as an additional layer of defense detect, classify, locate and A wireless intrusion prevention system (WIPS) provides a protective layer of defense block all current and emerging and a faster path for managing emerging threats and vulnerabilities until appropriate wireless threats. AirTight offers fixes are implemented in the infrastructure. AirTight® Networks’ SpectraGuard® both the industry’s leading Enterprise WIPS has successfully protected organizations against Wi-Fi vulnerabilities wireless intrusion prevention (such as WEP cracking, WPA-TKIP vulnerability, and Cisco Skyjacking) in the past, and system (WIPS) and the world’s the Hole 196 vulnerability is no exception. first wireless vulnerability management (WVM) security- AirTight’s SpectraGuard Enterprise WIPS is built on top of basic building blocks such as-a-service (SaaS). AirTight’s as MAC spoofing detection, packet-based anomaly detection, and device behavioral award-winning solutions are analysis that have in the past provided security frameworks, including WEPGuard™, used by customers globally in WPAGuard™ and VLAN Policy Mapping™ to protect organizations from vulnerabilities the financial, government, retail, in Wi-Fi security protocols. A combination of the same building blocks can detect manufacturing, transportation, and locate attacks based on WPA2-Hole196 vulnerability and close the window of education, health care, telecom, exposure until a WPA2 protocol fix is provided in the standard or in the interim, by and technology industries. WLAN infrastructure vendors. AirTight owns the seminal patents for wireless intrusion prevention technology with 18 U.S. patents granted or allowed, Concluding Remarks two international patents The ‘Hole196’ vulnerability exposes all WPA and WPA2 networks, regardless of the granted (UK and Australia), and authentication (e.g., 802.1x, PSK, dynamic PSK) and encryption (e.g., TKIP, AES), to more than 20 additional patents insider attacks. A malicious insider can exploit ‘Hole196’ to bypass inter-user data pending. AirTight Networks privacy in WPA and WPA2 and decrypt data traffic from other authorized Wi-Fi clients is a privately held company in the network. A variety of classic attacks such as ARP poisoning, man in the middle, based in Mountain View, CA. For denial of service, malware injection, etc., can be launched. more information please visit www.airtightnetworks.com Enterprises can consider using remediation strategies based on client isolation and endpoint security software, but the effectiveness of these solutions is limited. WLAN AirTight Networks and the AirTight infrastructure vendors can provide a proprietary solution by means of a software Networks logo are trademarks; patch or upgrade to their AP software so that APs provide unique GTKs to its AirTight and SpectraGuard are associated clients. This will neutralize the ‘Hole196’ vulnerability without breaking the registered trademarks of AirTight interoperability with Wi-Fi clients. Networks, Inc. All other trademarks are the property of their respective While the vulnerability gets fixed, a wireless intrusion prevention system (WIPS) such owners. as SpectraGuard Enterprise can provide an additional layer of defense for protecting enterprise networks 24/7 not only from exploits based on Hole196, but also from other wireless threats such as Rogue APs, soft APs, mis-configurations, and Wi-Fi client misbehavior. The Global Leader in Wireless Security Solutions AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043 T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com © 2010 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.

Recommended

IoT based attendance system
IoT based attendance systemIoT based attendance system
IoT based attendance systemIRJET Journal
 
Internet of Things (IoT) Based Smart Security & Home Automation System.
Internet of Things (IoT) Based Smart Security & Home Automation System.Internet of Things (IoT) Based Smart Security & Home Automation System.
Internet of Things (IoT) Based Smart Security & Home Automation System.sayed78
 
wireless electronics notice board using GSM
wireless electronics notice board using GSMwireless electronics notice board using GSM
wireless electronics notice board using GSMRahul Kumar
 
Finger print based door access system
Finger print based door access systemFinger print based door access system
Finger print based door access systemAkshay Govekar
 
Home automation using arduino
Home automation using arduinoHome automation using arduino
Home automation using arduinoIkram Arshad
 
Iot attendance system using fingerprint module
Iot attendance system using fingerprint module Iot attendance system using fingerprint module
Iot attendance system using fingerprint module AjinkyaMore29
 
Technical Seminar ppt.pptx
Technical Seminar ppt.pptxTechnical Seminar ppt.pptx
Technical Seminar ppt.pptxKarunGowda3
 
Raspberry-Pi
Raspberry-PiRaspberry-Pi
Raspberry-PiRehan Fazal
 

Recommended

IoT based attendance system
IoT based attendance systemIoT based attendance system
IoT based attendance systemIRJET Journal
 
Internet of Things (IoT) Based Smart Security & Home Automation System.
Internet of Things (IoT) Based Smart Security & Home Automation System.Internet of Things (IoT) Based Smart Security & Home Automation System.
Internet of Things (IoT) Based Smart Security & Home Automation System.sayed78
 
wireless electronics notice board using GSM
wireless electronics notice board using GSMwireless electronics notice board using GSM
wireless electronics notice board using GSMRahul Kumar
 
Finger print based door access system
Finger print based door access systemFinger print based door access system
Finger print based door access systemAkshay Govekar
 
Home automation using arduino
Home automation using arduinoHome automation using arduino
Home automation using arduinoIkram Arshad
 
Iot attendance system using fingerprint module
Iot attendance system using fingerprint module Iot attendance system using fingerprint module
Iot attendance system using fingerprint module AjinkyaMore29
 
Technical Seminar ppt.pptx
Technical Seminar ppt.pptxTechnical Seminar ppt.pptx
Technical Seminar ppt.pptxKarunGowda3
 
Raspberry-Pi
Raspberry-PiRaspberry-Pi
Raspberry-PiRehan Fazal
 
Smoke Detection System
Smoke Detection SystemSmoke Detection System
Smoke Detection SystemAhsanullah University of Science & Technology
 
E notice board project report
E notice board project reportE notice board project report
E notice board project reportamit chaudhary
 
Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD Ganesh Gani
 
PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by Bluetooth PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by BluetoothAakashkumar276
 
Bidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project ProposalBidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project ProposalArsalan Ahmad
 
Gsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation systemGsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation systemSantanu Mukhopadhyay
 
Bluetooth Home Automation
Bluetooth Home AutomationBluetooth Home Automation
Bluetooth Home AutomationApoorv Gupta
 
74ls390
74ls39074ls390
74ls390kiennguyen1991
 
Presentation Smart Home With Home Automation
Presentation Smart Home With Home AutomationPresentation Smart Home With Home Automation
Presentation Smart Home With Home AutomationArifur Rahman
 
Smart Village
Smart VillageSmart Village
Smart VillageSai Bhaskar Reddy Nakka
 
Smart street light system
Smart street light systemSmart street light system
Smart street light systemKuriakose Mathew
 
GSM BASED GAS LEAKAGE DETECTION SYSTEM
GSM BASED GAS LEAKAGE DETECTION SYSTEMGSM BASED GAS LEAKAGE DETECTION SYSTEM
GSM BASED GAS LEAKAGE DETECTION SYSTEMInternational Journal of Technical Research & Application
 
Hand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | ArduinoHand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | ArduinoParvez Hafeez
 
HAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIRHAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIRNoufal Nechiyan
 
Fingerprint base security system
Fingerprint base security systemFingerprint base security system
Fingerprint base security systempraful borad
 
wireless notice board
wireless notice board wireless notice board
wireless notice boardAnmol Purohit
 
Smart street light detector
Smart street light detectorSmart street light detector
Smart street light detectorsiddharth bhatt
 
Arduino obstacle avoidance robot
Arduino obstacle avoidance robotArduino obstacle avoidance robot
Arduino obstacle avoidance robotSteven Radigan
 
FPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for BeginnersFPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for Beginnersijtsrd
 
gsm based home automation
gsm based home automationgsm based home automation
gsm based home automationRohit Sinha
 
Wpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentationWpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentationMd Sohail Ahmad
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsAirTight Networks
 

More Related Content

What's hot

E notice board project report
E notice board project reportE notice board project report
E notice board project reportamit chaudhary
 
Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD Ganesh Gani
 
PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by Bluetooth PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by BluetoothAakashkumar276
 
Bidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project ProposalBidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project ProposalArsalan Ahmad
 
Gsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation systemGsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation systemSantanu Mukhopadhyay
 
Bluetooth Home Automation
Bluetooth Home AutomationBluetooth Home Automation
Bluetooth Home AutomationApoorv Gupta
 
Presentation Smart Home With Home Automation
Presentation Smart Home With Home AutomationPresentation Smart Home With Home Automation
Presentation Smart Home With Home AutomationArifur Rahman
 
Hand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | ArduinoHand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | ArduinoParvez Hafeez
 
HAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIRHAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIRNoufal Nechiyan
 
Fingerprint base security system
Fingerprint base security systemFingerprint base security system
Fingerprint base security systempraful borad
 
wireless notice board
wireless notice board wireless notice board
wireless notice boardAnmol Purohit
 
Smart street light detector
Smart street light detectorSmart street light detector
Smart street light detectorsiddharth bhatt
 
Arduino obstacle avoidance robot
Arduino obstacle avoidance robotArduino obstacle avoidance robot
Arduino obstacle avoidance robotSteven Radigan
 
FPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for BeginnersFPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for Beginnersijtsrd
 
gsm based home automation
gsm based home automationgsm based home automation
gsm based home automationRohit Sinha
 

What's hot (20)

Smoke Detection System
Smoke Detection SystemSmoke Detection System
Smoke Detection System
 
E notice board project report
E notice board project reportE notice board project report
E notice board project report
 
Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD Main project report on GSM BASED WIRELESS NOTICE BOARD
Main project report on GSM BASED WIRELESS NOTICE BOARD
 
PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by Bluetooth PROJECT REPORT ON Home automation using by Bluetooth
PROJECT REPORT ON Home automation using by Bluetooth
 
Bidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project ProposalBidirectional Visitor counter Project Proposal
Bidirectional Visitor counter Project Proposal
 
Gsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation systemGsm Based Automated Irrigation irrigation system
Gsm Based Automated Irrigation irrigation system
 
Bluetooth Home Automation
Bluetooth Home AutomationBluetooth Home Automation
Bluetooth Home Automation
 
74ls390
74ls39074ls390
74ls390
 
Presentation Smart Home With Home Automation
Presentation Smart Home With Home AutomationPresentation Smart Home With Home Automation
Presentation Smart Home With Home Automation
 
Smart Village
Smart VillageSmart Village
Smart Village
 
Smart street light system
Smart street light systemSmart street light system
Smart street light system
 
GSM BASED GAS LEAKAGE DETECTION SYSTEM
GSM BASED GAS LEAKAGE DETECTION SYSTEMGSM BASED GAS LEAKAGE DETECTION SYSTEM
GSM BASED GAS LEAKAGE DETECTION SYSTEM
 
Hand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | ArduinoHand Gesture controlled Robotic Arm | Android | Arduino
Hand Gesture controlled Robotic Arm | Android | Arduino
 
HAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIRHAND GESTURE CONTROLLED WHEEL CHAIR
HAND GESTURE CONTROLLED WHEEL CHAIR
 
Fingerprint base security system
Fingerprint base security systemFingerprint base security system
Fingerprint base security system
 
wireless notice board
wireless notice board wireless notice board
wireless notice board
 
Smart street light detector
Smart street light detectorSmart street light detector
Smart street light detector
 
Arduino obstacle avoidance robot
Arduino obstacle avoidance robotArduino obstacle avoidance robot
Arduino obstacle avoidance robot
 
FPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for BeginnersFPGA Based Digital Logic Circuits Operation for Beginners
FPGA Based Digital Logic Circuits Operation for Beginners
 
gsm based home automation
gsm based home automationgsm based home automation
gsm based home automation
 

Similar to WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies

Wpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentationWpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentationMd Sohail Ahmad
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsAirTight Networks
 
Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measureShivam Singh
 
4 wifi security
4 wifi security4 wifi security
4 wifi securityal-sari7
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Ajin Abraham
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Dr. Amarjeet Singh
 
WPA3 - What is it good for?
WPA3 - What is it good for?WPA3 - What is it good for?
WPA3 - What is it good for?Tom Isaacson
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Fábio Afonso
 
Skyriver Communications – Fixed Wireless Security
Skyriver Communications – Fixed Wireless SecuritySkyriver Communications – Fixed Wireless Security
Skyriver Communications – Fixed Wireless SecuritySkyriver04
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedIRJET Journal
 

Similar to WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies (20)

Wpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentationWpa too-hole196-defcon18-presentation
Wpa too-hole196-defcon18-presentation
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQs
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
609 618
609 618609 618
609 618
 
Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measure
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
WPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP ExploitWPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP Exploit
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
 
Comprehensive Guide On Network Security
Comprehensive Guide On Network SecurityComprehensive Guide On Network Security
Comprehensive Guide On Network Security
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
 
WPA 3
WPA 3WPA 3
WPA 3
 
WPA3 - What is it good for?
WPA3 - What is it good for?WPA3 - What is it good for?
WPA3 - What is it good for?
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
 
Skyriver Communications – Fixed Wireless Security
Skyriver Communications – Fixed Wireless SecuritySkyriver Communications – Fixed Wireless Security
Skyriver Communications – Fixed Wireless Security
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
Wireless hacking
Wireless hackingWireless hacking
Wireless hacking
 

More from AirTight Networks

Is 11ac Right for Your Network?
Is 11ac Right for Your Network?Is 11ac Right for Your Network?
Is 11ac Right for Your Network?AirTight Networks
 
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014AirTight Networks
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfAirTight Networks
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight Networks
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration AirTight Networks
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution briefAirTight Networks
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013AirTight Networks
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecurityAirTight Networks
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Networks
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1AirTight Networks
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseAirTight Networks
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseAirTight Networks
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresAirTight Networks
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsAirTight Networks
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 

More from AirTight Networks (20)

Is 11ac Right for Your Network?
Is 11ac Right for Your Network?Is 11ac Right for Your Network?
Is 11ac Right for Your Network?
 
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise Thyself
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSP
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution brief
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise Security
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the Enterprise
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the Enterprise
 
802.11w Tutorial
802.11w Tutorial802.11w Tutorial
802.11w Tutorial
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—Recommendations
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your Enterprise
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies

  • 1. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com © 2010 AirTight Networks, Inc. All rights reserved.
  • 2. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Executive Summary A Wi-Fi Protected Access version 2 (WPA2), with AES encryption and 802.1x based authentication, is considered the most secure configuration for Wi-Fi networks, and recommended as the “go-to” Wi-Fi security protocol by the Wi-Fi Alliance. Naturally, more organizations are relying on WPA2 to protect their enterprise Wi-Fi networks. WPA2 is also being increasingly adopted to secure guest Wi-Fi networks as well as Wi-Fi Hotspots and municipal Wi-Fi networks that were traditionally implemented over Open Wi-Fi. This paper presents a vulnerability, called Hole1961, in the WPA2 protocol that makes all implementations of WPA- and WPA2-secured Wi-Fi networks (regardless of the authentication and encryption used) vulnerable to insider attacks. It discusses ways in which a malicious insider can exploit Hole196 to attack other authorized Wi-Fi users in a WPA2-secured wireless LAN (WLAN). It also explores remediation strategies at various levels that organizations can implement to mitigate this threat. 1 The moniker ‘Hole196’ refers to the page number in the IEEE 802.11 Standard (Revision, 2007) where the vulnerability is buried. © 2010 AirTight Networks, Inc. All rights reserved. 2
  • 3. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Background In the WPA2 protocol standard two types of keys are used for data encryption: the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK). Each client associated to a WPA2- secured access point (AP) receives a unique PTK that is used for securing over-the-air unicast data traffic between that client and the AP. A GTK, however, is shared by all clients associated with the AP; the GTK is used to secure over-the-air broadcast or multicast data traffic sent by the AP. In other words, a PTK is a “two-way” private key and can be used by a client or the AP to encrypt and decrypt unicast data traffic. While the GTK is a “one-way” shared key that is to be used only by the AP for encrypting broadcast or multicast traffic and that is to be used by clients only for decrypting the broadcast or multicast traffic they receive from the AP. Hole196 Vulnerability in WPA2 The GTK can be misused by a malicious insider (authorized user) in a WPA2 network. For instance, an insider can spoof the MAC address of the AP and inject a GTK-encrypted packet with broadcast destination address. An insider can leverage such spoofed GTK-encrypted packets to launch several attacks such as ARP Poisoning (Man-in-the-Middle). In the ARP Poisoning attack based on Hole196, the malicious insider uses the GTK- encrypted packets to advertise itself as the gateway to other authorized Wi-Fi clients, in turn tricking them into redirecting their data to the insider via the AP. The authorized clients that receive the spoofed GTK packet, send their data traffic, encrypted using their respective PTKs, to the AP. The AP then forwards that data, encrypted with the insider’s PTK, to the insider’s machine where the data can now be decrypted. Thus, the insider is able to bypass inter-user data privacy and see private data traffic from other authorized Wi-Fi users in the network. Note this attack is neither a brute force attack on the authentication nor does it involve cracking the private keys (PTKs) of other users in the network. In fact, the attacker does © 2010 AirTight Networks, Inc. All rights reserved. 3
  • 4. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies not require the PTKs of other users because the AP is tricked into doing all the work — decrypting the data from victim clients and then forwarding the data to the attacker by encrypting it in the attacker’s PTK! Wired LAN WPA2 secured AP Victim’s data encrypted Victim’s data encrypted with Attacker’s PTK with Victim’s PTK 3 2 4 1 I am the Gateway Victim Attacker (Encrypted with GTK) 1. Attacker broadcasts a fake ARP message to poison the ARP table of other Wi-Fi clients in the WPA2 network, mapping the IP address of the actual gateway to the MAC address of the attacker’s device. 2. Victim sends all its PTK-encrypted traffic data traffic to the AP with the Attacker’s device MAC address as the destination (gateway) 3. AP forwards Victim’s data to the Attacker encrypting it in the Attacker’s PTK. Using his own PTK, the Attacker can decrypt private data from the Victim. 4. The Attacker then forwards the data traffic to the actual gateway so that the attack is transparent to the Victim who continues the communication as normal. The same old ARP poisoning! So what’s new? ARP poisoning is a classic attack that could be already launched on the Ethernet or even through a WPA2-secured AP. However, in this old way of launching the attack, the AP forwards the spoofed ARP messages on the wireless as well as the wired network. The messages that go on the wire are in the clear (unencrypted). Wired network security has evolved over the years to the point that wired IDS/IPS and even network switches can readily catch and block this attack on the wire today. But launching an ARP poisoning attack using spoofed GTK-encrypted frames limits the footprint of the attack only to the air and the payload is encrypted. So no wire-side security solution is ever going to catch this attack over WPA2, nor will existing APs see anything abnormal. So unless a wireless intrusion prevention system (WIPS) is in place that scans the airspace and detects the anomalous behavior exhibited by the attacker over the air, this attack cannot be detected. © 2010 AirTight Networks, Inc. All rights reserved. 4
  • 5. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies Old style ARP poisoning Stealth-mode ARP poisoning The footprint of the attack is on the wire The footprint of the attack (using and wireless GTK-encrypted packets) is limited to the air Wired LAN Attack can be detected Wired LAN and blocked on the wire Devices on the wire (e.g., wired (e.g., using wired IDS/IPS IDS/IPS, WLAN controller) have or WLAN controller) no visibility into the attack Spoofed ARP message Spoofed ARP message (Encrypted with GTK) Attacker Victim Attacker Victim In short, the WPA2 GTK vulnerability enables a malicious insider to launch classic attacks like ARP poisoning, while staying hidden, making it among the stealthiest insider threats. And given the sophisticated hacking tools (e.g., SSLStrip) that are freely available and can be used on top of this exploit, this is a significant risk for security sensitive organizations (e.g., government, finance, and retail) that have to protect national security and cardholder data from insider threats and espionage. Denial of Service (DoS) A malicious insider can misuse the replay protection framework in WPA2 to launch a DoS attack on other authorized Wi-Fi devices in a WPA2 network. For instance, the attacker could broadcast a GTK-encrypted packet with a packet number (PN) much higher than the current PN counter for GTK messages. All clients receiving that message will update their PN counter to the large number advertised by the attacker. After that, all legitimate broadcast messages coming from the AP will be dropped by the victimized clients resulting in a denial of service. Applications that rely on broadcast and multicast messages (e.g., ARP updates) will stop working. Higher layer exploits A malicious insider could choose to include other malicious payloads inside the spoofed GTK-encrypted packets. For instance, a malicious insider could launch a targeted IP layer attack by including a payload with the IP address of a specific target Wi-Fi user device in the WPA2 network. Other Wi-Fi devices would drop this packet at the IP level. Using this technique, several TCP/UDP and application layer exploits are possible, e.g., TCP reset, TCP indirection, DNS manipulation, port scanning, malware injection, privilege escalation, etc. © 2010 AirTight Networks, Inc. All rights reserved. 5
  • 6. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies IP packet encapsulated into a group addressed IEEE 802.11 data frame Remediation Strategies Client isolation Many WLAN controllers and APs have a “client isolation” feature (also known as PSPF). Using this data communication between two Wi-Fi clients associated to the same AP (or APs controlled by the same controller) can be disabled. While an insider could still send out spoofed GTK-encrypted broadcast packets directly to other clients in the network, he will no longer be able to receive data traffic from a victim if both are associated to the same AP or to APs controlled by the same WLAN controller. But, client isolation is a “first aid” solution and should not be relied on as the ultimate solution because a variant of the ARP poisoning and man-in-the-middle attack can bypass client isolation. For instance, the attacker could poison the victim such that the data traffic from the victim is redirected to a fake gateway over the wire (by using the Ethernet MAC address of the Attacker’s Wi-Fi laptop that is also plugged into the Ethernet LAN or by using a separate machine on the wired network). Further, other attacks (e.g., DoS, malware injection) can be launched using just Step 1 (injecting spoofed GTK-encrypted broadcast packets), which will bypass client isolation. Note that client isolation is a proprietary feature and the implementation is likely to vary among WLAN vendors. Further, it may not always be practical to use client isolation, for instance, if certain enterprise applications running over Wi-Fi (e.g., VoIP over WiFi) require Wi-Fi clients to communicate with one another via the AP. Fix in the WLAN infrastructure The WLAN AP vendors can circumvent the Hole196 vulnerability by stopping the use of a shared group key (GTK). In most controller-based WLAN architectures today, the APs do not transmit broadcast traffic over the air and instead the WLAN controller maintains an ARP table. In other words, the GTK does not get used. However, according to current WPA2 protocol standard, a GTK needs to be assigned by the AP to each client during the association (four-way handshake) process. AP vendors can implement a patch to their AP software to assign a unique, randomly generated GTK to each client instead of sharing the same GTK among all clients. Using unique GTKs will neutralize the Hole196 vulnerability. © 2010 AirTight Networks, Inc. All rights reserved. 6
  • 7. AirTight Networks WHITEPAPER WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies And there will be no cost associated with this change in terms of reduced data About throughput, unless broadcast traffic is sent by the AP over the air using unique GTKs. AirTight Networks AirTight Networks is the global In the long term, this approach of deprecating the use of a shared GTK can also be leader in wireless security and adopted in the IEEE 802.11 standard. compliance solutions providing customers best-of-breed technology to automatically WIPS as an additional layer of defense detect, classify, locate and A wireless intrusion prevention system (WIPS) provides a protective layer of defense block all current and emerging and a faster path for managing emerging threats and vulnerabilities until appropriate wireless threats. AirTight offers fixes are implemented in the infrastructure. AirTight® Networks’ SpectraGuard® both the industry’s leading Enterprise WIPS has successfully protected organizations against Wi-Fi vulnerabilities wireless intrusion prevention (such as WEP cracking, WPA-TKIP vulnerability, and Cisco Skyjacking) in the past, and system (WIPS) and the world’s the Hole 196 vulnerability is no exception. first wireless vulnerability management (WVM) security- AirTight’s SpectraGuard Enterprise WIPS is built on top of basic building blocks such as-a-service (SaaS). AirTight’s as MAC spoofing detection, packet-based anomaly detection, and device behavioral award-winning solutions are analysis that have in the past provided security frameworks, including WEPGuard™, used by customers globally in WPAGuard™ and VLAN Policy Mapping™ to protect organizations from vulnerabilities the financial, government, retail, in Wi-Fi security protocols. A combination of the same building blocks can detect manufacturing, transportation, and locate attacks based on WPA2-Hole196 vulnerability and close the window of education, health care, telecom, exposure until a WPA2 protocol fix is provided in the standard or in the interim, by and technology industries. WLAN infrastructure vendors. AirTight owns the seminal patents for wireless intrusion prevention technology with 18 U.S. patents granted or allowed, Concluding Remarks two international patents The ‘Hole196’ vulnerability exposes all WPA and WPA2 networks, regardless of the granted (UK and Australia), and authentication (e.g., 802.1x, PSK, dynamic PSK) and encryption (e.g., TKIP, AES), to more than 20 additional patents insider attacks. A malicious insider can exploit ‘Hole196’ to bypass inter-user data pending. AirTight Networks privacy in WPA and WPA2 and decrypt data traffic from other authorized Wi-Fi clients is a privately held company in the network. A variety of classic attacks such as ARP poisoning, man in the middle, based in Mountain View, CA. For denial of service, malware injection, etc., can be launched. more information please visit www.airtightnetworks.com Enterprises can consider using remediation strategies based on client isolation and endpoint security software, but the effectiveness of these solutions is limited. WLAN AirTight Networks and the AirTight infrastructure vendors can provide a proprietary solution by means of a software Networks logo are trademarks; patch or upgrade to their AP software so that APs provide unique GTKs to its AirTight and SpectraGuard are associated clients. This will neutralize the ‘Hole196’ vulnerability without breaking the registered trademarks of AirTight interoperability with Wi-Fi clients. Networks, Inc. All other trademarks are the property of their respective While the vulnerability gets fixed, a wireless intrusion prevention system (WIPS) such owners. as SpectraGuard Enterprise can provide an additional layer of defense for protecting enterprise networks 24/7 not only from exploits based on Hole196, but also from other wireless threats such as Rogue APs, soft APs, mis-configurations, and Wi-Fi client misbehavior. The Global Leader in Wireless Security Solutions AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043 T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com © 2010 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.