Hole 196 Attack: Major Security Threat?
In July and August 2010, a Wi-Fi security firm named AirTight garnered press by announcing that an AirTight researcher had found a vulnerability in WPA2. AirTight dubbed the vulnerability “Hole 196” to refer to the page of the IEEE 802.11 Standard (Revision 2007) on which the weakness is mentioned. According to an AirTight white paper, a Wi-Fi client device that is authorized to be on a network can exploit the vulnerability to decrypt intercepted transmitted data, inject malicious traffic into the network, and compromise other authorized devices. AirTight demonstrated a “Hole 196” attack at Black Hat and DEFCON.
The 802.11-2007 standard stipulates that an access point (AP) can use a common shared key, called a group temporal key (GTK), to encrypt the broadcast traffic sent to all clients that are associated to that AP. As stated on page 196 of 802.11-2007, a client cannot detect address spoofing and data forgery for packets encrypted with a GTK.
After associating to an AP as an authorized user, a hacker’s device initiates a “Hole 196” attack by using the GTK to encrypt a spoofed broadcast packet, called an ARP poison packet. Because an AP sends but does not receive broadcast messages, the AP does not examine the spoofed packet and does not see that the packet has the AP’s MAC address as the transmitter’s address. Upon receiving the spoofed packet, the target accepts it and updates its ARP table, thereby redirecting its transmitted packets to the hacker instead of the intended gateway. When the target sends packets, the real AP decrypts them before forwarding them to the hacker. The hacker becomes an undetected “man in the middle”, snooping data packets from the target before forwarding those packets to the intended gateway.
[Figure: Steps in “Hole 196” Attack]
The “Hole 196” attack is an ARP-poisoning attack. Hackers can attempt similar ARP-poisoning attacks on Ethernet networks, but advanced Ethernet switches identify and block ARP poison packets, thereby preventing the attacks. An advanced AP with similar protections could identify and block ARP poison packets, too, but in a Wi-Fi scenario the hacker can bypass the AP and transmit the ARP poison packet directly to the target while making it appear that the packet came from the AP.
The ability of a hacker to bypass an AP also prevents client isolation from preventing the attack. Client isolation is a non-standard means by which a Wi-Fi infrastructure prevents two client devices from communicating with one another through an AP. Cisco, the dominant supplier of enterprise-grade Wi-Fi infrastructure, offers a client isolation mechanism called publicly secure packet forwarding (PSPF). But PSPF, like other client isolation techniques, cannot prevent a hacker from bypassing an AP and sending a poison ARP packet directly to another client.
By combining client isolation with a second measure, you can convert the “Hole 196” attack from a man-in-the-middle attack to a denial-of-service attack. The second measure is to put Ethernet nodes on a different IP subnet or VLAN than Wi-Fi clients. When the hacker tries to redirect the target’s packets to the hacker’s Ethernet node, the MAC address the target was tricked into using will be unreachable from the Wi-Fi subnet, so the hijacked packets will never reach the hacker’s Ethernet node. AirTight agrees that the combination of client isolation and IP subnetting is an effective counter to the “Hole 196” attack.
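Because the AP never sees the poison packet, the binding it tries to install (the gateway’s IP mapped to the hacker’s MAC) can only be caught on the client or by a wireless sensor. The following is an added example, not code from the article or from AirTight: a client-side check that pins the real gateway’s MAC and flags any ARP packet claiming the gateway IP with a different MAC. All addresses and frames are constructed sample values.

```python
import struct

ETHERTYPE_ARP = 0x0806
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns a dict of fields, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]),
            "oper": oper,                   # 1 = request, 2 = reply
            "sha": mac_str(frame[22:28]),   # sender hardware (MAC) address
            "spa": ip_str(frame[28:32]),    # sender protocol (IP) address
            "tha": mac_str(frame[32:38]),
            "tpa": ip_str(frame[38:42])}

def check_gateway_spoof(frame: bytes, gateway_ip: str, gateway_mac: str):
    """Alert when an ARP packet claims the gateway's IP with a MAC other than
    the pinned one: the binding an ARP-poison packet tries to install."""
    arp = parse_arp(frame)
    if arp is None or arp["spa"] != gateway_ip:
        return None
    if arp["sha"].lower() == gateway_mac.lower():
        return None
    return (f"ARP poison suspected: {gateway_ip} claimed by {arp['sha']} "
            f"(pinned {gateway_mac}), eth_src={arp['eth_src']}, op={arp['oper']}")

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build a raw ARP frame; used here only to construct sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    return hdr + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample values (not from the article): the pinned gateway, a
# genuine gratuitous reply from it, and a forged one naming another station.
GW_IP, GW_MAC, BCAST = "192.168.1.1", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"
LEGIT = build_arp(BCAST, GW_MAC, 2, GW_MAC, GW_IP, BCAST, "192.168.1.50")
FORGED = build_arp(BCAST, GW_MAC, 2, "de:ad:be:ef:00:02", GW_IP, BCAST, "192.168.1.50")
```

Feeding captured frames through `check_gateway_spoof` returns None for the genuine reply and an alert string for the forged one; a static ARP entry for the gateway on the client is the corresponding preventive measure.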
WPA2-Enterprise provides authentication and encryption at Layer 2, the link layer between clients and the infrastructure. Security measures at higher layers, such as the use of a virtual private network (VPN) or secure sockets layer (SSL) for certain types of applications and data, augment WPA2-Enterprise and provide additional assurance of network access control and privacy. The potential downsides of additional security layers are lower data transfer rates and additional load on each client device.