Here’s the summary of the issue as described by industry security experts:
Security experts at AirTight Networks have discovered a hole in the WPA2 Wi-Fi security protocol. The security hole was named Hole 196 after the number of the relevant page in the IEEE 802.11 (2007) standard document. At the bottom of page 196, the IEEE standard introduces the keys used by WPA2: the PTK (Pairwise Transient Key), which is unique for every Wi-Fi client and used for unicast traffic, and the GTK (Group Temporal Key) used for broadcasts. While data forgeries and spoofed MAC addresses can be detected with the PTK, the GTK does not offer this functionality.
The AirTight experts say that this is the crux of the matter, because it allows a client to generate arbitrary broadcast packets which other clients respond to with information about their secret PTKs which can be decrypted by attackers. AirTight reportedly only needed to add 10 extra lines of code to the freely available open source Madwifi driver to make a PC with an off-the-shelf Wi-Fi client card spoof the MAC address of the Access Point and pretend to be the gateway for sending out traffic. Attackers could exploit this to cause damage on the network, for instance via denial-of-service (DoS) attacks. The experts say that the only factor mitigating the attack potential is that attackers need to be internal, authorised Wi-Fi users. They do not anticipate that a patch will become available because “Hole 196” is written into the standard.
via The H-Security
Why everyone other than Meru cares
So this boils down to a simple issue, and it is one that doesn’t matter once you consider that Meru’s architecture is virtualized.
Basically, each client has a “Unicast” key (a key based on a unique ID) and a “Broadcast” key that is set per BSSID and is common to every client associated with that BSSID. This is the crux of the issue. It is possible for a nefarious client to exploit that shared broadcast key to damage the network or potentially steal information.
In a microcell architecture, the AP acts as an Ethernet hub: everyone who associates with that AP shares the same BSSID, and is therefore exposed to the “Hole 196” vulnerability.
The question is: if the vulnerability is in the broadcast key, how do you stop broadcasts on a wireless network from using the same shared key for all users when the APs act like hubs? The answer is to virtualize and make the AP act more like a switch.
Why you are safer with Meru
Since connections to Meru are controlled via Virtual Port, each station has a unique BSSID generated and controlled by System Director. This means that each client now has a unique WPA2 broadcast key. This element of virtualization makes it impossible for a nefarious client to spoof the AP’s MAC address and exploit the broadcast key to launch security attacks, because no other client shares that broadcast key and therefore no one is exposed to the attack.
So the nefarious client will use the broadcast key tied to the BSSID that Meru’s Virtual Port generated, thinking its frames are going out to everyone. In reality, the broadcast is seen by no one other than the Meru system, and the attacker never gets direct access to the other clients.
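To make the key-scoping argument concrete, here is a small added model (not code from the page or from Meru) of the two cells described above: a microcell where every client holds the same GTK, and a Virtual Port style cell where each client has its own BSSID and therefore its own GTK. The CCMP integrity check is stood in for by an HMAC over the frame, and the station names and frame bytes are constructed for the illustration; the point is that a receiver can only verify a broadcast under the group key it holds, so sharing that key is what exposes the other clients.

```python
import hmac
import hashlib
import os


def mic(key: bytes, frame: bytes) -> bytes:
    # Stand-in for the CCMP MIC: a keyed hash over the frame under the group key.
    # (Simplification: real 802.11 uses AES-CCM; the keying argument is the same.)
    return hmac.new(key, frame, hashlib.sha256).digest()


class Station:
    def __init__(self, name: str, gtk: bytes):
        self.name = name
        self.gtk = gtk          # group key handed out by the AP for this station's BSSID

    def accepts_broadcast(self, frame: bytes, tag: bytes) -> bool:
        # A client accepts a broadcast if the MIC verifies under *its* GTK. It has no
        # way to tell whether the AP or another holder of that same GTK computed it.
        return hmac.compare_digest(mic(self.gtk, frame), tag)


def build_cell(names, per_client_bssid: bool):
    # Microcell / hub model: one BSSID, one GTK shared by every associated client.
    # Virtual Port model: each client gets its own BSSID, hence its own GTK.
    if per_client_bssid:
        return [Station(n, os.urandom(16)) for n in names]
    shared_gtk = os.urandom(16)
    return [Station(n, shared_gtk) for n in names]


def exposed_stations(stations, insider: Station):
    # An authorised insider forges a broadcast using only the GTK it was legitimately
    # given (constructed frame; the source field claims to be the AP).
    frame = b"src=AP-MAC|dst=ff:ff:ff:ff:ff:ff|constructed payload"
    tag = mic(insider.gtk, frame)
    # Every other station whose GTK verifies the forged tag is exposed.
    return [s.name for s in stations if s is not insider and s.accepts_broadcast(frame, tag)]


def demo(per_client_bssid: bool):
    # Returns the list of clients (other than the insider) that would accept the forgery.
    cell = build_cell(["alice", "bob", "carol", "mallory"], per_client_bssid)
    return exposed_stations(cell, cell[-1])


if __name__ == "__main__":
    print("shared GTK (microcell):", demo(False))   # every other client is exposed
    print("per-client GTK (Virtual Port):", demo(True))   # nobody else holds that key
```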
Conclusion
Whether or not this is an issue that will bring down the house remains to be seen. Either way, the answer is again virtualization: it makes wireless act like an Ethernet switch, while microcell remains oblivious to the limitations of Ethernet hubs.
It will be interesting to see what AirTight has to say about this…
Universities are experiencing significant growth in the number of Wi-Fi devices on their campus networks. Some estimate that students bring 3-4 Wi-Fi devices to campus with them. So it should be no surprise what the top priority is for prospective freshmen selecting a college or university. Yep, you guessed it: Wi-Fi connectivity and performance. According to a recent report by Converge (http://www.convergemag.com/classtech/More-Technology-in-College.html), 77% ranked wireless LAN as their top priority. Wireless LAN is no longer nice to have; it is a MUST HAVE to attract students, and a competitive tool for higher education.
However, some universities with microcell networks are finding it difficult to support the increased client density. A recent article in ComputerWorld uses a case study of an Aruba Networks customer, Brandeis University, to explain why Adaptive Radio Management (ARM) falls short in supporting dense user environments and the challenges an IT department faces with high client density deployments in a university setting.
While ARM attempts to avoid co-channel interference between access points automatically by changing RF power levels, setting AP channels, and moving clients from one RF band to another, the network’s problems are exacerbated as density increases, creating a more unstable and unmanageable network. The automatic tools prove useless and IT teams must revert to manual intervention. The fundamental reason is that co-channel interference is unavoidable. You can’t take the mechanisms used to avoid external interference (a microwave oven, for example) and simply adapt them for co-channel interference. That is a fundamentally flawed strategy that fails when put to the test in large networks and is crushed by high density situations. The problem is that this scheme works for smaller scale, low density networks, creating a false sense of security among users. People are banking on the simple statement “it works fine until it doesn’t”, and when it doesn’t, it falls off a cliff!
As the number of Wi-Fi clients per square foot increases, microcell’s approach is to shrink the cell size, add more access points and reduce RF power even further to minimize the nasty effects of co-channel interference. There are a number of significant challenges with this approach: 1) lowering RF power at the AP reduces signal-to-noise levels for clients, creating spotty coverage and intermittent connections; 2) clients see more access points to choose from and bounce between them; 3) client power is not managed, and client transmissions can easily disrupt performance in adjacent cells; and 4) RF signals don’t stop at nice boundaries, so placing access points closer together increases co-channel interference.
Schools, universities and colleges that are evaluating new wireless LANs should be aware of the scaling limitations of microcell networks. Once the network is installed and deployed, how do they scale capacity? Will scaling be linear? What happens once they have used the entire RF spectrum for basic coverage and have no reserved capacity? Can they get 5-8 years of investment out of the network? Given the density challenges, Brandeis has learned the answer is no.
by jepstein on June 15, 2010
Steve Jobs is a master at showmanship, not just in his presentations, but with the products his company, Apple, creates. With a goal that was visible in the original Macintosh but taken to near completion with the iPhone and iPad, Apple has sought to completely own the user experience, integrating the various parts into a seamless package where every detail has a purpose. And his successes have shown that this vision is right: it’s the user experience that matters, not what cool features this or that component can do.