Researchers at wireless security company AirTight Networks have uncovered a vulnerability in the widely used WPA2 security protocol, part of the 802.11 standard. The vulnerability, termed "Hole 196", which can be exploited by attackers already authenticated to the network, allows decryption of data sent by other users across the network.
Wireless encryption uses two keys to protect the communications, firstly a Pairwise Transient Key (PTK), unique to each client, and used to protect traffic between that client and the access point, and secondly, a Group Temporal Key (GTK) that is known to all clients on the network, and used to encrypt broadcast traffic (traffic sent to all clients connected to the network).
The attack does not rely on brute-forcing, or breaking of the AES encryption used to protect the communications. The vulnerability arises when a malicious client uses the GTK to send spoofed packets to another user on the network. GTKs do not have the ability to detect spoofed packets, an ability which does exist in PTKs.
Researcher Md Sohail Ahmad, who discovered the vulnerability, says it took around 10 lines of code added to open source driver software, and an off-the-shelf wireless adaptor in order to implement the exploit. By spoofing the MAC address of the access point, clients who receive the malicious packets, believe the sender to be the gateway, and respond using their PTK, which the attacker can then decrypt.
Exploiting the vulnerability is limited to users already authorised to the network, which mitigates the risk, but security studies repeatedly indicate security breaches from inside continue to be the biggest source of loss to businesses.
WPA2 is the latest encryption protocol available for wireless networking, and as yet, there is no successor ready to take its place in order to resolve this issue, it remains to be seen what the security community can devise to work around the problem in the protocol.