A flaw in the Cisco WLAN operation was announced in late Aug 2009 that allows a hacker to "skyjack" or take control of a Cisco lightweight access point. The vulnerability is rooted in the over-the-air-provisioning (OTAP) feature used by Cisco lightweight access points to discover and connect to a Cisco WLAN controller. This webinar presentation will deconstruct the skyjacking vulnerability - explaining why the vulnerability occurs in Cisco WLANs, which Cisco access points are affected, how skyjacking can be exploited to launch potent attacks, and what are the best practices to proactively protect your enterprise network against such zero-day vulnerabilities and attacks.

1. Webinar held on 02 Sept, 2009
*Webinar Press Release URL : http://digg.com/d3130SK
! " !

2. In the News
Cisco wireless LAN vulnerability could
open ‘back door’
Cisco wireless LANs at risk of attack,
‘skyjacking’
Newly discovered vulnerability could
threaten Cisco wireless LANs

3. What Cisco says
Severity = Mild
“No risk of data loss or interception”
“Could allow an attacker to cause a
denial of service (DoS) condition”
It’s not a big deal!

4. Hmm…
How severe is the exploit?
What exactly is skyjacking?
?
?
Do I need to worry about it?
?

5. What you will learn today
The risk from skyjacking vulnerability is much bigger
than stated
How to assess if you are vulnerable
Countermeasures for skyjacking and other zero-day
attacks

6. Five ways a LAP can discover WLCs
Subnet-level broadcast
Configured
Over-the-air provisioning (OTAP)
DNS
DHCP

7. Three criteria a LAP uses to select a WLC
Step 1 Primary, Secondary, Tertiary
Step 2 Master mode
Step 3 Maximum excess capacity

8. Over-the-air provisioning (OTAP)

9. OTAP exploited for “skyjacking”

10. Skyjacked LAP denies service to
wireless users

12. Secure WLAN enterprise access
Before
SSID Security VLAN Comment
Corp WPA2 20 Internal to corporate network
AP Physically 30 Internal to corporate network
Connected To

13. Authorized LAP skyjacked – DoS
Before
SSID Security VLAN Comment DoS
Corp WPA2 20 Internal to corporate network
AP Physically 30 Internal to corporate network
Connected To

14. Authorized LAP turned into Open Rogue AP
Before
Rogue on
SSID Security VLAN Comment Network
Corp OPEN 30 Internal to corporate network
AP Physically 30 Internal to corporate network
Connected To

15. Camouflaged Rogue LAP:
a backdoor to your
enterprise network!

16. Wolf in Sheep Clothing
Before
Rogue on
SSID Security VLAN Comment Network
Corp WPA2 30 Internal to corporate network
AP Physically 30 Internal to corporate network
Connected To

17. Wolf in Sheep Clothing – Scenario 2
Before
SSID Security VLAN Comment
DoS
Corp WPA2 20 Internal to corporate network
Guest OPEN 30 Internal to corporate network
Rogue on
AP Physically 30 Internal to corporate network Network
Connected To

18. SpectraGuard® Enterprise WLAN policy set-up
Guest WLAN SSID
Allowed Subnet (VLAN)
for Guest SSID

19. Normal WLAN operation
Device list displayed on SpectraGuard Enterprise console
Authorized SSIDs are seen in “Green” color and are
detected with VLAN identifier to which they connect

20. Skyjacking on guest access
1 Change in the VLAN is detected
SSID marked as “misconfigured”
2
(Background changes to amber)
Automatic Prevention started
3 ( Shield icon appears )

21. Summary
AirTight’s unique wireless-
Type of Skyjacking attack Only over-air wired correlation based
Open rogue
threat detection threat detection
Authorized SSID as Open
Rogue AP
WPA2 rogue
Authorized SSID as
“Privileged” Rogue AP X
(Wolf in Sheep clothing)
Open guest Guest access as Open
rogue Rogue AP
(Wolf in Sheep clothing –
X
scenario 2)

22. AirTight’s SpectraGuard Enterprise
The only WIPS that can provide zero-day protection
against the most potent form of skyjacking attack
Thanks to patented marker packet technology for
accurate wired connectivity detection and unique
VLAN Policy Mapping™ architecture

23. Which LAPs can be skyjacked?
Type of Cisco LAP Vulnerable?
LAPs using auto discovery Yes
Configured with “preferred” WLCs
? (primary, secondary, tertiary)
Mostly No
Configured with locally significant
No
certificates (LSC)

24. Countermeasures
Turn off OTAP on WLC Ineffective!
Manually configure LAPs with preferred Primarily HA and load
WLCs (primary, secondary, tertiary) balancing feature
Manually configure LAPs with LSCs Impractical
Block outgoing traffic from UDP ports Not a common
12222 and 12223 on your firewall practice

25. Practical difficulties:
Do you know
If all LAPs are configured with primary,
secondary and tertiary WLC?
If all LAPs are indeed connected to
configured WLCs?
If your outgoing UDP ports on the firewall are blocked? Did you test it
today?
How many VLANs do you have authorized for wireless access?
Are all SSIDs mapped to the correct VLANs?
When was the last time your LAPs rebooted?
When was the last time your WLC taken down for maintenance?
If all your APs are compliant with your security policies? How do you
know?

26. One mistake and you
could be exposed!

27. Adding second, independent layer of
WIPS protection
Zero-day attacks
Misconfigurations Undesirable
connections
Zero-day attacks
Undesirable
Misconfigurations connections
Designed for
security
Designed for
WLAN access

28. AirTight’s SpectraGuard product
family
Complete Wireless Intrusion Prevention Industry’s Only Wireless Security Service
Wireless Security for Mobile Users WLAN Coverage & Security Planning

29. About AirTight Networks
For more information on wireless security
risks, best practices, and solutions, visit:
http://www.airtightnetworks.com
The Global Leader in Wireless
Security and Compliance
Visit our blog to read the root cause
analysis of
“Skyjacking: What Went Wrong?”
http://blog.airtightnetworks.com