
Packet6

San Francisco Bay Area Wi-Fi Professional Services


Archives for October 2017

What’s New In Cisco WLC 8.5.105.0?

October 24, 2017 by Rowell Dionicio

Over the weekend of October 21st 2017, Cisco released wireless LAN controller (WLC) and lightweight access points version 8.5.105.0. We take a look at what is new with Cisco WLC and why we should consider upgrading.

One thing to note is that this release is a repost of 8.5.103.0. Most notably it resolves the AP / Infrastructure vulnerability to the KRACK attack. Cisco had some challenges getting this release out after the vulnerability was published. Over the weekend they had posted an update and then pulled it back.

I have upgraded a few controllers to 8.5.105.0 without any issue.

Here are a few features that stuck out to me in the release notes:

New AP support for Aironet 1540 series, 1815m and 1815t

Of course, with newer access points you must be running the latest version of code. I’ve been able to see the Aironet 1540 in person and it’s a small outdoor AP that fits even our aesthetic requirements. I haven’t had experience with the other two.

Place Aironet 1540, 1560, and 18xx APs into monitor mode

This is a welcome feature. Monitor mode is used to collect RF channel info that is used with rogue detection, wIPS, and CleanAir. The following Aironet APs will be capable of going into monitor mode:

  • 1540 series
  • 1560 series
  • 1810 OfficeExtend
  • 1810W
  • 1815
  • 1850
  • 1830

Cisco Spectrum Expert-Remote Sensor on Wave 2 APs

Another great feature. Check out our previous blog post on using the Chanalyzer CleanAir accessory. While placing an AP into Spectrum Expert mode doesn’t allow it to service clients, it does become a tremendous troubleshooting tool when needed.

New AP Commands

  • show controllers dot11radio 1 antenna – Displays last seen power (per-antenna RSSI) with the radio port as input.
  • show controllers dot11radio 1 client mac-address – Displays info on what the client is doing (rate selection and streams). Also displays non-zero RX, TX, or TX-Retries (cumulative) for each rate, stream, or width combination.

Support for Client-Aware Flexible Radio Assignment

Client-Aware FRA will be supported on Aironet 2800 and 3800 APs. What this allows you to do is set a utilization threshold to turn a monitor mode radio to a client serving 5 GHz radio and vice versa.

The two features are called Client select and Client reset. The default percentage values are 50% and 5% respectively.

  • View FRA assignment settings using the show advanced fra command

Software-Defined Access Wireless

This is for those wanting to enable SD-Access for wireless. We have yet to try SD-Access.

  • Enterprise Fabric

Identity PSK

Identity PSK allows you to configure a unique pre-shared key for devices to join a PSK network. Think about devices that are unable to join 802.1X networks but you don’t want to share one key across all devices. This is useful for IoT devices.

  • Provide devices with unique pre-shared keys to join a WPA-PSK network.

Conclusion

Look out for future updates on the features we’ve listed above. We will be testing the features out and sharing our experiences. Version 8.5.105.0 is the TAC recommended AireOS build for those needing 8.5 features.

Vulnerabilities in WPA2 Wi-Fi with KRACK Attack

October 22, 2017 by Rowell Dionicio

The KRACK Attack targets a weakness in WPA2 key management, weakening Wi-Fi networks that were considered secure.

Statistics gathered by Wigle show that 60% of Wi-Fi networks are secured by WPA2. WPA2 is the most widely used method to encrypt Wi-Fi traffic. It’s used in homes and in enterprise networks. WPA2 is implemented using a pre-shared key or by using 802.1X authentication with an EAP protocol. The KRACK Attack vulnerability is widespread because it exploits a flaw within WPA2 key management.

On October 16th, 2017 the KRACK Attack vulnerability was discovered by a security researcher at KU Leuven, Mathy Vanhoef. He is a PhD in computer science and has published many research papers and presentations on the topic of security. Take a read here: http://www.mathyvanhoef.com/p/publications.html. Check out the details of KRACK Attack written by Mathy Vanhoef at http://krackattacks.com.

What Is The KRACK Attack?

The KRACK Attack targets a weakness in WPA2 key management using key reinstallation attacks. An attacker within range of a victim can read information which is thought to be encrypted and secure. The ramifications include theft of sensitive information that is not transported by a secure method, and the possibility of injecting or manipulating data in websites as the attacker performs a Man-In-The-Middle attack.

The KRACK Attack does not affect specific devices but targets the 802.11i amendment which defines the use and operation of WPA2 and key management. Any device utilizing WPA2 is affected.

KRACK Attack specifically targets the 4-Way Handshake process by manipulating and replaying cryptographic messages.

How Does The KRACK Attack Work?

An attacker needs to be in proximity to the victim. While Wi-Fi signals travel quite a distance, the attacker would need to be fairly close in order to perform a Man-In-The-Middle (MiTM) attack. A MiTM attack is required to successfully pull off the KRACK Attack. A MiTM attack is when an attacker makes the victim’s traffic go through the attacker before getting to its final destination.

The attacker will spoof a real access point and trick a client into joining the rogue access point, while still allowing Wi-Fi authentication to complete. To pull off the KRACK attack, the attacker will replay a message within the 4-Way Handshake. The flaw here is that the victim’s device will accept the replay of one of these messages when it should not, thus allowing the attacker to use a previously used key. A key should only be used once and this is the flaw the KRACK attack targets.

Is There A Fix?

Yes, there is a fix! First of all, there are 10 total vulnerabilities. 9 of the vulnerabilities target the client side. What this means is any client device using WPA2, which is any modern device, will need to be updated. Whether that is iOS, Android, IoT devices, laptops, etc., they all need to be updated by the vendor. Some vendors have already issued updates to fix this issue.

1 vulnerability targets the Wi-Fi infrastructure and major vendors have already begun releasing updates to patch this security issue.

The technical fix to the KRACK Attack is to prevent the reuse of nonce values. Devices must not accept previously used keys. A workaround on the infrastructure side, such as on wireless LAN controllers or cloud-managed controllers, is to disable 802.11r.
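To make the fix concrete, here is a small simulation of a client receiving a replayed message 3, with and without the patch. It is an added example, not code from any vendor or from the KRACK research: the Supplicant class, the hash-based keystream (a stand-in for CCMP), the simplified "same key already installed" check and all sample values are assumptions constructed for illustration.

```python
# Toy model (constructed for illustration) of a WPA2 client handling message 3
# of the 4-Way Handshake. The "cipher" is a hash-based keystream, not CCMP.
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Stand-in for the per-frame keystream derived from (key, packet number).
    return hashlib.sha256(key + nonce.to_bytes(8, "big")).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0              # packet number, used as the nonce
        self.nonces_used = []    # (key, nonce) pairs that protected a frame

    def on_message3(self, ptk: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 carrying the key that
        # is already installed must not reinstall it or reset the counter.
        if self.patched and ptk == self.key:
            return
        self.key = ptk
        self.pn = 0              # installing a key resets the nonce

    def send(self, plaintext: bytes) -> bytes:
        self.pn += 1
        self.nonces_used.append((self.key, self.pn))
        return xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

P1 = b"first frame....."         # constructed 16-byte sample frames
P2 = b"second frame...."

def run_handshake_with_replay(patched: bool):
    ptk = b"constructed-session-key"
    sta = Supplicant(patched)
    sta.on_message3(ptk)         # original message 3
    c1 = sta.send(P1)
    sta.on_message3(ptk)         # replayed message 3
    c2 = sta.send(P2)
    # Nonce reuse means the same (key, nonce) pair protected two frames.
    reused = len(set(sta.nonces_used)) < len(sta.nonces_used)
    return reused, c1, c2

if __name__ == "__main__":
    for patched in (False, True):
        reused, _, _ = run_handshake_with_replay(patched)
        print("patched" if patched else "unpatched", "nonce reused:", reused)
```

In the unpatched run both frames are encrypted under the same key and nonce, which is why a new Wi-Fi password does not help while the client itself stays unpatched.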

Vendors who have released updates (not a full list):

  • Meraki
  • Cisco
  • Aruba
  • Windows

Security

Patch management of devices and infrastructure is critical. Occasional patching keeps you on top of security updates. Vendors keep release notes with their patches which IT can review and implement in a timely fashion.

The key to a successful security plan is to take a layered approach. A firewall is not the only thing you need to secure your network.

Should I abandon WPA2?

No. There are updates being applied to devices and infrastructure hardware to address KRACK Attack.

Should I change my WPA2 password?

Changing your WPA2 password does not resolve the issue as KRACK Attack focuses on key management within WPA2.

Keep your devices updated regularly to stay on top of security patches. This will help protect your network against malicious hackers who try to use these attacks as soon as they are released.

Questions?

Do you have any questions or concerns about the security of your Wi-Fi network? If so, reach out to us using the contact form below.
