Security researchers have discovered a potential denial of service or information stealing flaw affecting Cisco's wireless networking kit. The snappily-monikered skyjacking flaw affects lightweight Cisco wireless access points or networks running Over-the-Air-Provisioning (OTAP). With OTAP enabled, newly connected Cisco access …
"flaw in the wireless network of TJX stores"
Wasn't that "flaw" that they sent everything unencrypted over-the-air? Or am I thinking of something else?
In Cisco's defence...
...there’s a reason OTAP is off by default, doesn’t work on brand-new APs, and doesn’t work on APs that are already associated with a controller!
Any ‘stolen’ APs would be flagged as missing on the Corporate WCS and would then be detected as a Rogue AP by WCS / WLC / MSE (WIPS), and if the Corporate has set up the network / WCS properly, the system will flag the exact switch and switchport the Rogue is connected to, allowing the switchport to be shut down and also allowing WiFi Containment to be launched too. Failing all of that, this is also why Users should use mutual-authentication methods like PEAP (done properly!), EAP-TLS & EAP-FAST; if mutual authentication is enforced then the Clients won’t join the Stolen AP, even if they are spoofing the ESSID.
Also quite like the way they can write a whole page of scaremongering but they admit they’ve not actually found a way of implementing the exploit :o)
Anyway, just my 2p… It’s an interesting approach, but ultimately this shouldn’t pose any 'real' problems unless the network & clients are set up poorly.
Why would you?
Once you have properly provisioned your network, why would you leave OTAP switched on? It is an open invitation for someone else to re-provision everything.
I can understand why
you would want the initial OTAP stream to be unencrypted (for organizations using an internal CA). But surely the initial provisioning should force the AP to require encryption / digital signing for all further updates.
.... or does Cisco not provide this as a feature? If not then a big FAIL on their part.