Cisco Wireless LANs at risk from 'skyjacking' flaw Security researchers have discovered a potential denial of service or information stealing flaw affecting Cisco's wireless networking kit. The snappily-monikered skyjacking flaw affects lightweight Cisco wireless access points or networks running Over-the-Air-Provisioning (OTAP). With OTAP enabled, newly connected Cisco …
...there’s a reason OTAP is off by default, doesn’t work on brand-new AP’s, and doesn’t work on AP’s that are already associated with a controller!
Any ‘stolen’ APs would be flagged as missing on the Corporate WCS and would then be detected as a Rogue AP by WCS / WLC / MSE (WIPS), and if the Corporate has setup the network / WCS properly, the system will flag the exact switch and switchport the Rogue is connected to, allowing the switchport to be shutdown and also allowing WiFi Containment to be launched too. Failing all of that, this is also why Users should use mutual-authentication methods like PEAP (done properly!), EAP-TLS & EAP-FAST; if mutual authentication is enforced then the Clients won’t join the Stolen AP, even if they are spoofing the ESSID.
Also quite like the way they can write a whole page of scaremongering but they admit they’ve not actually found a way of implementing the exploit :o)
Anyway, just my 2p… It’s an interesting approach, but ultimately this shouldn’t pose any 'real' problems unless the network & clients are setup poorly.
you would want the initial OTAP stream to be unencrypted (for organizations using an internal CA). But surely the initial provisioning should force the AP to require encryption / digital signing for all further updates.
.... or does Cisco not provide this as a feature? If not then a big FAIL on their part.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
