Some wireless access points from Cisco Systems have a vulnerability that could allow a hacker to redirect traffic outside the enterprise or potentially gain access to an entire corporate network, a security company said.
At the root of the problem is the way that new Cisco APs are added to a network, according to AirMagnet, a wireless network security company that discovered the problem and planned to report its findings.
Existing APs broadcast information about the nearby network controller they communicate with. That way, when an enterprise hangs a new AP, that AP listens to information broadcast by other APs and knows which controller to connect to.
However, the existing APs broadcast that information, including the controller's IP address and MAC (Media Access Control) address, unencrypted. Sniffing that information out of the air is relatively simple and can be done with free tools like NetStumbler, said Wade Williamson, director of product management at AirMagnet.
Armed with the information that the APs broadcast, a person could target a controller with a denial of service attack, for example, and take down a section of the network, Williamson said. But the attacker would likely have to be physically on-site to do that, he said.
The bigger potential is that a person could “skyjack” a new AP by getting the AP to connect to a controller that is outside of the enterprise. That would become “the mother of all rogue APs,” Williamson said. “You could almost create a back door using a wireless AP.” Rogue APs are typically those that employees connect to a corporate network without permission.
It could even happen accidentally. The Cisco AP might hear broadcasts from a legitimate neighboring network and mistakenly connect to that network, he said. Or a hacker could create that same scenario intentionally in order to take control of the AP, he said.
A hacker on the outside with control of that AP could see all the traffic passing over that AP, and could also potentially reach the enterprise's full network, Williamson said.
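The weakness described above is that a new AP trusts whichever controller address it overhears, with nothing authenticating the sender. One defensive check a wireless security team can run is to compare every overheard controller advertisement against an inventory of legitimate controllers and the enterprise's own address ranges, and raise a finding on anything else. The script below is an added example, not code from the article, from AirMagnet or from Cisco: the record layout (`ap_mac`, `controller_ip`, `controller_mac`), the sample advertisements, the inventory and the address ranges are all constructed for illustration, since the article does not describe the actual frame format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records: the kind of decoded controller advertisements a
# wireless IDS sensor might log. The field names are an assumption for this
# example, not the real over-the-air format.
SAMPLE_ADVERTISEMENTS = [
    {"ap_mac": "00:1a:2b:00:00:01", "controller_ip": "10.20.0.5",
     "controller_mac": "00:1a:2b:ff:00:01"},
    {"ap_mac": "00:1a:2b:00:00:02", "controller_ip": "10.20.0.5",
     "controller_mac": "00:1a:2b:ff:00:01"},
    # Known controller IP, but a different MAC: someone answering for the controller.
    {"ap_mac": "00:1a:2b:00:00:03", "controller_ip": "10.20.0.5",
     "controller_mac": "de:ad:be:ef:00:01"},
    # Controller address outside the enterprise ranges: the "skyjack" case.
    {"ap_mac": "00:1a:2b:00:00:04", "controller_ip": "203.0.113.9",
     "controller_mac": "de:ad:be:ef:00:02"},
    # Internal-looking address that is not in the inventory: a neighbouring
    # network or an unregistered device (the accidental-join case).
    {"ap_mac": "00:1a:2b:00:00:05", "controller_ip": "10.30.0.7",
     "controller_mac": "00:1a:2b:ff:00:09"},
]

# Constructed inventory: controller IP -> expected controller MAC.
KNOWN_CONTROLLERS: Dict[str, str] = {"10.20.0.5": "00:1a:2b:ff:00:01"}
# Constructed enterprise address space; a real deployment would load this from IPAM.
ENTERPRISE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    ap_mac: str
    controller_ip: str
    controller_mac: str
    reason: str


def classify(adv: dict,
             known: Dict[str, str] = KNOWN_CONTROLLERS,
             ranges=ENTERPRISE_RANGES) -> Optional[str]:
    """Return a reason string if the advertised controller is suspicious, else None.

    Checks run from cheapest to most specific: a malformed address, an address
    outside the enterprise, a controller missing from inventory, and finally a
    MAC that does not match the inventory entry for that IP.
    """
    ip = adv["controller_ip"]
    mac = adv["controller_mac"].lower()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed controller address"
    if not any(addr in net for net in ranges):
        return "controller address outside enterprise ranges"
    expected_mac = known.get(ip)
    if expected_mac is None:
        return "controller not in inventory"
    if expected_mac.lower() != mac:
        return "controller MAC does not match inventory"
    return None


def audit(advs: List[dict],
          known: Dict[str, str] = KNOWN_CONTROLLERS,
          ranges=ENTERPRISE_RANGES) -> List[Finding]:
    """Run classify() over every advertisement and collect the findings."""
    findings = []
    for adv in advs:
        reason = classify(adv, known, ranges)
        if reason is not None:
            findings.append(Finding(adv["ap_mac"], adv["controller_ip"],
                                    adv["controller_mac"], reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ADVERTISEMENTS):
        print(f"AP {f.ap_mac} advertises controller {f.controller_ip} "
              f"({f.controller_mac}): {f.reason}")
```

Run against the constructed sample, the audit flags the impersonated controller, the off-site address and the unregistered internal controller while passing the two legitimate advertisements. The MAC comparison matters because an address inside the enterprise range is not proof of a legitimate controller; the inventory entry is what ties the IP to the device that is expected to answer for it.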
The vulnerability affects all of Cisco's “lightweight” APs, meaning the kind that work in conjunction with a controller, he said. That includes most of the APs Cisco has released since it acquired Airespace in 2005, he said.