Cisco access points support WPA migration mode, which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID). Cisco warns, in a Q&A document [1], about the dangers of this mode, stating that "security will operate at the least-secure level common to all devices" and that "as a result, a passive WEP key attack could be launched against WEP users". The scenario where WEP clients are connected is a serious risk: besides the "passive WEP key attack", an active WEP cracking attack could be launched against a connected WEP client station (rather than against the access point), recovering the WEP key in minutes.
We focused on analyzing the consequences of leaving this feature enabled when no WEP clients are present, for example after the migration to WPA has been completed but the feature has not been disabled. According to Cisco's statement we should then be operating "at the least-secure level common to all devices", meaning WPA; however, we found that it is possible for an attacker to crack the WEP key under this scenario (i.e. no WEP clients) and connect to the network. This is accomplished by mounting an active attack against the access point itself (with migration mode enabled and no WEP clients associated) to recover the WEP key; once recovered, the key can be used to connect to the access point, since it is still operating in WPA migration mode, and to access the network.
Furthermore, Cisco offers an additional security setting, "broadcast key rotation", which according to the documentation [2] "in WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point". We also found that this setting can be trivially bypassed.
The obvious solution is to disable WPA migration mode, which also removes support for legacy WEP stations. We further discuss mitigation strategies and suggest alternative configurations that support legacy WEP stations in a more secure manner.
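As an added illustration (not configuration taken from the advisory or from Cisco), the following Cisco IOS access point fragments contrast the migration-mode setting discussed above with a WPA-only setting that drops the WEP cipher entirely. The SSID names, the pre-shared key and the rotation interval are placeholders; the command syntax follows the Aironet IOS configuration guide [2], but verify it against the IOS release running on your access point.

```text
! --- Vulnerable: WPA migration mode (added example; all names and values are placeholders)
! The SSID accepts WPA clients and static-WEP clients because key management is "optional"
! and the radio cipher suite includes a WEP cipher next to TKIP.
dot11 ssid migrate
 authentication open
 authentication key-management wpa optional
 wpa-psk ascii ChangeThisPassphrase
!
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 ! Broadcast key rotation every 300 seconds; the advisory shows this does not
 ! protect a migration-mode access point with no WEP clients associated.
 broadcast-key change 300
 ssid migrate
!
! --- Hardened: WPA only, key management mandatory, no WEP cipher on the radio
dot11 ssid wpa-only
 authentication open
 authentication key-management wpa
 wpa-psk ascii ChangeThisPassphrase
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid wpa-only
```

The two settings to check on a migration-mode access point are the `wep40`/`wep128` cipher in `encryption mode ciphers` and the `optional` keyword on `authentication key-management wpa`; removing both is what the advisory's "obvious solution" amounts to in configuration terms. Legacy WEP stations then can no longer associate to this SSID.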
1. Cisco, "Wi-Fi Protected Access, WPA2 and IEEE 802.11i" (Q&A), http://www.cisco.com/en/US/customer/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801e3e59.html
2. Cisco, "Cisco IOS Software Configuration Guide for Cisco Aironet Access Points", http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b.html
The next three videos demonstrate the attack procedures against an access point in WPA Migration Mode under different scenarios.
The first video shows how to attack an access point configured in WPA Migration Mode when no WEP stations are using the access point.
The second video shows how to bypass "broadcast key rotation", a security feature developed by Cisco that, according to its documentation, "in WPA migration mode, significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point".
The third video shows how to attack an access point in WPA Migration Mode that also has PSPF (Public Secure Packet Forwarding, which blocks client-to-client traffic through the access point) enabled.