Cisco over-the-air-provisioning skyjacking exploit

Published: 2009-08-26
Last Updated: 2009-08-26 02:40:26 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Cisco issued a security advisory for its  1100 and 1200 Series access lightweight points. The advisory is based on work done by wifi IDS firm AirMagnet. The problem is pretty common and basic: How do you establish a secure connection over an insecure medium in order to configure a device. A new device will not have any encryption keys installed yet. We first need to establish some basic configuration options in order to enable encryption and exchange keys.

This is of course in particular tricky over wireless as you do not control the medium. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol that uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and send a bad configuration to the access point, disabling the device.

It should not be possible to setup a rogue access point using the actual networks encryption keys, as they are not known to the attacker. But it is a first step to possibly get a foothold in an environment.

Cisco provides an advisory here: . The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: cisco skyjacking wifi
1 comment(s)


it's possible to steal fresh LAP with "rogue" WLC this way. it happened in our lab sometimes

Diary Archives