Researchers at a security firm on Tuesday disclosed a vulnerability within the Cisco wireless framework that could offer intruders a gaping entryway into an organization's network.
The AirMagnet Intrusion Research Team said it discovered an exploit, known as "skyjacking," which could enable someone -- either on purpose or by accident -- to take control of a wireless access point (AP) and point it to an outside Cisco controller.
"Access points do not normally get connected to the wrong controller," Wade Williamson, AirMagnet's director of product management, told SCMagazineUS.com on Monday. "If [one does], you have a big problem. We've uncovered a way where, by accident or design, an access point could get connected to the wrong controller or a controller that's not in its network."
By doing that, attackers could assume control of a legitimate access point, which not only gives them visibility into relayed data but also could open the gates into an organization's wired network.
"You've taken an approved AP and turned it rogue," Williamson said. "At this point, you've got the keys to the castle. You have an authorized wireless connection into a wired network. Not only would you be able to see everything that access point does but, more importantly, you'll have accessed your way into the wired part of that network... So you've got a full breach."
Researchers at AirMagnet, which has been acquired by Fluke Networks, also detected another problem in the Cisco network. Leveraging Cisco's Over-the-Air Provisioning feature, engineers found that data belonging to wireless controllers, such as IP and media access control (MAC) addresses, is inadvertently broadcast unencrypted.
With that information, attackers can target these devices, which support large numbers of access points, with attacks such as denial-of-service attempts, Williamson said. In addition, intruders can use the data to learn more about a company's network topology.
"You can start to figure out where things are," he said.
Cisco was notified of the issues and is working on a fix, Williamson said. In lieu of a patch, the leakage component of the vulnerability could be mitigated by users turning off the Over-the-Air Provisioning feature. But the threat of rogue access points can only be controlled through wireless monitoring.
Cisco on Tuesday issued an alert, describing the vulnerability as low-risk and easily prevented.
"This vulnerability is characterized as low-risk because of the difficulty inherent in its exploitation and the number of easily implemented mitigation techniques," Cisco spokesman Ed Tan said in an email.