Aruba Creates Security Stir
Aruba claims that very few enterprises that have implemented Radius services are really secure and that if a hacker can connect an 802.11 access point to a corporate wired network, they may be able to grab Radius packets and use tools to perform a "dictionary attack" to discover the secret Radius "key" used between a Radius client and server. "Weak implementations [e.g., simple key words] allow cracking to be accomplished in a matter of hours, or days at the most," Aruba claims.
"Once broken, an attacker can use this information to conduct further attacks that include breaking 802.11i key exchanges and eavesdropping on wireless communication through interception of wireless encryption keys," according to a security paper on Aruba's site [ed note: link now defunct]. On the face of it, the Radius hack seems similar to other dictionary attacks already outlined by Aruba (see Look Before You LEAP). But other vendors are in a huff over what they see as Aruba exploiting known weaknesses in Radius wired security to try to spread fear, uncertainty, and doubt about wireless security.
"This is something that people have known about for a while," says Dan Harkins, security architect at Trapeze Networks Inc. "It's nothing to do with wireless security."
"It's a cooked-up crisis," suggests Alan Cohen, VP of marketing at Airespace Inc., and if a hacker has penetrated deep enough into corporate buildings to be able to plug into the wired network, then they will be able to do a lot more damage than just hacking into the wireless network.
"If I've broken into your house, do I really want to start making copies of house keys, or start looking for where you keep your jewelry?" asks Cohen, removing a ski-mask.
But Aruba is sticking to its guns, while clarifying that the hack doesn't have anything to do with the security of the new 802.11i standard.
"It's a wired issue that is made worse by wireless," says David Callisch, communications director at Aruba. Enterprise wireless LAN leader Cisco Systems Inc. (Nasdaq: CSCO) says that it cannot comment on Aruba's papers before the firm presents them to the IETF next week.
— Dan Jones, Site Editor, Unstrung