LEAPing Attack Tools, Batman!
Prompted by our recent story on insecurities in Cisco's proprietary protocol, a hacker emailed Unstrung to say that he had posted an attack tool designed to exploit them on the Web along with a detailed description of how it works.
Unstrung has seen the download site and the technical details of how the tool uses the challenge/response mechanism implemented in LEAP to pull the authentication information out of the data stream and then mount a so-called "dictionary attack" offline (basically running a database of words and numbers against the captured data until the right combination is found) to crack the password. Obviously, as this is a family site, we're not going to reveal the URL [ed. note: although, for a small fee...].
The hacker says he has long been aware of the possibility of using the LEAP flaw as a way to mount dictionary attacks against wireless LANs. The issue was highlighted by Joshua Wright, an information security architect from Johnson & Wales University in Providence, at the recent Unstrung conference in New York, where he mounted a demonstration of the attack using a tool he had developed himself called "AsLEAP" (see Look Before You LEAP).
"The LEAP vulnerabilities were well known by then in the underground," the hacker says.
For his part, Wright has said that he won't release the AsLEAP tool until February 2004, to give Cisco and its customers time to react. The hacker's code, however, is available now and the anonymous one says that it "allows you to perform Joshua Wright's techniques."
To combat such attacks, Cisco recommends that IT staff implement "strong password policies." This means using 10-character passwords, a mixture of alphanumeric characters in both upper and lower case and choosing words that aren't in the dictionary, according to Ron Seide, product line manager at Cisco's wireless LAN business unit.
Cisco is working on a software upgrade to the LEAP code that is expected to hit in March 2004. However, Seide and his cohort Chris Bolinger, a manager of product marketing in the unit, were unable to reveal many details, other than describing it as "a generic software update."
"We're still working with partners and reviewing our options," says Seide. Many vendors have implemented LEAP as part of the Cisco Compatible Extensions (CCX) program (see Cisco Bolsters Its WLAN Hand).
However, Bolinger is happy to say what won't be in the upgrade. Some analysts, he notes, have suggested a policy that would limit the number of log-in attempts a user is allowed. This may work against an online attack, Bolinger notes, but would be useless against an offline attack, where the hacker has already grabbed the data he or she needs and can crack the password at their leisure (although in Wright's AsLEAP demonstration the tool typically took seconds or minutes to finish its task anyway). Furthermore, Seide cautions against the notion that any password-based protection can be totally secure. "We don't want to send out the message that there's a magic bullet coming out in March," he says.
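As an added illustration of the password policy Cisco recommends above and of Bolinger's point that an offline attacker is limited only by the size of the search space, not by a log-in counter, the following checker (written for this page, not from the article or from Cisco) applies those rules to sample passwords and sizes the guess space; the embedded word list is a constructed stand-in for a real dictionary.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "welcome", "cisco", "wireless", "secret", "summer"}

MIN_LENGTH = 10  # "10-character passwords" from the recommended policy


def policy_violations(password: str) -> list:
    """Return the rules from the recommended policy that `password` breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Strip digits and ignore case so "Password123" is still caught as a
    # dictionary word with trivial padding, which an offline guesser tries early.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("dictionary word with trivial padding")
    return problems


def compliant(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy_violations(password)


def guess_space(length: int = MIN_LENGTH) -> int:
    """Number of mixed-case alphanumeric strings of the given length.

    Offline, no lockout applies: this count is the only thing standing
    between a captured challenge/response and the password.
    """
    alphabet = len(string.ascii_letters + string.digits)  # 62 symbols
    return alphabet ** length


if __name__ == "__main__":
    for pw in ("cisco", "Password123", "Tr7x9Qm2Lp"):
        print(pw, "->", policy_violations(pw) or "compliant")
    print("dictionary guesses needed:", len(DICTIONARY))
    print("full 10-char space:", guess_space())
```

The contrast between `len(DICTIONARY)` and `guess_space()` is the whole argument: a dictionary word falls in a handful of offline guesses regardless of any lockout, while a compliant random password forces the attacker through 62^10 candidates.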
In fact, Cisco is pushing Protected Extensible Authentication Protocol (PEAP) -- the protocol Cisco co-authored with Microsoft Corp. (Nasdaq: MSFT) -- as a potential upgrade path for LEAP. PEAP uses "trusted certificates" on both the client device and backend, rather than passwords, to authenticate users on an 802.11 network.
However, Bolinger figures PEAP may not be ideal for every company, as there will be those that don't want to implement a certificate-based public key infrastructure (PKI) system on their networks.
— Dan Jones, Senior Editor, Unstrung