You have probably followed the news and heard about AirTight Networks’ demonstration of the WPA2 design flaw. What does this mean for operators of wireless networks? Do you have to care? Do you feel threatened? Is there a way to feel better again?
First, take a look at what the design flaw means and what the attack looks like. Hole 196 means that "an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those Wi-Fi devices". So an attacker has to be authenticated to the network before she can use the exploit. This does not mean that "WPA2" is compromised entirely (yet). It just means that we (maybe) deal with a design flaw. Attacking "WPA2" head on should still be difficult enough.
Should you use more defences now that this design flaw has been published? Well, if your network security design follows the defence in depth strategy, the impact is quite low. Deploying "WPA2" does not stop you from deploying secure protocols inside your local network as well. Paul Simmonds, Jericho Forum founder and Board member, spoke in his keynote at the DeepSec 2007 conference about the changing nature of the perimeter. Your best bet for keeping trouble away from your resources is to use secure protocols and authentication all the way from end to end, regardless of whether you're in your safe haven or on the road. If you can afford the extra layer of security, then use it. Almost everyone who needs a secure wireless network uses 802.11i and a VPN (such as IPsec or OpenVPN™) with X.509 certificates. It may let you sleep at night (or even during the day).
P.S.: Since there are WPA cracking services available in the Cloud, you might want to reconsider the idea of having WPA(2) as the only line of defence anyway.