
SANS ISC: Cisco over-the-air-provisioning skyjacking exploit - SANS Internet Storm Center

Cisco over-the-air-provisioning skyjacking exploit

Cisco issued a security advisory for its 1100 and 1200 Series lightweight access points. The advisory is based on work done by the wireless IDS firm AirMagnet. The problem is common and basic: how do you establish a secure connection over an insecure medium in order to configure a device? A new device will not have any encryption keys installed yet, so some basic configuration options must be established first in order to enable encryption and exchange keys.

This is particularly tricky over wireless, as you do not control the medium. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol in which the access point uses multicast traffic to find a controller. During this initialization phase, a rogue controller could respond and push a bad configuration to the access point, disabling the device.

It should not be possible to set up a rogue access point using the actual network's encryption keys, as they are not known to the attacker. But it is a first step towards possibly gaining a foothold in an environment.

Cisco provides an advisory here: . The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



Aug 26th 2009
It's possible to steal a fresh LAP with a "rogue" WLC this way. It happened in our lab sometimes.
