Hole 196

Jouni Malinen j
Mon Aug 2 13:33:38 PDT 2010

On Mon, Aug 02, 2010 at 07:56:07PM +0300, Andriy Tkachuk wrote:

> Did you hear about this Hole 196? Here -
> http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html
> I tried to understand something from it, but sorry - failed. Maybe
> someone of you could enlighten what it could be?

I don't think there is much to understand from that..

> In short, they exploit the nature of GTK which does not have protection
> against spoofing and data forgery (as it is stated in the note at the
> bottom of 196 page in standard). Legally authenticated (but evil) client
> begins to forge the group frames as from the AP into the air, but I
> don't understand what it may gain from this? How it can get clients PTKs
> with this (as they state in the article)? Any idea?

It doesn't; that's being reported incorrectly. It looks like this is
just getting way more press time than it deserves. The main difference
may be in some intrusion detection systems not detecting ARP poisoning
attach done by an insider using GTK to send the frame; there is not
really any new attack on wireless systems here. The same attack would
also be possible on pretty much any network type (including wireless by
sending the packet normally through the AP).

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list