WPA2 security hole discovered
July 26, 2010 – 5:39 AM
Security experts at AirTight Networks have discovered a hole in the WPA2 Wi-Fi security protocol. The security hole was named “Hole 196” after the number of the relevant page in the IEEE 802.11 (2007) standard document. Right at the bottom of this page, the IEEE introduces the keys used by WPA2: the PTK (Pairwise Transient Key), which is unique for every Wi-Fi client and used for unicast traffic, and the GTK (Group Temporal Key), which is shared by all clients of an access point and used for broadcasts. While data forgeries and spoofed MAC addresses can be detected with the PTK, the GTK does not offer this protection.
The AirTight experts say that this is the crux of the matter, because it allows a client to generate arbitrary broadcast packets to which other clients respond with information about their secret PTKs, which attackers can then decrypt. AirTight reportedly needed only 10 extra lines of code in the Madwifi driver to make a PC with an ordinary Wi-Fi card act like an access point. Attackers could reportedly exploit this to cause damage on the network, for instance via denial-of-service (DoS) attacks. The experts say that the only factor mitigating the attack potential is that attackers need to be internal, authorised Wi-Fi users. They do not anticipate that a patch will become available because “Hole 196” is written into the standard.
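As an added illustration (not code from the article or from AirTight), the following Python model shows the key-hierarchy point behind Hole 196: an integrity tag computed under a per-client PTK binds a frame to the one station that holds that key, whereas a tag under the shared GTK verifies for every client and so says nothing about who actually sent a broadcast. HMAC-SHA256 stands in for the CCMP MIC, and the MAC addresses, keys and payload are constructed for the demo.

```python
import hmac
import hashlib
import os

BROADCAST = "ff:ff:ff:ff:ff:ff"


def keys_for(client_macs):
    """Constructed stand-in for the WPA2 handshake: one PTK per client
    (known only to that client and the AP) and one GTK shared by all."""
    ptks = {mac: os.urandom(16) for mac in client_macs}
    gtk = os.urandom(16)
    return ptks, gtk


def mic(key, src, dst, payload):
    # HMAC-SHA256 models the per-frame integrity check; real CCMP uses AES-CBC-MAC.
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()


def build_frame(key, src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload, "mic": mic(key, src, dst, payload)}


def receiver_accepts(frame, my_mac, my_ptk, gtk):
    """What a client can check: unicast to it must verify under its own PTK,
    a broadcast verifies under the GTK, which every associated client holds."""
    if frame["dst"] == BROADCAST:
        key = gtk
    elif frame["dst"] == my_mac:
        key = my_ptk
    else:
        return False
    expected = mic(key, frame["src"], frame["dst"], frame["payload"])
    return hmac.compare_digest(expected, frame["mic"])


def sender_binding(ptks, gtk, ap_mac, insider, victim):
    """Return (unicast_accepted, broadcast_accepted) for frames that an
    authorised client 'insider' builds with the keys it really holds (its own
    PTK and the shared GTK) while labelling the AP as the source address."""
    payload = b"constructed test payload"
    unicast = build_frame(ptks[insider], ap_mac, victim, payload)
    broadcast = build_frame(gtk, ap_mac, BROADCAST, payload)
    return (receiver_accepts(unicast, victim, ptks[victim], gtk),
            receiver_accepts(broadcast, victim, ptks[victim], gtk))


def demo():
    ap = "00:11:22:33:44:55"  # constructed BSSID
    clients = ["aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"]  # constructed stations
    ptks, gtk = keys_for(clients)
    return sender_binding(ptks, gtk, ap, clients[0], clients[1])
```

`demo()` returns `(False, True)`: the PTK-protected unicast forgery is rejected by the victim, the GTK-protected broadcast with a spoofed AP source is accepted, which is exactly the asymmetry the article describes.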