Tel: +1 (650) 934 8191
Cell: +1(650) 868 5829,
Sign up for a customized personal demo with an AirTight expert.
Latest PCI DSS 1.2 Standard Requiring Upgrade to WPA/WPA2 Could Leave Retailers Confused About Next Steps for Wireless Security
Mountain View, Calif. - November 10 2008 - AirTight® Networks, the leading provider of wireless intrusion prevention systems (WIPS) and wireless vulnerability management, today announced an upgrade will be added to its SpectraGuard® Enterprise product to provide WPAGuardTM - the ability to detect, prevent and locate an attacker using the newly discovered Temporal Key Integrity Protocol (TKIP) vulnerability on Access Points (AP) using Wi-Fi Protected Access (WPA) encryption protocol. Two researchers, Erik Tews and Martin Beck have partially broken the TKIP in less than 15 minutes and will demonstrate this attack at PacSec 2008 in Tokyo this week.
This latest development could lead to new wireless network attacks on those enterprises which have gone only as far as upgrading to WPA instead of WPA2 to remain protected. According to independent security consultant Raul Siles, "This new research opens the door to new WPA(2)/TKIP attacks and future enhancements, so it is time to start applying and planning the appropriate security countermeasures to remove or mitigate this and similar future threats." Siles emphasizes this attack can also work against WPA2 if configured with TKIP because WPA2 allows both, AES and TKIP (while WPA only allows TKIP). Because the vulnerability is in TKIP, both WPA and WPA2 can be affected.
"While the attack appears to have elegantly woven together residual vulnerabilities from WEP and 802.11 QoS features to poke a hole in TKIP, it is an exaggeration to say TKIP is broken. Nonetheless this new discovery does create some cause for concern as so many companies have been migrating to WPA to avoid the security challenges that WEP presented, " said Dr. Hemant Chaskar, director of technology at AirTight. "It reinforces the fact that companies cannot rely on a single point of failure for security in their premises. No matter what infrastructure or encryption method you are using, this latest discovery points out the need for multi-layered protection that includes not only strong encryption and authentication, but also an overlay WIPS."
This newly discovered vulnerability could be of particular significance to the retail community which now must upgrade to WPA to meet the newest PCI DSS 1.2 wireless security standards announced last month by the PCI SSC. The new standards require the replacement of WEP in current installations by mid-2010 and the use of WPA in new installations after June of 2009. But this discovery places the security of the WPA standard in question as well.
Presently, AirTight’s SpectraGuard monitors for the use of TKIP in violation of AES policy and quarantines those clients or access points. AirTight will provide an upgrade to detect, prevent and locate the attacker of the newly discovered TKIP vulnerability. This will prevent such an attack from being successful.
"As AirTight did in 2007 when it included WEPGuardTM in its product to give its customers a higher level of security until such time as they could upgrade to more secure protocols such as WPA and WPA2, this latest upgrade to SpectraGuard demonstrates once again AirTight's leadership and responsiveness to the needs of its customers in addressing new and emerging threats in a timely manner," continued Chaskar.
AirTight offers a complete wireless intrusion prevention system to help detect, classify, prevent and locate wireless threats. The products can be purchased as a traditional WIPS security or as a hosted wireless vulnerability management. AirTight also offers a wireless planning service to help companies who are planning to deploy wireless in their stores, warehouses, distribution centers, or offices - to ensure adequate coverage and security.
About AirTight Networks
AirTight Networks and the AirTight Networks logo are trademarks; AirTight, SpectraGuard and VLAN Policy Mapping are registered trademarks of AirTight Networks, Inc. All other trademarks are the property of their respective owners.