Cisco access points support WPA migration mode, which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID). If WEP clients are still around, we can use the traditional WEP cracking arsenal against them. Therefore, we focused on analyzing the consequences of having this feature enabled when no WEP clients are present, for example after the migration to WPA has been carried out but the feature has been left enabled. We found that it is possible for an attacker to crack the WEP key under this scenario (i.e., no WEP clients). Once the key is recovered, it is possible to connect to the access point using this key (as it is operating in WPA migration mode) and access the network.
Leandro Meiners (Core Security Technology) works at CORE Security Technologies as a senior security consultant, and has been in the security industry working as a consultant for the past six years (the last three at CORE Security Technologies), focusing on penetration testing, both at the network (wired and wireless) and application level, having performed engagements for top-grade private and public international organizations.
Diego Sor (Core Security Technology) works at CORE Security Technologies as a senior security consultant and has been in the security industry for the past nine years, working first as a software developer and then as a consultant. Sor worked previously in the hardware industry with a focus on communications security and holds a degree in electronic engineering.