pskl.us

Decrypt those LWAPP Payloads

by on Nov.30, 2008, under Code

In our Defcon talk, “Medical Identity Theft” I touched on an issue that surprised a fair number of people.

In Cisco’s centralized wireless networking model, communications between the access point and the central controller is accomplished using the LWAPP (Light Weight Access Point Protocol) Protocol.  LWAPP has the ability to use very strong encryption – but only for the control traffic.  As it turns out, the payloads are completely unencrypted and simply concatenated inside of the LWAPP packet following the encrypted control traffic.  Since the packets are in a non-standard format, however, typical packet analysis tools are not able to extract the client traffic.

Curious to find out more, I wrote a short bit of Perl to convert captured LWAPP packets into normal .pcap files.

LWAPPDecoder.pl

[ejsmith@linuxbox dc2008]$ ./lwappdecoder.pl lwapp-voice-call.pcap
467 packets exported from lwapp-voice-call.pcap to lwapp-voice-call-unlwapped.pcap

The attack I discussed at Defcon is as follows:  An attacker plugs into the uplink of a physically insecure LWAPP access point, and begins to collect LWAPP data.  Looking at these pcaps in Wireshark does not reveal too much:

Running this file through the decoder, however, reveals a captured VoIP call:

So what?  Imagine a highly secure 802.1x implementation that is being used to secure access to a legacy system running an unencrypted protocol such as telnet or FTP.  If the wireless security is well implemented, the chances of it being broken by an attacker are low.  A physically insecure access point provides a convenient means of exchanging this strong encryption for mere encapsulation.

Remember, physical security is even more important than logical security: If you can touch it, you can pwn it.

Here’s the script if you’d like to try it out.  lwappdecoder.pl.gz

~Eric


3 Comments for this entry

Leave a Reply

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!