The proprietary security system used by Cisco Systems to protect wireless LANs widely deployed by enterprises can be defeated by a "dictionary attack" designed to crack passwords. To counter the security threat, the company is warning customers to institute strong password policies.
Cisco posted a security bulletin on its website on August 7 about the vulnerability of its Lightweight Extensible Authentication Protocol (LEAP) to dictionary attacks, according to Ron Seide, product line manager in the company's wireless business unit.
In that bulletin, Cisco acknowledged the flaw and said, "As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks. Creating a strong password policy is the most effective way to mitigate against dictionary attacks. This includes using strong passwords and periodically expiring passwords."
Seide said Cisco believed that LEAP could be made "relatively" secure with strong password policies, which can mitigate against dictionary attacks. He said that the company also had an upgrade path to help customers migrate from LEAP to its stronger Protected Extensible Authentication Protocol (PEAP) which uses one-time passwords and digital certificates. And he said Cisco had used its field sales force to tell customers about the potential problem since the security bulletin was posted.
But all customers may not have gotten the message.
A Cisco reseller, who declined to be identified, said he hadn't been contacted by the Cisco field sales force and wasn't aware of the August 7 security bulletin until contacted by a journalist. And Mike Martell, systems manager for The Dingley Press, a catalog printer that has installed a Cisco WLAN in its warehouse, said he was unaware of the problem until asked about it.
Martell, whose company is featured in a customer profile on Cisco's website, said the possibility of a successful dictionary attack - which involves an assault against password protection by aiming huge amounts of words and numbers at a targeted system - didn't surprise him.
In the past, he said, such attacks could take years. Now, thanks to increased computer processing power, dictionary attacks can crack passwords in a matter of minutes. The only way to protect against such an attack, Martell said, is to use long password strings with unusual combinations of letters and numbers that create combinations "not found in the English language".
A systems engineer at Johnson & Wales University, Joshua Wright, yesterday demonstrated a dictionary attack against LEAP at a conference in New York sponsored by Unstrung, a website that reports on the wireless industry.
According to Unstrung, Wright said the tool he used to conduct the attack would be made generally available in the next couple of months. Wright couldn't be reached for comment.
An analyst at Nemertes Research, Robin Gareiss, said the LEAP vulnerability "damages Cisco's credibility" since the company has marketed it heavily as a secure system. Cisco has roughly 46 per cent of the enterprise wireless LAN market, according to a recent independent study done by Nemertes.
The LEAP problems could also affect Cisco's efforts to market to new customers, she said.
According to Gareiss, a survey she conducted of 60 top executives from Fortune 500 companies showed that a number of those looking to deploy WLANs "were assessing Cisco products" .
Gartner analyst, John Pescatore, said that since any password-based scheme was vulnerable to dictionary attacks, Cisco might have to reconfigure LEAP to lock out potential hackers after three tries at a password.