CommScope RUCKUS Community Forums

Hi Jesse, apologies if i offended you, my comment was not meant to. There may be a few people trivialising this issue but no more than there are people blowing out of proportion.

This is my opinion:
Is it a valid vulnerability? Yes.
Does it need to be patched? Yes.
Even after the patch is the full threat nullified? Not unless you have 100% governance over every client on your WLAN's and can ensure they are all patched.
Is it relatively difficult to actually take advantage of? Yes.
Even if you are attacked, is it likely to cause a large scale security breach? Unless you are unlucky enough to have them capture traffic on a single MiTM attack for a user who is sending sensitive data upstream on an unpatched client, in an areas serviced by unpatched mesh AP's or a WLAN configured with 802.11r, no.

I appreciate it is annoying, and i have had to answer questions today from my customers about how long it has taken Ruckus to post an advisory and how long it will take for a patch but thats part of being in tech. There's a serious security treat almost every month, this month its WiFi's turn. 

Yes Ruckus' comms haven't been what would be expected of a top enterprise WiFi vendor, and im sure that many of us will be having conversations with our reps over the coming days but hopefully they will learn from this. 

Robert,

None taken really, and I agree with your points above. I think it's another question of industry whether or not the big issue is if you could potentially snoop something significant in clear text to bring down the organization. In our case it isn't really about that.

The thing about regular security threats in IT is that you typically spend your money with folks you expect to fix things in a timely manner and exhibit exceptional communication. I don't think we hit either of those marks as we can both agree. So do you stick with somebody that predominately works in the industry they have a lackluster response in? Is this due to all the mergers, etc that have happened over the past year with them? I don't know, nor frankly do I care. I expect more from the company than device up-time.

@Jesse,If you are in a place where they need secure connections, you don't care about WPA - then you run VPN on top, of use applications that use SSL connections between peers, making sure you don't rely on encryption between the wifi endpoints.Heck, Apple enforced all App-connections to backend servers use SSL encryption, this summer, so you as a customer know that Apps now don't rely on encryption on the wire itself.
Hell, that is what all users do on 99% of all hospitality locations around the world on a daily basis.

We see customers that just moved from WEP to WPA because their old creditcard terminals did not support other than WEP.. 
So, if it's not more important than that, maybe we should help remind the customers that they need to make sure the Apps they use are secure...

Jakob,

Don't assume I am only talking about guest wifi. I haven't said anything to imply that.

Do you know how VPNs actually work? I don't often use them inside of the same network over wifi .

That's really the key distinction here... It doesn't matter if they are using WEP/WPA/WPA2... That's not to say it's a good idea to be using anything other than WPA2. The attack surface is still there for properly configured access point(s). Where's my new firmware?

Not every application utilizes encryption to their back end, especially when the service is LAN side. I have said this repeatedly, but it is yet another question of your industry, and what applications you require to operate.

The customers don't typically know anything about their application other than its business value to them and the fact that they need it for operations. Even if they do care, they may not have a choice between secure/insecure applications to provide security over the wire regardless of price.