Almost everyone can easily purchase an access point or Wi-Fi router to generate a rogue SSID that looks exactly the same as the legitimate corporate SSID. It can be placed, for example, in the parking lot around thecorporate building as a honey pot to which a valid employee’s notebook might inadvertently connect.
The rogue SSID attack is more likely to happen whenever more companies use cloud services like Google Suite, Salesforce.com, etc. The hacker doesn’t need to hack the corporate network but simply put out a honey pot and sniff the traffic between valid users and cloud services.
It becomes even easier when new roaming technology is implemented in mobile phones and notebooks that will detect the stronger signal of the same SSID and roam to it. The hacker can then boost his rogue AP aside the corporate building whereas corporate Wi-Fi might have weaker coverage around the corners or border of the building.
EnGenius AirGuard can check the SSID name (ESSID) or AP radio MAC (BSSID) to automatically detect the rogue AP that mimics the legitimate SSID but is not listed among legitimate EnGenius managed APs in the same network.
It is a good practice to set up a honeypot environment in a corporate network to lure and identify malicious attackers. Administrators can set up a network separate from corporate networks with a honeypot AP using an open SSID and some clients generating traffic. Malicious hackers will then find the “weak” SSID of the honey pot and attack.
AirGuard allows users to set rogue rules and whitelist rules by comparing the SSID name or BSSID MAC address. In the honeypot case, administrators can monitor which MAC sources mimic the honeypot SSID, observe how they are trying to attack the network, and take actions accordingly. In case there might be legitimate non-EnGenius APs deployed in the corporate network, administrators can whitelist the MAC address of the non-EnGenius APs and separate them from the rogue SSID list.
By luring valid users to connect to the rogue AP, hackers can connect a proxy to the rogue AP and redirect all traffic through the proxy. Hackers can then snoop through sensitive corporate information while the valid user is accessing corporate cloud services.
If the hacker can furthermore connect to a legitimate AP, then he can connect a rogue AP to a legitimate AP, and mimic the legitimate SSID. Everything looks the same from the client end when the client connects to the rogue SSID of a man-in-the-middle rogue AP.
There are three easy ways a hacker can connect to a legitimate AP:
Factory Default Device Admin Credential This is the most common fraud that users might encounter accidentally. Using the factory default credential, hackers can hack into the device and change the configuration to allow a rogue AP to connect to a legitimate AP.
When the SSID security type is set to “Open.” When an SSID is “Open,” everyone can connect to the legitimate AP and access corporate networks and assets. It’s also quite common to set the SSID security type to Open when the captive portal splash page is set up for user authentication. The rogue AP can easily connect to the legitimate AP and pass overall traffic, including splash page authentication while sniffing all data.
Exploit the vulnerability without updating the firmware There were some vulnerability issues found in WPA2, like the KRACK issue where hackers could leverage a four-way handshake sequence of WPA2 and hack the PSK to steal sensitive information like credentials, credit card info, and so on. The vulnerability was fixed but users had to upgrade to the most up-to-date version of their device firmware. Managing the device firmware across the corporate network is also a task for the administrator. For example, the hacker can start a DoS attack to break the connection between clients and a legitimate AP, so that the clients will have problems connecting to the legitimate SSID. For example, if a hacker finds a network called "XYZ," the hacker can create a look-alike SSID “XYZ-5G” to connect to. (The hacker can also use the exact same SSID name to simulate a legitimate SSID; however, this will be found through “rogue SSID” detection.) The hacker can then either redirect the traffic to a phishing web page to steal credentials or direct the traffic back to a legitimate AP and sniff all data transferred in between.
AirGuard will monitor all SSID’s with the same name as the legitimate SSID and check if the SSID is from legitimate AP’s in the network. Users can also set whitelist rules by adding legitimate AP MAC lists which are not managed by EnGenius Cloud to exclude from the rogue SSID list.
It is common and easy to set the passphrase of the WPA PSK of the SSID to have basic security access control. However, once someone knows the passphrase he/she can access the SSID forever uninhibited. EnGenius myPSK allows the network administrator to set a unique PSK for each person and control the valid period and VLAN, so when the person is not eligible to access the network, the PSK will be invalid. This feature is especially suitable for school dormitories where the students and teachers come and go with different levels of resource access. Dormitory administrators can base access on the full school year or certain semesters for students to be assigned a unique PSK and access a certain VLAN for a limited period of time.
All devices come with a default account and password for easy first-time configuration. If the administrator doesn’t change the account/password, it’s easy for someone to log in to the device and change the configuration. This is the most common oversight that puts corporate network security at risk.
EnGenius encourages users to set a unique network-wide local admin account and password immediately. When a new device is assigned to the network and a new network created, the local admin account and password to access the local GUI of the device must be changed accordingly. If the factory-default credential is not changed. EnGenius Cloud will mark the network as “insecure” by putting a warning icon on the network to indicate that the network devices are exposed to security fraud.
WPA3 enhances the security mechanism with OWE (Opportunistic Wireless Encryption) to replace the open security type. Clients don’t need the passphrase to access the AP, because OWE will encrypt the transmission. In addition, WPA3-personal uses SAE technology to replace the WPA2 pre-shared key, a more secure way to do the key exchange and to prevent attacks like the four-way handshaking KRACK.
EnGenius provides an HTTPS option for users to encrypt the communication between the client and AP before the user gets authenticated through a captive portal. Without the encryption, a man-in-the-middle can easily sniff the credential during the captive portal login process.
To make sure the firmware of devices on the corporate network is most up-to-date and vulnerabilities fixed as soon as possible, the EnGenius Cloud auto firmware upgrade feature allows users to set time slots each week to upgrade. Once set, administrators won’t need to worry about firmware version management across the whole network.
Hackers use evil twin devices to hack into networks by seducing legitimate clients to connect. Since security detection checks to make sure frames are from legitimate access points, hackers will change the MAC address and even the SSID name of the evil twin to match the MAC address and SSID name of the legitimate AP.
AirGuard can detect the evil twin attack with an algorithm to distinguish if the frames are from a legitimate EnGenius AP or rogue AP mimicking the legitimate MAC address. Two categories are classified:
AP Spoofing The rogue AP will spoof the legitimate AP by sending frames with the same MAC address as the legitimate AP.
AP impersonation The rogue AP not only mimics the MAC address of the legitimate AP but also its SSID name.
Usually the way an AP can detect an evil twin is by leveraging the technique of “I know you are not me.” So when “I,” the detecting AP, detect frames with my MAC address, I know I didn’t send the frame, so I know there is an evil twin around. However if an evil twin is outside the range of the victim AP, the victim AP won’t be able to identify whether it’s legitimate or fake. EnGenius enhances the evil twin detection algorithm by letting all legitimate APs in the network know who my colleagues are and who the evil twin is.
With the EnGenius Cloud Map function, users can upload a floor plan and place an AP on the floor map to see the heat map of Wi-Fi coverage. Users can also add walls and doors to the floor plan to see how the obstacles affect the heat map. For every rogue detected, AirGuard will list the detecting APs with signal strength (RSSI value) so users can leverage the floor plan to locate those detecting APs and discover if the rogue source might be nearby.
Every EnGenius Cloud device has a built-in certificate installed at the factory, which is a mandatory component when communicating with EnGenius Cloud. Therefore, an evil twin rogue AP can clone the same MAC as a legitimate AP. However, the rogue AP cannot connect to EnGenius Cloud without the built-in certificate to access the corporate network.
To get the built-in certificate, the intruder might purchase an EnGenius AP from the market to function as an evil twin rogue AP; however, the AP needs to go through the MFA (multiple-factor authentication) process to be able to connect to the Cloud and join the network. First, EnGenius Cloud will check the certificate, MAC address, serial number, and key exchange process, and then check if the device is registered to an org or if the device is associated with the network.
Only the control plane of device information and configuration goes to EnGenius Cloud. All other user data planes will not pass through the Cloud, so users don’t need to worry if EnGenius Cloud will capture or store any user-sensitive data. EnGenius Cloud also encrypts the control plane information to prevent hackers from sniffing the management traffic.