A rogue access point is an AP that is connected to a company’s physical network infrastructure but is not under that company’s administrative control. This could arise if an employee or student naively brought in a home WiFi-enabled router and connected it to the company’s infrastructure to provide wireless network access. This act introduces multiple threat vectors to the company, such as:
Insecure wireless authentication – the rogue AP might only support a deprecated and insecure encryption standard, such as WEP. Or, even worse, it might be purposefully configured with open association and authentication.
Inappropriate attachment – the user could also physically attach the AP to a network port in a secure area of the network, or in an area without appropriate firewalling between it and sensitive information.
Inappropriate location – the AP could be placed close to the perimeter of a building, meaning that someone could listen in on the company’s network.
It’s clear that rogue access points are something we need to protect our business-critical WLAN and networks against.
A comprehensive Wireless Intrusion Prevention System to create a secure wireless network.
Wi-Fi security risks are always something to consider when providing any kind of wireless service. With the inception of next-gen technologies such as the Internet of Things (IoT) and Metaverse, secure WiFi access has become a critical component of enterprise and small business networking. The pandemic has even made Wi-Fi security more essential to home networking since working from home is common nowadays.
EnGenius AirGuard© is a full-featured solution with advanced wireless security technologies that allows network administrators to build a secure, efficient, and easy to manage Wi-Fi network. The core concept of AirGuard is to be able to prove that your security solution defends your business against Wi-Fi attacks. It delivers the following benefits:
Provide automatic detection and protection from Wi-Fi threats:
Contain rogue SSIDs to prevent user connections to unauthorized APs.
Allow legitimate external APs to operate in the same airspace.
Revealing and classifying potential wireless threats is an important first step in securing the wireless network and the network infrastructure as a whole. Once classified, remediation can be taken against confirmed threats and innocuous alerts can be dismissed. AirGuard automatically classifies threats into the following categories to provide visibility and overall protection for your network.
The network administrator can manually maintain an SSID naming rule set to identify the Rogue APs. For any wireless services matching the rogue rules, the cloud system would identify it as a rogue service and list it in Rogue SSIDs.
Note:
Rogue rules are Network-wide settings. If you have multiple Networks running close to each other, each with different managed SSIDs defined, you should add all managed SSIDs to the whitelist rule set so that the adjacent Networks' managed SSIDs are not identified as rogue SSIDs.
SSIDs that do not match the rogue rules, or that match the whitelist rules, are classified as Other SSIDs. These can be the SSIDs run by your neighbors or by the coffee shop close to your office. With visibility of these SSIDs, the network administrator can easily decide whether or not to classify them as rogues.
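The classification order described above (managed first, then whitelist, then rogue rules, everything else "Other") can be written down in a few lines, which also makes the Note's caveat about adjacent Networks concrete. The following is an added example and is not AirGuard's code; the survey data, BSSIDs and rule patterns are constructed, and the use of shell-style wildcards for rule patterns is an assumption of the example.

```python
import fnmatch
from dataclasses import dataclass

# Constructed survey data for a hypothetical site (not EnGenius data). The rule
# semantics follow the page: rogue rules are Network-wide, whitelist rules win
# over rogue rules, and anything left over is an "Other SSID". Shell-style
# wildcard patterns for the rules are an assumption of this example.

@dataclass(frozen=True)
class ObservedSsid:
    ssid: str
    bssid: str


def _matches_any(ssid, patterns):
    return any(fnmatch.fnmatchcase(ssid, p) for p in patterns)


def classify_ssid(obs, managed_bssids, rogue_rules, whitelist_rules):
    """Return 'managed', 'rogue' or 'other' for one observed SSID."""
    if obs.bssid.lower() in managed_bssids:
        return "managed"   # one of this Network's own radios, never a rogue
    if _matches_any(obs.ssid, whitelist_rules):
        return "other"     # explicitly allowed, e.g. a neighbouring Network we also run
    if _matches_any(obs.ssid, rogue_rules):
        return "rogue"
    return "other"


def classify_survey(observed, managed_bssids, rogue_rules, whitelist_rules=()):
    """Group a scan result into the three buckets the page describes."""
    buckets = {"managed": [], "rogue": [], "other": []}
    for obs in observed:
        category = classify_ssid(obs, managed_bssids, rogue_rules, whitelist_rules)
        buckets[category].append(obs.ssid)
    return buckets


# --- constructed example ----------------------------------------------------
MANAGED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # this Network's APs
ROGUE_RULES = ["Corp*", "*Free WiFi*"]                          # look-alike names to flag

SURVEY = [
    ObservedSsid("Corp-WiFi", "aa:bb:cc:00:00:01"),         # ours
    ObservedSsid("Corp-WiFi", "de:ad:be:ef:00:01"),         # same name, unknown radio
    ObservedSsid("Corp-Guest", "aa:bb:cc:01:00:07"),        # managed by our *other* Network next door
    ObservedSsid("Airport Free WiFi", "02:00:00:00:00:09"),
    ObservedSsid("CoffeeShop", "66:77:88:99:aa:bb"),
]


def without_whitelist():
    # The adjacent Network's "Corp-Guest" is caught by the "Corp*" rogue rule.
    return classify_survey(SURVEY, MANAGED_BSSIDS, ROGUE_RULES)


def with_whitelist():
    # Adding the adjacent Network's managed SSID to the whitelist, as the Note advises.
    return classify_survey(SURVEY, MANAGED_BSSIDS, ROGUE_RULES, whitelist_rules=["Corp-Guest"])


if __name__ == "__main__":
    print(without_whitelist())
    print(with_whitelist())
```

Running it shows "Corp-Guest" landing in the rogue bucket until it is whitelisted, while the unknown radio announcing "Corp-WiFi" stays rogue in both runs because the whitelist is matched on SSID, not on BSSID.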
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. AirGuard could detect two types of evil twins:
AP spoofs
The malicious mimic of a legitimate AP by spoofing the SSID name.
AP Impersonation
Malicious impersonation of not only the SSID name but also the BSSID (the wireless MAC address), which makes it indistinguishable from the original AP.
Denial of Service (DoS) attacks can prevent clients from associating with the legitimate AP by sending an excessive number of broadcast messages to clients or APs. DoS attacks could come from malicious clients, APs, or even another WIPS system in the area that considers the corporate network a threat and is attempting to remediate it. AirGuard is capable of detecting two types of Malicious Attacks:
De-auth attack to AP
The attacker mimics a client by sending an excessive number of De-auth messages to managed APs, making the AP disconnect the client.
De-auth attack to client
The attacker mimics an AP by sending an excessive number of De-auth messages to a client associated with a managed AP. This also results in the disconnection of the attacked client.
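The two categories differ only in which address is forged: frames that claim to come from a managed AP are aimed at its clients, frames aimed at a managed AP claim to come from a client. Either way the tell-tale sign is rate, since a healthy AP sends a handful of deauthentication frames, not dozens per second. The detector below, an added example rather than AirGuard's own logic, runs a sliding-window count over a constructed sensor log and labels floods with the two categories from the page; the window length and threshold are assumed tuning values, and the MAC addresses are made up.

```python
from collections import defaultdict

# 802.11 management frame subtypes (from the standard); 12 = Deauthentication.
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Tuning values are assumptions of this example, not AirGuard's thresholds.
WINDOW_SECONDS = 1.0
FLOOD_THRESHOLD = 20      # deauth frames per (src, dst) pair per window


def peak_rate(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_deauth_floods(frames, managed_bssids, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """frames: iterable of (timestamp, subtype, src_mac, dst_mac) as a sensor would log them.

    Returns one alert per (src, dst) pair whose deauth rate exceeds the threshold,
    labelled with the two categories used on the page."""
    seen = defaultdict(list)
    for ts, subtype, src, dst in frames:
        if subtype == SUBTYPE_DEAUTH:
            seen[(src.lower(), dst.lower())].append(ts)

    alerts = []
    for (src, dst), times in seen.items():
        peak = peak_rate(times, window)
        if peak < threshold:
            continue
        if src in managed_bssids:
            # Frames claim to come from our AP and target a client (or everyone):
            # the attacker is mimicking the AP, so the client is the victim.
            kind = "De-auth attack to client"
        elif dst in managed_bssids:
            # Frames target our AP and claim to come from a client.
            kind = "De-auth attack to AP"
        else:
            continue   # neither side is ours; out of scope for this sensor
        alerts.append({"type": kind, "src": src, "dst": dst,
                       "peak_per_window": peak, "broadcast": dst == BROADCAST})
    return alerts


# --- constructed sensor log -------------------------------------------------
AP = "aa:bb:cc:00:00:01"
CLIENT_A, CLIENT_B = "11:11:11:11:11:11", "22:22:22:22:22:22"


def sample_frames():
    frames = []
    # Normal operation: our AP deauthenticates an idle client now and then.
    frames += [(float(t), SUBTYPE_DEAUTH, AP, CLIENT_A) for t in (0, 12, 24, 36, 48)]
    # Attack 1: 40 deauths in 0.4 s, forging the AP's address toward client A.
    frames += [(100.0 + i * 0.01, SUBTYPE_DEAUTH, AP, CLIENT_A) for i in range(40)]
    # Attack 2: 30 deauths in 0.3 s, forging client B's address toward the AP.
    frames += [(200.0 + i * 0.01, SUBTYPE_DEAUTH, CLIENT_B, AP) for i in range(30)]
    # Unrelated traffic (subtype 8 = Beacon) is ignored by the detector.
    frames += [(float(t), 8, AP, BROADCAST) for t in range(0, 300, 10)]
    return frames


def run_sample():
    return detect_deauth_floods(sample_frames(), {AP})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying the count on the (source, destination) pair rather than on the source alone keeps a busy AP that legitimately deauthenticates many different clients from tripping the threshold, while a broadcast deauthentication flood still shows up as a single high-rate pair with the broadcast flag set.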
RF jamming is a technique that exploits the open-medium nature of WiFi by sending a lot of noise into the environment, making it impossible for other nodes to send messages through the available channels.
An RF jammer does not need to comply with WiFi protocols. It only needs to interfere with the physical transmission and reception of wireless communications. AirGuard is capable of detecting four types of RF jamming:
Constant Jammer:
Continually emits a radio signal that interferes with communication.
Deceptive Jammer:
Constantly injects regular packets to the channel without following CSMA/CA procedure.
Random Jammer:
Intermittently emits the jamming signal.
Reactive Jammer:
Jam and simultaneously sense/discern/detect the legitimate transmission.
A deauthentication attack is a disruptive technique against wireless connections. It belongs to the denial-of-service family, abruptly rendering networks temporarily inactive. These tactics are usually low-key, as they do not require unique skills or elaborate equipment. For some, deauthentication attacks are innocent pranks on coworkers, friends, or neighbors. However, they can be a component of a bigger ruse, such as an evil twin attack. In either case, perpetrators overwhelm networks with deauthentication requests, forcing them to drop their clients’ connections.
Deauthentication attacks represent fraudulent requests that interfere with the communication between routers and devices. The strategy attacks 802.11-based wireless networks, as they require deauthentication frames whenever users terminate connections. The dilemma here is that access points might not recognize that requests originate from a fraudulent source. Since networks do not validate incoming frames, hackers can imitate them. Lack of encryption adds fuel to the fire, even if sessions feature WEP.
Wi-Fi networks also do not have effective mechanisms for verifying MAC addresses. Perpetrators could spoof addresses and perform deauthentication attacks. Forged frames terminate connections. If attackers continue to send requests, users won’t be able to reconnect. While the attack could focus on a single target, all clients could lose connection to the access point.
As the attack forces clients to abandon the authentic AP, they might consider connecting to other hotspots. Rogue access points known as evil twins are highly prominent in the free Wi-Fi landscape. Nowadays, many popular hangouts supply free internet. Hackers could generate fake hotspots by mimicking the details of an official access point. So, after a deauthentication attack terminates clients’ connections, they could connect to a rogue network. Then, its owners can monitor all activities. This surveillance covers all communications, visited websites, financial transactions, and more. Hence, free Wi-Fi in crowded locations poses severe threats, especially if hackers set up evil twins nearby.
Disturbingly, there are articles and special tools for performing deauthentication attacks. While this strategy is prevalent in hackers’ communities, its purpose could be benign. Let’s discuss several scenarios that force networks to drop connections.
A prank on neighbors or friends. Ethical computer hackers could employ deauthentication for testing purposes. In other cases, tech-savvy users might make their neighbors stop stealing their Wi-Fi. However, deauthentication attacks can also be part of evil twin attacks, which are highly damaging to victims’ privacy.
The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic. Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.
To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function.
Good to know:
Not all WiFi clients, especially IoT devices, support 802.11w well. For maximum compatibility, network providers tend to turn off 802.11w today. That's why de-auth attacks are still popular.
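Whether an AP actually offers 802.11w is visible in every beacon: the RSN information element (element ID 48) carries an RSN Capabilities field whose bit 6 is MFPR (Management Frame Protection Required) and bit 7 is MFPC (Management Frame Protection Capable). Auditing those two bits across a site survey tells you which SSIDs are still exposed to forged deauthentication frames. The parser below is an added example, not AirGuard's code; the three RSN elements it decodes are constructed byte strings laid out according to the 802.11 RSN element format, and the SSID names attached to them are made up.

```python
import struct

RSN_ELEMENT_ID = 48      # 802.11 element ID of the RSN information element
MFPR = 1 << 6            # RSN Capabilities: Management Frame Protection Required
MFPC = 1 << 7            # RSN Capabilities: Management Frame Protection Capable

# Suite selector type values from the 802.11 standard (OUI 00-0F-AC), subset.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}


def _suite_name(raw, table):
    oui, kind = raw[:3], raw[3]
    return table.get(kind, f"type-{kind}") if oui == b"\x00\x0f\xac" else f"vendor-{oui.hex()}-{kind}"


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN IE into its cipher/AKM suites and the two PMF capability bits."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN information element")
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("RSN IE body shorter than its counts claim")
        chunk = body[off:off + n]
        off += n
        return chunk

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite_name(take(4), CIPHERS)
    pairwise = [_suite_name(take(4), CIPHERS) for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [_suite_name(take(4), AKMS) for _ in range(struct.unpack("<H", take(2))[0])]
    # The RSN Capabilities field is optional; when absent, treat PMF as not offered.
    caps = struct.unpack("<H", take(2))[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def pmf_status(ie: bytes) -> str:
    """'required', 'optional' or 'disabled'; MFPR without MFPC is malformed per the standard."""
    info = parse_rsn_ie(ie)
    if info["mfpr"]:
        return "required" if info["mfpc"] else "malformed"
    return "optional" if info["mfpc"] else "disabled"


def pmf_audit(survey: dict) -> list:
    """Return (ssid, status) for every SSID in the survey that does not require PMF."""
    return [(ssid, pmf_status(ie)) for ssid, ie in survey.items() if pmf_status(ie) != "required"]


# --- constructed RSN elements (WPA2-PSK with CCMP unless noted) ----------------
# Layout: ID 0x30, length 0x14, version 1, group CCMP, 1 pairwise CCMP, 1 AKM, capabilities.
RSN_WPA2_NO_PMF = bytes.fromhex("30140100000fac040100000fac040100000fac020c00")   # caps 0x000c
RSN_WPA2_PMF_OPT = bytes.fromhex("30140100000fac040100000fac040100000fac028c00")  # caps 0x008c
RSN_WPA3_SAE = bytes.fromhex("30140100000fac040100000fac040100000fac08cc00")      # AKM SAE, caps 0x00cc

SURVEY = {"Corp-WiFi": RSN_WPA2_NO_PMF, "Corp-Guest": RSN_WPA2_PMF_OPT, "Corp-Secure": RSN_WPA3_SAE}

if __name__ == "__main__":
    for ssid, ie in SURVEY.items():
        print(ssid, parse_rsn_ie(ie), pmf_status(ie))
    print("needs attention:", pmf_audit(SURVEY))
```

The "optional" case is the compatibility compromise the note above describes: the AP negotiates protected management frames with clients that support them, while a legacy IoT client on the same SSID still associates unprotected and can still be deauthenticated by a forged frame. Only "required" removes that path entirely, at the cost of excluding those clients.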
AirGuard shows the details of a Malicious Attack.
But that speed and convenience come with a cost. Hackers can quickly take over a safe-seeming WiFi connection and see (or steal) anything users do online.
An attack typically works like this:
Step 1: Set up an evil twin access point. A hacker looks for a location with free, popular WiFi. The hacker takes note of the Service Set Identifier (SSID) name. Then, the hacker uses a tool like a WiFi Pineapple to set up a new account with the same SSID. Connected devices can't differentiate between legitimate connections and fake versions.
Step 3: Encourage victims to connect to the evil twin WiFi. The hacker moves close to victims and makes a stronger connection signal than the valid version. Anyone new will only see the evil twin, and they will tap and log in. The hacker can kick off anyone currently connected with a distributed denial of service (DDoS) attack, which temporarily takes the valid server offline and prompts mass logins.
Step 4: The hacker steals the data. Anyone who logs in connects via the hacker. This is a classic man-in-the-middle attack, which allows the attacker to monitor anything that happens online. If the user logs into something sensitive (like a bank account), the hacker can see all the login details and save them for later use.
When an evil twin AP is present, a threat actor broadcasts the same SSID as the legitimate AP (and often the same BSSID, the MAC address of the SSID) to fool the device into connecting.
Additionally, it's important to note that evil twin attackers need to use clients with a radio capable of "monitoring mode."
If the target SSID is a busy open hotspot, victim clients will connect to the evil twin AP within seconds. If the target is a private, PSK-encrypted SSID, then the attacker would need knowledge of the PSK (a service offered online that requires packet capture files of the WPA/WPA2 handshake sequence).
Most Wi-Fi clients and their human operators choose to "auto join" previously saved Wi-Fi networks. If the attacker can't successfully trick the victim into connecting to the evil twin, he can simply break the connection between the victim and any legitimate AP he or she is using by flooding a client and/or associated AP with spoofed de-authentication frames in what's called a de-authentication attack. This means that the target device and AP are informed that their connection has been dropped.
Once a client is connected to the evil twin AP, the attack is over. This entire process is used to allow attackers to establish MitM (man-in-the-middle) positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log in the user. As the target, you might believe you've simply logged in to your email account as always — but in reality, you have handed your credentials over to an attacker.
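Separating the two evil twin categories comes down to what the observed beacon shares with the managed inventory. A beacon carrying a managed SSID from an unknown BSSID is an AP spoof. A beacon carrying a managed BSSID is either the real AP or an impersonation, and since the addresses are identical the verdict has to rest on other fields: the channel the sensor hears it on, and the beacon's TSF timestamp, which on a genuine AP advances in lock-step with wall-clock time and cannot be continued by a second radio. The detector below is an added example, not AirGuard's detection method; the inventory, BSSIDs and beacon sequence are constructed, and the TSF drift tolerance is an assumed value.

```python
from dataclasses import dataclass

# Assumed tolerance for TSF drift between two beacons of the same BSSID (0.5 s).
TSF_TOLERANCE_US = 500_000


@dataclass(frozen=True)
class ManagedAp:
    bssid: str
    ssid: str
    channel: int       # current operating channel as reported by the controller


@dataclass(frozen=True)
class Beacon:
    seen_at: float     # sensor clock, seconds
    ssid: str
    bssid: str
    channel: int       # channel the sensor received the frame on
    tsf: int           # 64-bit Timestamp field from the beacon, microseconds


class EvilTwinDetector:
    """Classify beacons as 'managed', 'AP spoof', 'AP impersonation' or 'other'."""

    def __init__(self, managed):
        self.by_bssid = {ap.bssid.lower(): ap for ap in managed}
        self.managed_ssids = {ap.ssid for ap in managed}
        self.last_good = {}    # bssid -> (seen_at, tsf) of the last beacon accepted as genuine

    def classify(self, b: Beacon) -> str:
        bssid = b.bssid.lower()
        ap = self.by_bssid.get(bssid)
        if ap is None:
            # Unknown radio: a spoof if it borrows one of our SSID names, otherwise a neighbour.
            return "AP spoof" if b.ssid in self.managed_ssids else "other"

        # The BSSID is ours, so every other field must agree with the real AP.
        if b.ssid != ap.ssid or b.channel != ap.channel:
            return "AP impersonation"
        prev = self.last_good.get(bssid)
        if prev is not None:
            prev_seen, prev_tsf = prev
            expected_tsf = prev_tsf + int((b.seen_at - prev_seen) * 1_000_000)
            if abs(b.tsf - expected_tsf) > TSF_TOLERANCE_US:
                # A second radio cannot continue the genuine AP's TSF counter.
                return "AP impersonation"
        # Only genuine beacons update the baseline, so an impersonator cannot poison it.
        self.last_good[bssid] = (b.seen_at, b.tsf)
        return "managed"


# --- constructed inventory and beacon capture ---------------------------------
MANAGED = [ManagedAp("aa:bb:cc:00:00:01", "Corp-WiFi", 36)]

CAPTURE = [
    Beacon(0.0000, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, 10_000_000),   # genuine
    Beacon(0.1024, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, 10_102_400),   # genuine, TSF advanced 102.4 ms
    Beacon(0.2000, "Corp-WiFi", "11:22:33:44:55:66", 36, 4_000),        # our SSID, foreign BSSID
    Beacon(0.3000, "Corp-WiFi", "aa:bb:cc:00:00:01", 1, 5_000),         # our BSSID on the wrong channel
    Beacon(0.4000, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, 123),          # right channel, TSF restarted
    Beacon(0.5000, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, 10_500_000),   # genuine again
    Beacon(0.6000, "CoffeeShop", "66:77:88:99:aa:bb", 6, 77_000),       # unrelated neighbour
]


def run_capture():
    det = EvilTwinDetector(MANAGED)
    return [det.classify(b) for b in CAPTURE]


if __name__ == "__main__":
    for beacon, verdict in zip(CAPTURE, run_capture()):
        print(f"{beacon.seen_at:6.3f}s {beacon.ssid:12} {beacon.bssid} ch{beacon.channel:<3} -> {verdict}")
```

The channel check needs an inventory that reflects the AP's current channel, so on a deployment with automatic channel selection the controller's view, not a static list, has to feed the detector; otherwise a legitimate channel change would be reported as an impersonation.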
The system not only helps detect the evil twin but also helps analyze the attacks in detail.
EnGenius AirGuard offers wireless intrusion prevention systems (WIPS) solutions to detect the presence of an evil twin AP and contain any managed corporate clients from connecting to them. (Full disclosure: EnGenius is one of a number of companies that provide such services.)
For Wi-Fi users, an evil twin AP is nearly impossible to detect because the SSID appears legitimate and the attackers typically provide Internet service.
Terminating hidden cameras. Airbnb clients always wonder whether accommodation providers follow the rules regarding surveillance through cameras. Over the years, forced Airbnb to forbid the use of cameras in rented apartments or rooms. However, more cunning homeowners can conceal cameras from their guests. White-hat hackers emphasize that deauthentication attacks can reveal whether a rented apartment conceals cameras.
Hotels pushing their paid Wi-Fi plans. There have been incidents when hotels employed deauthentication to promote their Wi-Fi services. In fact, the Federal Communications Commission (FCC) has stated that blocking or interfering with Wi-Fi hotspots is illegal. One of the first offenders was the Marriott hotel, which had financial motives for disrupting visitors’ access points. However, charging perpetrators with deauthentication attacks is a rare sight. Usually, victims blame the interruptions on unstable Wi-Fi.
Hackers need impatient web users to pull off an evil twin attack. Unfortunately, plenty of us falls into this category. When we go into a public space, such as a library or a coffee shop, we expect that establishment to offer free and fast WiFi. In fact, by their connection speeds.
Step 2: Set up a fake captive portal. Before you can sign in to most public WiFi accounts, you must fill in data on a generic login page. A hacker will set up an exact copy of this page, hoping that they will trick the victim into offering up . Once the hacker has those, they can log in to the network and control it.
Customer participation is critical in an evil twin WiFi attack. And unfortunately, only think they're responsible for securing their data on a public WiFi account. Most think the companies that offer connections will protect them. The companies may disagree.
While within range of the target SSID, attackers begin by broadcasting the same SSID. This is straightforward and can even be done on smartphones with data plans that allow mobile Wi-Fi hotspot tethering. Attackers looking to avoid drawing suspicion toward antennas and battery packs typically opt for a popular tool called , which can run natively on Linux, Mac, Windows, and Android systems.
Radio Frequency or RF Jamming is one of the easiest methods of defeating a wireless system – the wireless equivalent of cutting the wires on a traditional wired system. The open-medium nature of WiFi makes it vulnerable to various attacks, among them attacks against availability such as WiFi jamming. WiFi jamming sends a lot of noise into the environment, making it impossible for other nodes to send messages through the available channels.
AirGuard adopts unique technologies to detect all types of RF jamming while keeping a very low false-positive rate on the detection. That is, the system does not easily treat a massive transmission of WiFi data as an RF jamming attack, whereas the signal interference sent by a jammer can be efficiently detected in seconds.