A Rogue Access Point is a WAP (Wireless Access Point) which has been installed either knowingly or innocently which allows access to a controlled network through an uncontrolled SSID.
Rogue Access Points can advertise as a legitimate SSID, a unique SSID, or not broadcast their SSID at all.
What can an everyday user do to detect, isolate and prevent a Rogue Access Point from commandeering or hijacking their network?
How connecting to a WIFI works
First of all an SSID (Service Set Identifier) is like an IP address for your wireless network. The name you assign to the network is used as a shortcut for the MAC (Machine) address of the wireless transceiver.
An SSID can be up to 32 characters in length, and is generally human readable to make it easier for an operator to input into their devices.
SSIDs can be configured to transmit and be visible when searching for WIFI signals, or configured to not transmit. Where an SSID is not being transmitted a user can still connect to the network by either knowing the SSID, or connecting directly to the MAC address of the transceiver.
Connecting to a secure SSID
Depending on how an SSID has been configured the user will be required to enter a password before being allocated access to the network.
An SSID with Open security selected will allow any device to connect to the network as long as the SSID is known to the user. This also means that all datagrams and packets between the transceiver and user device are not encrypted.
An SSID with WPA2-PSK is considered to be very secure, with WEP being undesirable due to the trivial nature of deciphering the traffic.
Multiple WIFIs with the same SSID
Many residential access points come preconfigured with a default SSID, administrative username and password. If a user does not reconfigure or rename their access point after installation, it may be possible for a similar access point to operate on the same SSID nearby.
This could create confusion for client devices which are looking for the default SSID rather than a unique one.
Where a user device detects multiple wireless networks with the same SSID, it will prefer and may try to connect automatically to the access point with the strongest received radio signal. This may not mean the closest access point, and could well mean a rogue access point with a more powerful radio transceiver.
Being forced onto a Rogue Access Point
An attacker could identify an unsecured network they desire access to and replicate the SSID in order to force devices to connect to their network.
Once a user device has successfully connected to the Rogue Access Point the attacker would have access to the connected device. From here a vulnerability scan of the user device would allow the attacker to determine a point of entry for that device.
The attacker would only require uncontrolled access to a single device of the legitimate network to upload malware which could be used to either grant remote access, or propagate across to other devices.
But my WIFI is secured with WPA2-PSK. Is it secure?
WPA-PSK2 (WIFI Protected Access 2 - Pre Shared Key) is a plain-english passphrase of between 8 and 63 human readable characters. This passphrase is encoded prior to transmission using a technique called TKIP (Temporary Key Integrity Protocol).
The encoded passphrase in combination with the SSID is used to generate a unique encryption key for each wireless client device.
During the connection of your WIFI to your home network a 'four-way handshake' is performed. This is the Wireless Access Point and the client device negotiating with each other to allow access to the network.
It is during this exchange where the encoded passphrase is transmitted from the client to the wireless access point.
An attacker would use an application like ‘airdump’ to collect WIFI packets being addressed to and from a target SSID. The raw packets would be recorded to file for further processing in an offline attack of the WPA2-PSK passphrase.
What if I am already connected to the WIFI? Can they still steal the passphrase?
An attacker could wait within range of your wireless network and listen for the connection requests and then log them for further processing. However this increases the likelihood of detection (i.e. there is a person in a car outside your house waiting for a disconnection).
However an attacker could also perform a 'de-auth' attack to force devices on a WIFI network to disconnect and reconnect. A de-auth attack would perform a forced disconnect of all devices connected to a WIFI network, and your user devices would immediately begin reconnecting, performing the 'four-way handshake' which the attacker would record and further process offline.
But my password is random, won't it take a long time to crack?
An attacker can use a dictionary of common passphrases and variants to run a quick brute force decoding of the captured handshake. Should the passphrase not be decoded through this attack, the recorded handshake can be fed into a cloud computing type service to expedite the decryption of a passphrase.
An 8 character WPA2-PSK with special characters, numbers and mixed case has 6.63 x 10^15 possible combinations and depending on the hardware may take months or years to successfully decrypt.
However a well resourced attacker could also leverage cloud computing to offload the passphrase decryption to several specialised processors.
These devices would obviously be extremely expensive and power hungry but nonetheless would still be able to decrypt a trivially short password in short order.
So how do I protect my home WIFI from hackers and attacks?
- Laptops, computers and mobile devices should always be protected with a layer of antivirus and internet security software.
Without active virus scanning and intrusion monitoring an attacker would be able to slip malware into a network which could disable such protections.
- Keep your virus databases and signatures up-to-date.
A great deal of people install a virus scanner and forget to maintain their subscriptions or permit the updates to occur on a regular basis. New viruses and malware are developed and transmitted on a daily basis, maintaining protections against these 0-day viruses is imperative.
- Change your WIFI password on a regular basis, and ensure the password is NOT written down somewhere publicly visible.
There is no point changing your password regularly if an attacker can discreetly take a photo of your post-it note on the fridge from several hundred meters away.
- Change the SSID of your wireless network regularly.
Since the SSID name is used to both locate and encode your WPA2-PSK passphrase, changing this value will also affect the encoded passphrase being transmitted.
- Reduce the power output of your Wireless Access Point.
If you can connect to your access point from half way down the street, you should consider reducing the power output to encompass as much of the house as possible. This will make the task of capturing packets by an attacker much more difficult and increases their likelihood of detection.