Wireless networks are one of the fastest growing segments in the worldwide telecommunications market. In a typical wireless (radio) system, mobile subscribers are served by a series of interconnected radio stations, or base stations, each covering a certain geographical area. The base stations are connected to and controlled by a mobile switching center (MSC) which is in turn connected to the wireline (land line) public switched telephone network (PSTN). The mobile subscribers are provided with portable or mobile (car-mounted) telephone units, which are collectively called mobile stations. The base stations represent the entry points, or network access points (APs).
A serious problem which has plagued wireless communications systems is fraud, which results in significant monetary losses for the respective network and service providers. To address this issue, wireless networks use encryption for maintaining the confidentiality of the information exchanged over the air link. Encryption, however, does not fully address access of unauthorized mobile stations to a network to steal services (e.g. fraudulent use of mobile identification numbers, “roamer” fraud, mobile station “cloning”). A variety of verification and validation systems were developed and installed to detect and prevent these types of fraud. Thus, most tools for securing communications in a wireless system perform authentication for confirming the identity of the mobile station, at registration, call initiation or call reception. Since both authentication and encryption require communication between the remote (visited) network and the home network (where the mobile station (MS) has a permanent registration) in order to obtain mobile-specific information, the authentication of the MS is a complex and sophisticated task.
In addition to mobile fraud, one of today's most challenging IT security issues is the detection and removal of illegal (fraudulent) wireless APs; these are generally referred to as “rogue access points (AP)”. Rogue APs are set up by malicious attackers with a view to simply deny access to the network, or to attract traffic towards them and obtain sensitive information from users. This can leave the assets of the company under attack wide open for a casual snooper or a criminal hacker.
Current wireless protocols do not provide authentication mechanisms for determining if the AP is a valid AP or a rogue one, and the attackers take advantage of this vulnerability. For example, when an 802.11 MS attempts to connect to a given network, it scans the environment and looks for APs located nearby, automatically selects the best available AP and connects with it; e.g. Windows XP connects automatically to the best connection possible in the vicinity. At this point, wireless protocols include ways to authenticate the mobile, but not the AP. Due to this behavior, authorized clients of one organization can connect to APs from a neighboring organization. Though the neighbor's APs have not intentionally lured the client, these associations can expose sensitive data. The existence of the problem has been documented for GSM networks by Niemi and Nyberg (UMTS Security, Wiley, 2003) and for IEEE 802.16 networks by Johnston and Walker (Overview of IEEE 802.16 Security, IEEE Security and Privacy Magazine, pp. 40-48, Vol. 2, 2004).
Rogue AP detection is a two-step process starting with discovering the presence of an AP in the network, and then proceeding to identify whether it is a rogue one or not. Current methods for discovering the presence of an AP can be classified into Radio Frequency (RF) scanning, AP scanning, or use of wired line inputs. RF scanning, which is suitable for WLANs, is performed by placing RF sensors all over a wired network. These sensors, which are mainly re-purposed APs that only perform packet capture and analysis, detect any wireless device operating in the area and can alert the WLAN administrator. However, a rogue AP may be placed in a dead zone, which is not covered by the sensors, so that it might go unnoticed until more sensors are added. Also, these fixed sensors cannot detect directional rogue APs.
AP scanning implies deploying APs enabled with a scanning device for discovering all APs operating in a nearby area. Though it is a very useful feature, few AP vendors have this functionality implemented in their products. In addition, the ability of an AP enabled with AP scanning is limited to a very short range; rogue APs operating outside this coverage area will go unnoticed.
Generally, the network management software uses the wired side inputs technique to discover APs, which may detect devices connected to a LAN (e.g. SNMP, Telnet, Cisco Discovery Protocol (CDP), etc.). This approach is reliable and proven as it can detect an AP anywhere in the LAN, irrespective of its physical location. Moreover, wireless Network Management Systems (NMS) can also constantly monitor these APs for health and availability. The limitation with this method is that any AP that doesn't support the respective network management software will go unnoticed by the network management software.
Once an AP is discovered, the next step is to identify whether it is a rogue AP or not, which is not an easy task. One of the major difficulties is presented by the fact that the method of attack depends on the type of network. In WiFi/802.11 networks, which use carrier sense multiple access, the attacker has to capture the identity of a legitimate AP in order to build a message using the identity of a legitimate AP. Once it captures such an authorized identity, the rogue AP waits until the medium is idle and then sends messages to the MS(s).
On a local plane, this problem is addressed by some administrators, who use pre-configured lists with authorized MAC addresses for authorized APs, vendors, media types, or channels, and provide a tool which automatically advises of any newly detected AP that falls outside the authorized list. For example, M. K. Chirumamilla, et al. describe such a technique in the paper entitled “Agent Based Intrusion Detection and Response System for Wireless LAN”, IEEE International Conference on Communications (ICC), 492-496, 2003. The paper proposes to check MAC addresses extracted from beacons of APs, for membership in such a list of registered APs. Failure to resolve the MAC address is interpreted as a rogue AP attack. This approach is however vulnerable to MAC address spoofing. In addition, the lists must be updated and are sometimes outdated, and thus unreliable.
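The list check described above, as an added example that is not taken from the original text or the cited paper: each observed beacon is looked up by MAC address in a pre-configured list, optionally comparing the listed channel and SSID as well. The record layout, the addresses, the SSID field and the `classify` function are assumptions made for illustration; the last constructed sample shows that a beacon carrying a copied listed identity is indistinguishable to this check.

```python
# Added example: membership check of AP beacons against an authorized list.
# All addresses and beacon records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str    # MAC address advertised in the beacon
    ssid: str
    channel: int


# Pre-configured list of authorized APs: MAC -> (SSID, channel).
AUTHORIZED = {
    "02:00:00:aa:00:01": ("corp-wlan", 1),
    "02:00:00:aa:00:02": ("corp-wlan", 6),
}


def normalize(mac: str) -> str:
    """Canonical form so 'AA-BB' and 'aa:bb' spellings compare equal."""
    return mac.strip().lower().replace("-", ":")


def classify(beacon: Beacon, check_attributes: bool = True) -> str:
    """Return 'authorized', 'mismatch' or 'unknown' for one beacon."""
    entry = AUTHORIZED.get(normalize(beacon.bssid))
    if entry is None:
        return "unknown"       # MAC not in the list: reported as rogue
    if check_attributes and entry != (beacon.ssid, beacon.channel):
        return "mismatch"      # listed MAC seen with unexpected attributes
    return "authorized"


def scan(beacons, check_attributes: bool = True):
    """Classify every observed beacon, preserving order."""
    return [classify(b, check_attributes) for b in beacons]


# Constructed sensor observations.
OBSERVED = [
    Beacon("02:00:00:AA:00:01", "corp-wlan", 1),   # legitimate AP
    Beacon("02:00:00:bb:00:09", "corp-wlan", 11),  # MAC not in the list
    Beacon("02:00:00:aa:00:02", "corp-wlan", 11),  # listed MAC, wrong channel
    Beacon("02:00:00:aa:00:02", "corp-wlan", 6),   # exact copy of a listed AP
]

if __name__ == "__main__":
    for beacon, verdict in zip(OBSERVED, scan(OBSERVED)):
        print(f"{beacon.bssid:<18} ch{beacon.channel:<3} {verdict}")
```

With the MAC-only check (`check_attributes=False`) the third record is also accepted, and no variant of the list check separates the fourth record from the legitimate AP it copies.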
Furthermore, rogue AP detection does not seem to be addressed in the context of WiMax/802.16 access networks. WiMax/802.16 is a next generation wireless access network technology which is faster (speeds of up to 70M bits per second), provides network coverage over a distance of about 50 km, offers better quality of service and is more secure than previous wireless technologies. Future WiMax products will support mobile wireless connections; for example, Intel plans to integrate WiMax support in notebook computers by 2006 and in mobile phones by 2007. In view of the potential market size for the future WiMax market, and of the current trend of increase in attacks on network security, the problem of rogue AP detection is an important aspect of secure WiMax communication.
However, rogue AP attacks are an important threat to these networks. In order to succeed, an attacker must first be armed with the identity captured from a legitimate AP, and transmit at the same time as the legitimate AP. The attacker must also transmit a signal that arrives at the targeted MS with a received signal strength (RSS) much stronger than the signal received from any legitimate AP in the area. In this case, the MS receiver automatically reduces its gain in the presence of this strong illegitimate signal, to a point where the legitimate signal appears as background noise. The exact difference in strength between the two signals depends on the receiver sensitivity.
In addition, with this technology, the mutual authentication of the mobile and AP is optional and occurs late in the network access process. As well, security at the physical layer is absent. As such, a rogue AP attack can occur at several points during a dialog between an MS and an AP in WiMax/802.16 access networks.
Other methods of establishing the legitimacy of an AP include that proposed by Beyah et al. in a paper entitled “Rogue Access Point Detection using Temporal Traffic Characteristics” published in the Proc. of IEEE Global Telecommunications Conference (GLOBECOM), pp. 2271-2275, 2004. The paper proposes an approach based on the analysis of the temporal characteristics of the network traffic. It is based on the assumption that the wireless traffic is more random than the wired traffic. However, the method described in the Beyah et al. paper proposes discovery of rogue APs by visual inspection of traffic plots, and is not automated. Furthermore, assumptions on traffic characteristics are hard to validate in real networks.
In principle, the current solutions for detecting rogue APs are expensive, rudimentary and easy to circumvent. Therefore, wireless networks need efficient methods to detect the rogue APs in order to prevent malicious attacks.