1. Field of Invention
The present invention relates to the field of wireless networks. Specifically, the present invention relates to using clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately.
2. The Relevant Technology
With advances in micro-technology and wireless networks, networked mobile systems are becoming increasingly prevalent. There is also an ever growing demand for ubiquitous services. These two factors are fueling a wide scale deployment of wireless networks including the IEEE 802.11 wireless local area networks.
However, because of their importance in providing ubiquitous services and their inherent vulnerability due to broadcast nature of the wireless medium, the wireless local area networks (WLANs) are also becoming targets of a variety of attacks. One of the ways in which a WLAN can be attacked is by introducing one or more unauthorized (e.g., fake) Access Points (APs) in the network.
A fake AP can be set up by a malicious attacker to masquerade as an authorized AP by spoofing the authorized AP's medium access control (MAC) address, as shown in FIG. 1. This fake AP is used to fool a wireless node in the WLAN into accessing the network through the fake AP instead of the authorized one. The fake AP can then launch a variety of attacks thereby compromising the security of the wireless communication.
Setting up fake APs is not hard. Public domain programs sniff 802.11 probe request frames to find out the default AP of the probing wireless node and then impersonate the default AP. As current wireless standards do not mandate integrity protection of beacon frames and current AP selection procedures only consider signal strength as the criteria for selecting an AP, fake AP is a serious problem.
The new wireless security enhancement 802.11i RSNA (Robust Security Network Association) uses traditional cryptographic methods (i.e., digital certificates) to provide strong mutual authentication between wireless clients and the APs. Although this solution, if implemented properly, will make the fake AP attack less likely, the following practical issues can still make wireless networks using 802.11i RSNA vulnerable.
First, the traditional crypto methods are based on keys and passwords that can be stolen. Furthermore, they also commonly use public key certificates that are cumbersome and difficult to manage. That is, management and verification of digital certificates across different domains is known to be cumbersome. Second, as the current AP selection algorithms use signal strength as the only criteria for AP selection, users can be fooled to connect to the fake AP that has a higher signal strength compared to the original one but does not support any security measures such as RSNA. Third, an attacker can also set up fake APs having the same identifiers (MAC address, basic service set identifier (BSSID) and service set identifier (SSID)) as the original AP and evade detection by using different physical channel characteristics (e.g., by using short/long preambles, operating in a different channel, etc.).
Therefore, detecting unauthorized APs is a very important task of WLAN intrusion detection systems (WIDS).