1. Field of the Invention
Embodiments of the present invention generally relate to wireless security and, more particularly, to a method and apparatus for authenticating a wireless access point.
2. Description of the Related Art
Public access to the Internet has increased dramatically in the last several years. Business people, students and travelers rely on the Internet to keep in constant communication with their workplaces, universities, family and friends. People also rely on the Internet to receive the most up-to-date news and financial information such as stock market quotes. As a result, coffee shops, cafes, and other businesses commonly offer wireless Internet access to attract customers that require a constant Internet connection.
The number of computers in a private home has also increased in the last several years. A family may have one computer specifically for children to use for homework and another computer specifically for parents. A parent or a student may have a laptop computer he or she brings home from work or school. Typically, it is desirable for all of these computers to have access to the Internet. A wireless router can provide Internet access to all of the computing devices in the home, allowing each computer to share Internet access. The wireless router also provides an additional benefit by avoiding the expense and hassle of installing a wired connection for each computer in the home.
Each connection to a wireless network is made via a “wireless access point”. Wireless access points are also sometimes known as “hotspots” or “Wi-Fi hotspots”. A wireless access point may be a wireless router, another computer connected to the network, or any device that allows a computer to connect to the network. The network may be the Internet, a local area network (LAN), a wide area network (WAN), a home network, a corporate intranet, an ad hoc network or any computer network. A wireless access point broadcasts a service set identifier (SSID) identifying the presence of a wireless network. Computers can attempt to connect to the wireless access point once the SSID is known.
As the number of wireless access points has increased, cybercriminals have developed methods to intercept information destined for these wireless access points. One such threat to the security of a wireless access point is known as the “evil twin” access point. The cybercriminal deploys a wireless access point that broadcasts the same SSID as a known wireless access point but with stronger signal strength. A computer is typically set to automatically reconnect to any known SSID, i.e., an SSID with the same name as an SSID to which the computer previously connected. A computer is also typically set to connect to the known SSID broadcasting the strongest signal. Because the evil twin access point is broadcasting the same SSID as a known wireless access point and at stronger signal strength, the computer may automatically connect to the evil twin access point instead of the legitimate wireless access point.
Once the computer is connected to the evil twin wireless access point, the cybercriminal receives all of the information originally intended for the legitimate wireless access point. This information may include credit card information, user names and passwords, and other sensitive information. The cybercriminal can also use the evil twin wireless access point to infect the computer with a computer virus or other malware. Because the evil twin wireless access point broadcasts the same SSID as the legitimate wireless access point, the user is often unaware he has connected to the evil twin wireless access point and that he is transmitting his information directly to the cybercriminal.
Further, computers can only identify a wireless access point by the SSID. Each time a computer encounters a wireless access point with an SSID identical to a previously encountered SSID, the computer assumes the wireless access point is the same as the previously encountered wireless access point. A false level of trust and security is built into identifying a wireless access point by only the SSID. The user may also set the computer to automatically connect to a known wireless access point, in which case an evil twin wireless access point may broadcast a commonly used SSID to ensnare a connection by the unsuspecting user. Currently, a method does not exist for a computer to authenticate a wireless access point by anything other than the SSID.
Thus, there is a need in the art for a method and apparatus that enables a computer to authenticate a wireless access point in a manner that does not solely rely upon the SSID.