Access points and base stations (sometimes referred to generically as points of attachment) provide a gateway between a wireless network and a wired network. Wireless networks have an inherent security risk in that the signals transmitted in a wireless network can be received by any wireless device within range of the transmitter. The popular IEEE 802.11 wireless networking standard combats this by including security mechanisms known as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA and WPA2). WEP and WPA provide rudimentary authentication and data encryption for wireless clients. Beyond WEP and WPA, many vendors implement firewalls and MAC address filtering in an attempt to protect the internal network infrastructure and wireless clients.
What is often overlooked in wireless network security is the threat posed by rogue access points (APs).
The AP impersonation attack was originally developed to trick unsuspecting clients into connecting to an attacker-controlled wireless network. This can be achieved by establishing a rogue access point with the same SSID (Service Set Identifier) as the target network. For example, an attacker could impersonate a wireless network by broadcasting the SSID of that specific wireless network with high signal strength so as to appear to offer the best connectivity. Wireless devices scan for their preferred wireless network SSID and associate with the access point offering the strongest signal. An attacker can configure an access point to respond to client requests and ultimately trick the client into connecting to the attacker's access point. The attacker can then monitor, control or modify any of the traffic sent to and from the client.
For example, the attacker can then serve the client a web page asking the user to re-enter their credentials, assign the client an IP address and pass its traffic on to the Internet. The user of the wireless device may remain unaware that the attack has occurred.
A method for dealing with rogue access points is described in the patent application WO2008/095291. In some embodiments the combination of a wireless network's SSID and the AP's MAC address (Media Access Control address) is verified when a wireless device first connects to an access point. The administrator of the WLAN provides registration information regarding itself, including the desired SSIDs, to a central server. The central server receives the registration information and connects to a database registry containing all registered SSIDs. A check is performed to ensure that the desired SSID has not already been registered. If the desired SSID has not been registered, the central server creates an association between the SSID and each AP MAC address of the WLAN. This association is stored in the database registry. The central server then transmits the registration information to a certificate authority. The certificate authority validates the registration information and, if the validation passes, issues for each access point within the WLAN a digital certificate associating that AP's MAC address with the SSID of the WLAN. Each such digital certificate is transmitted to the corresponding access point of the WLAN.
Once the wireless device is connected to an access point of the WLAN, that access point transmits its digital certificate to the wireless device. The wireless device connects to the central server through the access point and submits the certificate and SSID to the central server. The central server authenticates the digital certificate and verifies that the purported network identifier is indeed associated with the WLAN to which the AP with this MAC address belongs. This ensures that the WLAN to which the wireless device is connecting is the one to which the wireless device intends to connect.
The known method remains vulnerable to a so-called man-in-the-middle attack: the certificate can be sniffed, copied and used by rogue access points. The application suggests the use of traceroute information to prevent sniffing; however, tracerouting is not suitable in an IP network, since packets can be routed over many different routes between the same endpoints, and further, nothing prevents a rogue access point from also spoofing the traceroute packets.
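As an added illustration, not code from the cited application or from this document, the registration and certificate-verification steps described above are modelled in Python. An HMAC under a key shared by the certificate authority and the central server stands in for the CA's signature, and the SSID and MAC values are constructed; note that the verification step receives only the certificate bytes and the purported SSID, so the same certificate verifies whichever radio hands it over, which is the weakness described above.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the certificate authority's signing key (assumption:
# the real scheme uses CA-issued digital certificates, not a shared HMAC key).
CA_KEY = b"constructed-ca-key-for-illustration"


def issue_certificate(ssid, ap_mac):
    """CA step: bind one AP MAC address to the WLAN's SSID and sign the binding."""
    payload = base64.b64encode(json.dumps({"ssid": ssid, "ap_mac": ap_mac}).encode())
    sig = base64.b64encode(hmac.new(CA_KEY, payload, hashlib.sha256).digest())
    return payload + b"." + sig


class CentralServer:
    def __init__(self):
        self.registry = {}  # database registry: SSID -> set of registered AP MAC addresses

    def register_wlan(self, ssid, ap_macs):
        """Administrator registration: reject an SSID that is already taken,
        store the SSID/MAC associations and return one certificate per AP."""
        if ssid in self.registry:
            raise ValueError(f"SSID {ssid!r} is already registered")
        self.registry[ssid] = {mac.lower() for mac in ap_macs}
        return {mac: issue_certificate(ssid, mac) for mac in self.registry[ssid]}

    def verify(self, cert_blob, purported_ssid):
        """Central-server check on what the wireless device submits: the certificate
        must be genuine, name the purported SSID, and carry a MAC registered for it.
        Nothing here ties cert_blob to the AP that presented it over the air."""
        payload, sig = cert_blob.rsplit(b".", 1)
        expected = hmac.new(CA_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64decode(sig), expected):
            return False  # forged or tampered certificate
        fields = json.loads(base64.b64decode(payload))
        if fields["ssid"] != purported_ssid:
            return False  # certificate was issued for a different network
        return fields["ap_mac"] in self.registry.get(purported_ssid, set())
```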
US20040198220 discloses another system for securely accessing a wireless network. The system includes a security server that subscribes to messages from an SNMP trap on the access point. When a mobile unit associates with that access point, the trap sends a message indicating the association information. A roaming control client on the mobile device polls the security server, which verifies (or not) that it has received the message for that association.
A disadvantage of this system is that, since the wireless device polls the security server via the not-yet-authenticated access point, the device will most likely have exchanged several messages, possibly including sensitive data, with a potentially rogue access point before even realising that it is a fake access point.
EP1542406 discloses an impersonation detection system for a wireless node. The node comprises an intrusion detection module for correlating original data frames, transmitted directly by the wireless node over a secure link to the intrusion detection module, with incoming data frames received over the air interface. If the wireless node is inactive but the intrusion detection module receives traffic that indicates that the monitored node is the originator, then this would be a sign of suspect behaviour since correlation of the data sets would not result in an empty data set.
This is a fairly complicated system, in which the intrusion detection module constantly has to monitor the channels allocated to the node using an antenna in order to compare frames. Another disadvantage is that the wireless node has to be connected to the intrusion detection module over the secure link, and if this link fails for some reason the system does not work. It is also a disadvantage that the node needs to keep two connections running most of the time.