This invention relates to the operation of wireless local area communications networks, such as those operating to the IEEE 802.11 standard commonly known as “Wi-Fi”. Such systems are widely available and provide access to a telecommunications network, such as the “Internet” for any suitably equipped wireless user terminal, using a wireless interface. Such systems are commonly provided in areas where mobile users may require access to the Internet using their own wireless terminals. Access may be subject in some cases to access control requirements (password control), but the present invention is more concerned with public access systems.
In a typical configuration, an infrastructure or managed Wi-Fi network is used to provide public access/hotspot style wireless internet services, using fixed access points to operate as portals between the user terminals and the wider network. If several such access points are required to cover a large space with the potential to generate a lot of traffic, such as a stadium, the access points can be configured to operate according to a channel plan, in order to avoid interference between them and maximise capacity.
The 802.11 standard also allows for ad-hoc or peer-to-peer networks to be created. Formally these are known as IBSS (independent basic service set) networks. In such systems individual wireless stations communicate directly with each other. When established, an IBSS consists solely of client stations that are directly connected without the requirement of a centralised access point or wireless router. Within the system there is no physical distribution system, portal, or integrated wired LAN. This allows data to be exchanged between individual members of the group, but the group cannot communicate with the wider “Internet” unless at least one of its members is also connected to an external access point.
Networks using the 802.11 protocols advertise their existence to potential clients by generating beacon management frames as a means of detailing the network configuration, and to maintain synchronisation of any stations currently connected. In an infrastructure or managed Wi-Fi fixed network the access points generate the beacons, whilst beacon generation in an ad-hoc (IBSS) network is distributed between all stations. When a station joins an ad-hoc network it too must participate in beacon frame generation in the absence of a centralised access point. Each station maintains its own timer to maintain the beacon interval within the ad-hoc network.
In a standard network configuration, management and control traffic is typically transmitted at the lowest modulation rate possible (lowest bitrate); this maximises the coverage area and ensures robustness of broadcast traffic within the service environment.
With the proliferation of Wi-Fi enabled devices such as smartphones and the ever-growing demand for internet or data connectivity, there exists a behaviour of the ad-hoc protocol that can severely increase network congestion in certain environments. The implementation of network connection managers in some client devices (referred to herein as ‘susceptible’ or ‘vulnerable’ devices) can allow the (accidental or malicious) propagation of ad-hoc networks in public areas. This issue is a particular problem when the ad-hoc network beacons advertise themselves as providing “free” internet access, which they cannot in fact provide unless they also have an external connection, thereby enticing users who are looking for Wi-Fi connectivity to connect to an ad-hoc network rather than through the fixed access points installed for the purpose. In a location like a stadium or concert hall this can result in a large number of Wi-Fi enabled devices flooding the area with management or control traffic associated with such ad-hoc networks, which can significantly reduce the available capacity and service availability of the installed network.
It is a feature of the connection management process that the user devices will not display more than one network having the same network name (SSID—“service set identifier”), regardless of the number of beacon messages received. Another feature provides that, in the event of some beacon messages stating that the network requires a security mechanism to be employed (e.g. WPA/WPA2/802.1x), the existing connection management process offers the beacon message with that requirement in preference to any of the same name and SSID. Consumer products may also prioritise network selection by other criteria, such as signal strength, or infrastructure type (BSS or IBSS).
The default behaviour of the connection manager (the software that manages any Wi-Fi network connections) of a user device is to add any network to which it successfully connects as a ‘preferred network’, and in doing so the device will continually attempt to search for and join this network until it is either turned off or connects to another network. If this network were a standard infrastructure network (i.e. using an access point) the device would passively issue probe request frames and wait for a response to identify if this ‘preferred’ network was in the vicinity. However, if the network is an ad-hoc network the default behaviour of the device is to issue further beacon advertisements and await another device to make a peer-to-peer connection with itself. Where the network name (SSID, service set identifier) is enticing to surrounding users (e.g. appearing to offer a free public Wi-Fi service), and the implementation of the device connection manager either allows this type of network or does not distinguish between an ad-hoc or infrastructure network, a number of other users will inevitably attempt to connect. In doing so these new devices also become members of the ad-hoc network and in turn participate in the generation of the network beacon advertisements. This behaviour will continue even if the original ad-hoc source is subsequently moved out of the environment or disabled. The resultant behaviour is a propagation of this network (over time and distance) through every device that attempts to make a connection; the network thus becomes, in effect, viral.
Should such a device subsequently enter the coverage environment of an infrastructure or managed Wi-Fi network used to provide public access/hotspot style wireless internet services in a publicly accessible area such as a stadium, this behaviour can result in a substantial and rapid increase in network traffic, as all beacon advertisements are sent at the lowest bit rates and potentially from a large number of devices as more and more users attempt connection. As with many WIPS/WIDS (wireless intrusion protection/wireless intrusion detection systems), the presence of such an ad-hoc or rogue access point within a managed network can be detected, and the necessary alarms raised through the managed access points or dedicated wireless sensors. A typical but crude method of dealing with such a threat is for the network to spoof de-authentication frames to any client that attempts a connection to the ad-hoc or rogue source. This technique would result in the disabling of any terminal which attempts to connect as soon as a connection is established. However, such a method is effectively a denial of service attack on the client devices attempting connection. In a private or restricted environment where only managed network equipment is permitted, this may be perceived as a valid technique, although it is unlikely to be popular with the users of the devices in question. However, in a public environment such techniques may not be permitted.
The primary focus of existing techniques is to prevent legitimate clients connecting to potentially insecure or malicious networks that pose a security threat to the wider network. While such techniques may be effective for rogue access points, they are unable to contain the propagation behaviour of ad-hoc networks within some connection manager implementations. As described earlier, once a vulnerable device has initiated an ad-hoc connection, it will continue to broadcast beacon frames even without the presence of other participating stations.
The present invention focuses on preventing the propagation of the ad-hoc network through vulnerable devices, with the aim of maximising potential bandwidth in critical scenarios.
It is known from U.S. Pat. No. 7,885,602 (Kelsey et al) to operate a network security system in such a way as to disrupt a rogue ad hoc network by fragmenting it into two or more smaller networks which are unable to communicate directly with each other. However, the control signals needed to disrupt the rogue network could actually increase traffic in the short term before containment is achieved.
The present invention provides a technique for preventing viral ad-hoc network propagation in wireless networks using a reactive system that allows containment of the ad-hoc network through exploiting the connection manager implementation of the vulnerable devices.
According to the invention, there is provided a method of operating an access point for a first wireless area network system comprising the steps of:
monitoring for beacon signals transmitted within the area of coverage of the access point,
on detection of a beacon signal, determining whether the beacon signal advertises a second wireless network, the second wireless area network being an ad-hoc network,
on such determination, initiating a network reconfiguration in the same environment as the second wireless network, by generating a new network identity matching that of the second wireless network, but having a higher-level security mechanism than the second wireless network such that mobile devices default to the new network identity in preference to the second wireless network,
and transmitting a beacon signal with the new network identity.
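The detection and reconfiguration steps above, worked through in code as an added example (this is not code from the patent or from any product it describes). The example parses a beacon frame body using the standard 802.11 layout (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then a run of information elements), reads the IBSS and Privacy capability bits and the RSN element to classify the network, and, for an ad-hoc beacon, produces the parameters of the containment network: the same SSID, infrastructure mode and a stronger security mechanism. The three-level security ranking (open, privacy-only, RSN) and the choice of WPA2-PSK for the containment network are this example's simplifications; the sample frames are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# 802.11 capability-information bits and element IDs used below
CAP_ESS = 0x0001      # infrastructure (access point) network
CAP_IBSS = 0x0002     # independent BSS, i.e. an ad-hoc network
CAP_PRIVACY = 0x0010  # data confidentiality required (WEP/WPA/WPA2)
IE_SSID = 0
IE_RSN = 48           # RSN element carrying WPA2 / 802.1X parameters

# Security ranking used by this example (a simplification of WEP/WPA/WPA2/802.1X)
SEC_OPEN, SEC_PRIVACY_ONLY, SEC_RSN = 0, 1, 2


@dataclass
class BeaconInfo:
    ssid: str
    beacon_interval_tu: int   # time units of 1024 microseconds
    is_ibss: bool
    security_level: int
    ies: Dict[int, bytes]


def parse_beacon_body(body: bytes) -> BeaconInfo:
    """Parse a beacon frame body: timestamp, interval, capability, then (id, len, value) elements."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies: Dict[int, bytes] = {}
    off = 12
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError("truncated information element")
        ies.setdefault(eid, body[off:off + length])  # keep the first occurrence of each element
        off += length
    ssid = ies.get(IE_SSID, b"").decode("utf-8", errors="replace")
    if IE_RSN in ies:
        level = SEC_RSN
    elif cap & CAP_PRIVACY:
        level = SEC_PRIVACY_ONLY
    else:
        level = SEC_OPEN
    return BeaconInfo(ssid, interval, bool(cap & CAP_IBSS), level, ies)


def containment_profile(b: BeaconInfo) -> Optional[dict]:
    """Reconfiguration step: for an ad-hoc beacon, return the parameters of an infrastructure
    network with the same identity but a higher security level. Returns None when the beacon
    is not ad-hoc, or already sits at the top of this example's ranking."""
    if not b.is_ibss or b.security_level >= SEC_RSN:
        return None
    return {
        "ssid": b.ssid,                 # identity matches the ad-hoc network
        "mode": "infrastructure",
        "security": "WPA2-PSK",         # hypothetical choice among WPA/WPA2/802.1X
        "security_level": SEC_RSN,
        "beacon_interval_tu": b.beacon_interval_tu,
    }


def _ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed sample frames (not captured traffic): an open ad-hoc beacon and a WPA2 AP beacon
ADHOC_OPEN_BEACON = (
    b"\x00" * 8 + struct.pack("<HH", 100, CAP_IBSS) + _ie(IE_SSID, b"Free Public WiFi")
)
INFRA_WPA2_BEACON = (
    b"\x00" * 8 + struct.pack("<HH", 100, CAP_ESS | CAP_PRIVACY)
    + _ie(IE_SSID, b"Stadium-WiFi")
    # RSN: version 1, group CCMP, one pairwise CCMP, one AKM PSK, capabilities 0
    + _ie(IE_RSN, bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"))
)

if __name__ == "__main__":
    for frame in (ADHOC_OPEN_BEACON, INFRA_WPA2_BEACON):
        info = parse_beacon_body(frame)
        kind = "ad-hoc" if info.is_ibss else "infrastructure"
        print(f"{info.ssid!r}: {kind}, security level {info.security_level} -> {containment_profile(info)}")
```

Only the ad-hoc beacon yields a containment profile; the managed network's own beacon is parsed but left alone. A real monitoring function would take the frame body from the access point's or sensor's capture interface, which is outside this example.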
As well as the security mechanism, the system may also use other factors such as the presence of a default setting in the user devices providing for infrastructure-type networks to take precedence over ad-hoc types, or simply defaulting to the beacon with the greatest transmit power, although an appropriate level may be difficult to determine where the distance of the access point from the user terminals is much greater than the inter-terminal distances, for example in a crowded stadium.
In one embodiment, the access point determines whether operation of the second wireless network is potentially disruptive of the operation of the first wireless network, and initiates the network reconfiguration if it is so determined.
This determination may involve assessment of how many mobile terminals have joined the second wireless network, analysis of the SSID or network identity of the second wireless network, determination of the security level required to access the second wireless network, or any combination of these factors.
The invention also provides a network management system for controlling one or more access points for a first wireless area network system, comprising
a monitoring system for monitoring beacon signals transmitted within the area of coverage of the access point,
a detection system for determining whether beacon signals detected by the monitoring system advertise a second wireless network, the second wireless area network being an ad-hoc network,
security detection means to detect a first security level required to access the second wireless network,
a network reconfiguration system for generating a new network identity matching that of the second wireless network, but requiring a second security level for access, the second security level being higher than the first security level, such that mobile devices default to the new network identity in preference to the second wireless network,
and arranged to cause at least one of the access points to transmit a beacon with the new network identity.
In the preferred arrangement the new network identity is configured such that it prevents the network identity relating to the second wireless network being made available to a connection manager function of a mobile terminal receptive to both the beacon signal of the second wireless network and the beacon signal containing the new network identity. In the embodiment to be described it is convenient for the new identity to replace the network identity relating to the second wireless network in the menu presented to the user.
A group of access points co-operating to provide coverage over a predetermined area may co-operate to transmit the new network identity in response to one member of the group identifying the presence of a second wireless network of the kind described.
The security mechanism employed may be, for example, of type WPA/WPA2/802.1x.
The intent of this reconfiguration is to exploit the connection manager implementation of the vulnerable devices, which are only capable of displaying a single network of the same name/SSID. In the environment where the reconfiguration/containment has occurred, the vulnerable devices will only show the infrastructure type network in the wireless network availability list from the device's connection manager, regardless of signal strength. This technique can be used to prevent new devices connecting to the ad-hoc network: because the containment network, acting as a ‘honeypot’, takes priority over an ad-hoc network on the device, any subsequent connection which would ordinarily begin the propagation of the ad-hoc network cannot occur. The layer of security added also serves the purpose of preventing the containment network being added to the preferred networks list; an incomplete connection (due to the lack of security credentials on connecting devices) will not be added to the ‘preferred network’ list.
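A model of the connection-manager behaviour that the containment relies on, as an added example (not code from the patent): a terminal sees several beacons, shows one entry per SSID, prefers a beacon that requires security over an open one and an infrastructure network over an ad-hoc one, and adds a network to its preferred list only when the connection completes. Running the scenario with and without the containment beacon shows the ad-hoc entry disappearing from the list and the preferred list staying empty. The beacons, BSSIDs and signal levels are constructed, and the ordering of the selection criteria is this example's assumption about a susceptible connection manager.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    ad_hoc: bool      # True for an IBSS beacon
    secured: bool     # True when the beacon requires WPA/WPA2/802.1X
    rssi_dbm: int


def select_per_ssid(beacons: List[Beacon]) -> Dict[str, Beacon]:
    """One entry per SSID. Preference order assumed here: security required,
    then infrastructure over ad-hoc, then signal strength."""
    chosen: Dict[str, Beacon] = {}
    for b in beacons:
        cur = chosen.get(b.ssid)
        rank = (b.secured, not b.ad_hoc, b.rssi_dbm)
        if cur is None or rank > (cur.secured, not cur.ad_hoc, cur.rssi_dbm):
            chosen[b.ssid] = b
    return chosen


def attempt_join(preferred: Set[str], net: Beacon, has_credentials: bool) -> bool:
    """A completed connection is remembered as a preferred network; a connection that
    fails for lack of credentials is not, which is what keeps the honeypot off the list."""
    if net.secured and not has_credentials:
        return False
    preferred.add(net.ssid)
    return True


# Constructed scenario: a viral ad-hoc beacon close to the terminal, the managed network
# further away, and the containment beacon sent by the managed access point.
VIRAL = Beacon("Free Public WiFi", "02:00:00:00:00:01", ad_hoc=True, secured=False, rssi_dbm=-40)
MANAGED = Beacon("Stadium-WiFi", "00:11:22:33:44:01", ad_hoc=False, secured=True, rssi_dbm=-70)
CONTAINMENT = Beacon("Free Public WiFi", "00:11:22:33:44:02", ad_hoc=False, secured=True, rssi_dbm=-75)


def simulate(with_containment: bool) -> Tuple[Dict[str, Beacon], Set[str]]:
    """Return the network list the user sees and the preferred list after the user
    taps the enticing SSID without holding any credentials."""
    beacons = [VIRAL, MANAGED] + ([CONTAINMENT] if with_containment else [])
    visible = select_per_ssid(beacons)
    preferred: Set[str] = set()
    attempt_join(preferred, visible["Free Public WiFi"], has_credentials=False)
    return visible, preferred


if __name__ == "__main__":
    for flag in (False, True):
        visible, preferred = simulate(flag)
        shown = visible["Free Public WiFi"]
        print(f"containment={flag}: shown entry is {'ad-hoc' if shown.ad_hoc else 'infrastructure'} "
              f"({shown.bssid}), preferred list = {sorted(preferred)}")
```

Without containment the open ad-hoc network is joined and becomes a preferred network, so the terminal would itself start beaconing for it; with the containment beacon present, even at a weaker signal, the ad-hoc entry is never shown and the failed join leaves nothing behind.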
In tests, such a technique has been shown to be successful in preventing the most susceptible device types from joining the ad-hoc source and propagating the network through surrounding devices.
In an environment with a channel allocation plan based on multiple fixed access points, the access point first detecting the rogue ad-hoc network can be used to initiate the same procedure on the other access points, to prevent propagation to the rest of the area of coverage.
The determination step can use decision-making processes that assess the risk to the network from any rogue ad-hoc network that has been identified. This process may involve a number of input variables including the settings of the detected ad-hoc network, e.g. the SSID name, the security or authentication settings and the proximity to other vulnerable devices within the network or environment. This may be rule-based, responding to ‘inviting’ SSID names, or names existing in a (pre-defined) database of known viral networks, which would pose a higher risk than an innocuous ad-hoc SSID. In addition, a network that has security settings configured as ‘Open’ or unsecured would be identified as requiring containment, as it would allow any device to connect and proliferate the undesirable ad-hoc behaviour. The system may also take account of other devices in the network to make a decision on whether to employ the containment method. This may be achieved through inspection of any currently unconnected client MAC (media access control) addresses in the area; a high concentration of devices from specific manufacturers (by analysis of the OUI [Organizationally Unique Identifier] octets in addresses), for example, could indicate a higher risk than usual. The system may also keep track of the ad-hoc device through feedback from all managed access points and employ the proposed method anywhere the device moves within the network; this would allow either permanent containment of the ad-hoc network or allow time in which the device could be located and the user requested to remove the ad-hoc ‘preferred network’ entry from the device.
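The rule-based risk assessment and the tracking across access points described above, as an added example (not the patent's or any product's code). A detected ad-hoc network is scored from its SSID (a known viral name or an inviting keyword), its security setting, how many members it has, and the share of nearby unconnected client MAC addresses whose OUI falls in a set of susceptible device types; a score at or above a threshold triggers containment. A tracker then records which access points have reported the same BSSID and returns the access points that should transmit the containment beacon, covering the channel-plan group of every reporting access point so the response follows the device. The keyword list, the viral-SSID database entries, the OUI set, the weights and the threshold are all constructed placeholders, and the OUIs are not real vendor assignments.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy inputs (placeholders, not a real database or real vendor OUIs)
INVITING_KEYWORDS = ("free", "public", "wifi", "internet", "hotspot")
KNOWN_VIRAL_SSIDS = {"Free Public WiFi", "hpsetup"}
SUSCEPTIBLE_OUIS = {"aa:bb:cc", "aa:bb:cd"}
SUSCEPTIBLE_SHARE = 0.5       # fraction of unconnected clients that counts as a high concentration
CONTAIN_THRESHOLD = 3


@dataclass
class AdHocObservation:
    bssid: str
    ssid: str
    open_network: bool             # True when no security mechanism is required
    member_count: int              # stations already beaconing for this IBSS
    unconnected_client_macs: List[str]


def oui(mac: str) -> str:
    """First three octets of a MAC address, lower-cased, e.g. 'aa:bb:cc'."""
    return mac.lower()[:8]


def risk_score(obs: AdHocObservation) -> Tuple[int, List[str]]:
    """Weighted rules over the observation; returns the score and the rules that fired."""
    score, reasons = 0, []
    if obs.ssid in KNOWN_VIRAL_SSIDS:
        score += 3; reasons.append("ssid in viral database")
    elif any(k in obs.ssid.lower() for k in INVITING_KEYWORDS):
        score += 2; reasons.append("inviting ssid")
    if obs.open_network:
        score += 2; reasons.append("open network")
    if obs.member_count >= 2:
        score += 1; reasons.append("already propagating")
    macs = obs.unconnected_client_macs
    if macs:
        share = sum(oui(m) in SUSCEPTIBLE_OUIS for m in macs) / len(macs)
        if share >= SUSCEPTIBLE_SHARE:
            score += 1; reasons.append(f"susceptible devices nearby ({share:.0%})")
    return score, reasons


def should_contain(obs: AdHocObservation) -> bool:
    return risk_score(obs)[0] >= CONTAIN_THRESHOLD


class AdHocTracker:
    """Collects reports from managed access points and decides which of them reconfigure.
    ap_groups maps an access point id to its channel-plan group (constructed layout)."""

    def __init__(self, ap_groups: Dict[str, str]):
        self.ap_groups = ap_groups
        self.reporters: Dict[str, Set[str]] = {}   # bssid -> access points that have seen it

    def report(self, ap_id: str, obs: AdHocObservation) -> Set[str]:
        self.reporters.setdefault(obs.bssid, set()).add(ap_id)
        return self.aps_to_reconfigure(obs.bssid) if should_contain(obs) else set()

    def aps_to_reconfigure(self, bssid: str) -> Set[str]:
        groups = {self.ap_groups[ap] for ap in self.reporters.get(bssid, ())}
        return {ap for ap, g in self.ap_groups.items() if g in groups}


# Constructed observations
VIRAL_OBS = AdHocObservation(
    "02:00:00:00:00:01", "Free Public WiFi", open_network=True, member_count=3,
    unconnected_client_macs=["aa:bb:cc:00:00:01", "aa:bb:cd:00:00:02", "11:22:33:00:00:03"],
)
BENIGN_OBS = AdHocObservation("02:00:00:00:00:09", "my-printer", open_network=False,
                              member_count=1, unconnected_client_macs=[])
AP_GROUPS = {"ap1": "east-stand", "ap2": "east-stand", "ap3": "west-stand"}

if __name__ == "__main__":
    tracker = AdHocTracker(AP_GROUPS)
    for obs in (VIRAL_OBS, BENIGN_OBS):
        print(obs.ssid, risk_score(obs), "contain" if should_contain(obs) else "ignore")
    print("ap1 reports viral ->", sorted(tracker.report("ap1", VIRAL_OBS)))
    print("ap3 reports viral ->", sorted(tracker.report("ap3", VIRAL_OBS)))
```

The benign observation never reaches the threshold, so no access point is reconfigured for it; the viral one triggers containment on the reporting access point's whole group, and as a second access point in another group reports the same BSSID the set grows to follow the device.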