When traveling, at trade shows or when visiting a client or customer, a wireless access point (AP) can offer the most direct way to connect to the web. And the most dangerous, too.
Beware “rogue” access points (RAPs). They’re out there ready to get you when you expect it least.
Rogue access points pop up on your device’s network menu with labels that look like what you’d expect to see when trying to gain access to a system in a public or semi-public space.
They pop up in coffee shops, hotel lobbies and hallways, on trade show floors, commuter trains or at airports. The network label at Reagan National Airport in Washington DC, for example, reads FlyReagan. But someone may have set up a RAP labeled FlyReagan or FlyDCA for their own (read: dark) purposes.
RAPs vs. APs: Would you know the difference?
Have you ever been pwned by a rogue AP? Most victims wouldn’t be able to recognize a RAP even if it fell from the ceiling and bounced off their head.
Security-savvy IT professionals, it turns out, are just as susceptible to RAP attacks (the digital, stealthier kind) as anybody else.
After security firm WatchGuard Technologies ran a rogue access point experiment at the RSA Conference 2017 in San Francisco, HelpNet Security reported that the security researchers had lured 4,499 Wi-Fi clients into their gotcha network. The “victims” of the experiment, it should be noted, were mostly IT security professionals.
They were lucky and hopefully learned their lesson. In the wild, rogue APs are rarely set up for educational purposes. In less benign circumstances, the goal may be to pull off a Man-In-The-Middle (MITM) attack, for example, by using a tool like Ettercap.
Such multipurpose tools make victims believe they are interacting with a valid endpoint, when they (and the real endpoint) are actually interacting with a third party who is secretly controlling the dataflow. The attacker can stay silent in the background, just observing or skimming off credentials and other information.
Another way rogue APs are used is to flood a network with random data to create a denial-of-service condition. But possibly the most worrisome use is as a data exfiltration point.
Network data exfiltration via RAP
In this scenario, the rogue AP (the same one that tricks you into connecting, but used here for a different purpose) injects malware into a system to steal files and data on a secured network to which your device is connected.
To accomplish this heist, the rogue AP can be logically positioned so that the haul never goes past the boundaries that have been set up by IT and the intrusion detection systems that sit there. For the attacker, it’s like using a side road to bypass the guards at a checkpoint on the main road.
As for you, the victim in this scenario: congratulations. Your random hookup habits on WiFi just opened up your employer (and perhaps its business partners and customers) to IP and ID theft, malware attacks, possibly lawsuits... you get the idea.
Stealing data over WiFi is easier than you think, as documented here. The bad guys can capture and broadcast an identical network name and trick the victim’s machine into connecting to an "evil twin".
Why legit APs are pushovers for RAPs
Perpetrators don’t need a computer science degree to launch a rogue AP. The web is awash in hardware and software tools that make launching rogue access points fairly straightforward, with capabilities far beyond simple message interception.
One feature, for instance, allows attackers to shut down other competing APs available in the same area so that a victim will be more likely to connect to the rogue access point instead of the real one.
Software tools like the Aircrack-ng suite facilitate this kind of deauthentication of clients from legitimate routers - with occasionally unexpected (and potentially dangerous) effects that go beyond just hijacking a victim’s connection.
A security researcher found out about this the hard way when a rogue AP incidentally shut down the roller coaster he was riding at Disneyland. He had forgotten that a device called a WiFi Pineapple, used to set up APs for pen testing, was still active in his backpack. The ride got up the first big hill - then everything stopped dead.
“Huge security and privacy problem”
That’s when the pen tester realized that the Pineapple was still on. It had intercepted the roller coaster’s WiFi signal and shut down the router associated with it, which stopped the ride in its tracks.
“Everything around us [is] running on WiFi these days, and nobody is protecting things correctly,” WiFi pen testing gear reviewer Shannon Morse told The Parallax. “Wi-Fi is a huge convenience factor for customers and consumers, but it’s also a huge security and privacy problem.”
For a rogue AP to work as intended by the perpetrator, your system needs to connect to it first. Such connections can be made by the device’s WiFi subsystem without any manual intervention on your part, though.
One of the biggest traps is the “auto-join” feature, meant for users to enjoy an effortless hook-up with available WiFi access points. If a device has previously connected to a network and “knows” it from the name it broadcasts (the SSID), it will reconnect to it every time it encounters it if auto-join is enabled.
It’s that same feature that allows a rogue AP to effortlessly trick a device into auto-connecting by simply presenting a common SSID as its name, like “NETGEAR”.
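The evil-twin and auto-join traps described above can be spotted from the client side by comparing a Wi-Fi scan against a baseline of trusted networks. The following is an added example, not code from the article; the trusted baseline, the scan rows and the list of common default SSIDs are constructed sample data.

```python
"""Flag likely evil-twin and rogue access points in a Wi-Fi scan.

Added example, not from the article. The trusted baseline and the scan
rows below are constructed sample data; in practice the rows would come
from a scanner such as iw, airodump-ng or nmcli.
"""
COMMON_DEFAULT_SSIDS = {"netgear", "linksys", "xfinitywifi", "attwifi"}

# Constructed baseline: SSID -> (expected security, set of trusted BSSIDs)
TRUSTED = {
    "FlyReagan": ("WPA2", {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}),
    "CorpNet": ("WPA2-EAP", {"aa:bb:cc:11:11:01"}),
}

# Constructed scan rows: (ssid, bssid, security, signal_dbm)
SCAN = [
    ("FlyReagan", "aa:bb:cc:00:00:01", "WPA2", -61),      # legitimate
    ("FlyReagan", "de:ad:be:ef:00:01", "OPEN", -35),      # evil twin: new BSSID, open, loud
    ("CorpNet", "aa:bb:cc:11:11:01", "WPA2-EAP", -70),    # legitimate
    ("NETGEAR", "de:ad:be:ef:00:02", "OPEN", -50),        # auto-join bait
]


def find_rogue_aps(scan, trusted=TRUSTED, defaults=COMMON_DEFAULT_SSIDS):
    """Return a list of (bssid, ssid, reason) for every suspicious row."""
    findings = []
    for ssid, bssid, security, _signal in scan:
        if ssid in trusted:
            expected_sec, known_bssids = trusted[ssid]
            if bssid not in known_bssids:
                findings.append((bssid, ssid, "unknown BSSID for trusted SSID"))
            if security != expected_sec:
                findings.append((bssid, ssid, "security downgrade"))
        elif security == "OPEN" and ssid.lower() in defaults:
            findings.append((bssid, ssid, "open AP using a common default SSID"))
    return findings


def strongest_per_ssid(scan):
    """Map SSID -> BSSID with the strongest signal, which is what a client
    will usually pick; useful for noticing when a suspect BSSID wins."""
    best = {}
    for ssid, bssid, _security, signal in scan:
        if ssid not in best or signal > best[ssid][1]:
            best[ssid] = (bssid, signal)
    return {s: b for s, (b, _) in best.items()}


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN):
        print(f"{bssid}  {ssid!r:12} {reason}")
    print("strongest per SSID:", strongest_per_ssid(SCAN))
```

In the sample scan the louder open "FlyReagan" wins the strongest-signal comparison, which is exactly the situation in which an auto-joining client would land on the impostor.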
How to protect yourself against rogue APs?
Switching off Auto-Join on your mobile device should be the first, but not the only step.
Make sure to also enable server verification on the client side. Consider deploying WiFi protection apps or hardware. And most importantly, use a VPN or a cloud-based browser that provides strong encryption for your data traffic, rendering it useless for the attacker should it get intercepted.
Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM's SecurityIntelligence as well as Security Now.