WiFi Rogue AP: 5 Ways to (Mis)use It
“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.” – What Firewalls Cannot Do, Firewalls and Internet security
Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the network administrator. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. In other cases, a Rogue AP can be deployed with malicious intent – say, by an attacker or his accomplice.

Sneaking Rogue APs into an enterprise may not be difficult. Pocket-size WiFi APs for less than $50 are readily available in retail stores. Because the RF signal spills beyond the building, a Rogue AP enables an attacker sitting in the parking lot to directly access your enterprise wired network. After interacting with some of our customers and prospects, I have realized that they are familiar with Rogue APs but lack a complete picture of what damage one can inflict via a Rogue AP. Hence, I thought of compiling this list of “uses” for a Rogue AP (yes, “use” from the perspective of an attacker or an unauthorized user).
- Data Leakage: One of the most basic uses of a Rogue AP is the wealth of information it can expose through leakage of enterprise data. Just by passively sniffing the leaked traffic, an attacker can gain information about the users in the network and their communication. Packets may leak network-related information such as host names and IP addresses (we all know how many broadcast packets network devices transmit). Or, worse, in some poorly configured networks, sensitive information such as user names, passwords, email and data communication may also leak out.
- Network Scans and Device Fingerprints: Once the host names and IP addresses are obtained, an attacker can use free tools to scan the network (e.g., IP Scan) and build a list of potential target hosts to attack. Each of the selected hosts can be “fingerprinted” using tools such as Nessus to obtain additional details – operating system vulnerabilities, misconfigurations, open services, etc. Fingerprinting of both the end hosts and network entities (e.g., switches, routers) can be extremely valuable for launching further attacks!
- Enterprise Data Access: With the information obtained from item #1 above, an attacker may already have the data he is looking for. If he is not (yet) lucky, targeted attacks can be launched on the list of potentially vulnerable hosts (built in item #2 above) to gain direct access to the data. Examples of such attacks include password guessing (how many of us change the default user names/passwords on switches/routers?), launching remote dictionary attacks and obtaining remote shell access (say, using buffer overflows).
- Free Internet Access: This is really cool – your Rogue AP can provide free Internet access to anybody in the vicinity of your premises (at your cost). There is no guarantee that it will not be used for illegitimate purposes. It can be used to bypass enterprise policies and access prohibited sites from your enterprise. Worse, criminal use of your Internet connection can put you in a great deal of legal trouble, all the more so if you are not able to produce any evidence of who used it.
- Denial of Service (DoS) Attack on your Enterprise Network: A Rogue AP can be used to bring down your enterprise network by launching a DoS attack. Example attacks include ARP Poisoning, IP Spoofing and any other network-device-specific DoS attacks. Tools are readily available on the Internet for launching such attacks.
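ARP poisoning, named in the DoS item above, leaves a passive fingerprint on the wire that a defender can watch for: an IP address whose advertised MAC address changes, or one MAC suddenly claiming several IPs (typically the gateway and its victims). The Python script below is an added example, not code from the original post; it walks constructed ARP-reply events (a real deployment would feed it from a packet capture on the segment the Rogue AP bridges into) and raises an alert on exactly those two patterns. The `trusted` dictionary of known-good bindings and the `max_ips_per_mac` threshold are assumed inputs.

```python
"""Passive ARP-poisoning detector over a stream of ARP replies.

Added example, not from the original post. The events below are
constructed; in practice they would be parsed from a packet capture.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP replies.
# The last two replies show one unknown MAC taking over the gateway's IP and
# then a workstation's IP, the classic poisoning pattern.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "10.0.0.1",  "00:11:22:33:44:01"),  # default gateway
    ("10:00:02", "10.0.0.25", "00:11:22:33:44:25"),  # workstation
    ("10:00:03", "10.0.0.1",  "00:11:22:33:44:01"),  # gateway again, unchanged
    ("10:00:09", "10.0.0.1",  "AA:BB:CC:DD:EE:FF"),  # gateway IP claimed by a new MAC
    ("10:00:10", "10.0.0.25", "AA:BB:CC:DD:EE:FF"),  # same MAC claims the workstation's IP
]


def detect_arp_poisoning(replies, trusted=None, max_ips_per_mac=1):
    """Return a list of alert dicts for suspicious IP/MAC bindings.

    replies: iterable of (timestamp, ip, mac) taken from ARP replies.
    trusted: optional {ip: mac} of known-good bindings (e.g. the gateway);
             a reply contradicting one is flagged and never overwrites it.
    max_ips_per_mac: a MAC that grows beyond this many distinct IPs is
             flagged, since a poisoner impersonates gateway and victims at once.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    binding = dict(trusted)        # ip -> MAC currently believed for that IP
    claimed = defaultdict(set)     # MAC -> set of IPs it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            kind = "trusted-binding-violated" if ip in trusted else "binding-changed"
            alerts.append({"time": ts, "kind": kind, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        if ip not in trusted:
            binding[ip] = mac      # learn or update an untrusted binding
        before = len(claimed[mac])
        claimed[mac].add(ip)
        # Alert only when the set of IPs grew and now exceeds the threshold,
        # so a repeated reply from the same MAC does not re-alert.
        if len(claimed[mac]) > before and len(claimed[mac]) > max_ips_per_mac:
            alerts.append({"time": ts, "kind": "multi-ip-claim", "ip": ip,
                           "mac": mac, "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES,
                                      trusted={"10.0.0.1": "00:11:22:33:44:01"}):
        print(alert)
```

A legitimate router or a host with several addresses on one interface will exceed `max_ips_per_mac`; seed `trusted` with such bindings or raise the threshold rather than ignoring the binding-change alerts, which are the stronger signal.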
Hence, any unattended Rogue AP is a serious threat to your network security. You should take appropriate measures to detect them and flush them out of your network.
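One concrete way to act on that detection advice is to correlate what a wireless scan hears with what the switches see. The Python script below is an added example, not code from the original post or from any product. It assumes three inputs: (SSID, BSSID) pairs from a wireless scan of the premises, a dump of MAC addresses learned on the enterprise switches, and an inventory of authorized BSSIDs. It relies on the common, but not universal, assumption that an AP's BSSID is its wired MAC address plus or minus a small offset within the same OUI; an AP heard over the air whose BSSID maps to a wired MAC but is not in the inventory is reported as a rogue on your wire, while APs with no wired match are classed as external (a neighbour's network).

```python
"""Wired/wireless correlation check for Rogue APs.

Added example, not from the original post. All inputs below are
constructed. The BSSID-to-wired-MAC offset heuristic is an assumption;
some APs use unrelated addresses, which this check will not catch.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed wireless scan: (SSID, BSSID) heard from the premises.
WIRELESS_SCAN = [
    ("Corp-WiFi",   "00:1a:2b:3c:4d:10"),
    ("Corp-Guest",  "00:1a:2b:3c:4d:11"),
    ("linksys",     "c8:3a:35:aa:bb:02"),   # not in inventory
    ("NeighborNet", "f4:f5:d8:11:22:33"),   # not in inventory
]
# Constructed CAM-table dump from the enterprise switches.
WIRED_MACS = ["00:1a:2b:3c:4d:0e", "c8:3a:35:aa:bb:00", "00:25:90:00:aa:01"]
# Constructed inventory of BSSIDs the administrator deployed.
AUTHORIZED_BSSIDS = ["00:1a:2b:3c:4d:10", "00:1a:2b:3c:4d:11"]


def mac_to_int(mac):
    """Normalise 'AA-BB-...' / 'aa:bb:...' to a 48-bit integer; reject junk."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value):
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def wired_neighbor(bssid, wired_macs, max_offset=4):
    """Return (wired_mac, offset) for a switch-learned MAC within max_offset
    of the BSSID and in the same OUI, else None."""
    target = mac_to_int(bssid)
    wired = {mac_to_int(m) for m in wired_macs}
    for delta in range(-max_offset, max_offset + 1):
        candidate = target + delta
        if candidate in wired and (candidate >> 24) == (target >> 24):
            return int_to_mac(candidate), delta
    return None


def classify_aps(scan, wired_macs, authorized_bssids, max_offset=4):
    """Label every scanned AP as authorized, rogue (on our wire, not in
    inventory) or external (heard over the air but not on our wire)."""
    authorized = {mac_to_int(b) for b in authorized_bssids}
    report = []
    for ssid, bssid in scan:
        match = wired_neighbor(bssid, wired_macs, max_offset)
        if mac_to_int(bssid) in authorized:
            status = "authorized"
        elif match is not None:
            status = "rogue"
        else:
            status = "external"
        report.append({"ssid": ssid, "bssid": bssid.lower(), "status": status,
                       "wired_mac": match[0] if match else None,
                       "offset": match[1] if match else None})
    return report


def rogue_aps(scan, wired_macs, authorized_bssids, max_offset=4):
    """Just the entries that need to be flushed off the network."""
    return [r for r in classify_aps(scan, wired_macs, authorized_bssids, max_offset)
            if r["status"] == "rogue"]


if __name__ == "__main__":
    for entry in classify_aps(WIRELESS_SCAN, WIRED_MACS, AUTHORIZED_BSSIDS):
        print(entry)
```

The wired MAC that matched tells you which switch port to trace, which is the step that turns a detection into a removal; the "external" bucket is worth reviewing by hand, since an AP connected through a NAT router or a hub may not show its own MAC on the switch.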
If you are thinking that your wired-side security mechanisms such as firewalls and Network Access Control (NAC) units can solve this problem reliably, I beg to differ (a topic for another post). Meanwhile, here is some food for thought – will you sleep in peace if one of the network cables of your enterprise is extended well outside of your premises? Well, a Rogue AP is not very different!
