Rogue APs

Rogue APs are unauthorized APs in a network. Network users often set them up for convenience, especially if there is no existing wireless infrastructure. APs are cheap and easy to install in a network and are frequently set up with no or minimal security. Even if rogue APs are set up with security features, such as WEP, a user is usually unable to configure more robust security mechanisms such as VPN tunnels or back-end authentication. Another potential danger is a physical intruder installing a rogue AP as a method of obtaining future access to a network.

Rogue APs do not have to be set up within a site's physical perimeter. They could be located offsite in a van or in a neighboring building. The MitM attacks discussed previously require the attacker to set up a rogue AP.

Some APs serve as public gateways, such as in airports, hotels, cafes, or other public hotspots, and many of them require a username to authenticate for wireless service. An attacker can set up a rogue AP to pose as a legitimate AP and gather user account information. One tool, Airsnarf, is designed to demonstrate just that. It sets up a rogue AP and presents any web page you want to a user. You can easily mirror a hotspot's registration page and steal user credentials as the user attempts to authenticate. Unless the user has some way to authenticate the AP, such as an SSL session, he has no defense against this type of attack. Even if the service provider uses SSL, the user will probably assume that the first legitimate-looking authentication screen that pops up is genuine. The attacker has the advantage that the user has no network access, so a casual user is likely to use anything to which he can connect. Use of one-time passwords limits the scope of this attack but does not prevent it. An attacker can still steal your one-time password and use it for one session. An attacker could even set up a billing page and steal credit card numbers or other sensitive information.

An attacker can also use a rogue AP to leverage a physical compromise of a network. If an attacker is able to get physical access to a network (either directly or through an accomplice), he might be able to place an AP on a wired network. This AP can allow future access to the network without the need for further physical intrusion. An attacker can then use this "mole" on the inside to perform other attacks, such as sending confidential data to the outside.

Clearly, rogue APs can represent significant security breaches into a network. A network administrator needs a strategy for finding and eliminating any APs that are not authorized to be on his network. Best practices for dealing with rogue APs are outlined in Chapter 9, "SWAN: End-to-End Security Deployment," and Chapter 11, "Operational and Design Considerations for Secure WLANs," but a summary of solutions is as follows:

  • Provide a secure wireless alternative.

  • Enforce strict policies for your users.

  • Perform periodic wireless surveys to detect rogue APs.
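The last point, periodic wireless surveys, is only useful if the survey results are compared against an inventory of what is supposed to be on the air. The following is an added example, not from the book or from any product it describes, of the comparison step: it parses a constructed survey listing (the `BSSID SSID channel signal` line format is an assumption; real scanners emit their own formats), checks each observed AP against an authorized-AP inventory, and classifies anything unexpected. It distinguishes three cases a surveyor cares about: an unknown BSSID advertising one of your own SSIDs (the hotspot-impersonation scenario described above), an unknown BSSID with a foreign SSID (a typical user-installed AP), and an authorized BSSID seen with a different SSID or channel than the inventory records (either an undocumented change or a cloned BSSID, both worth a visit).

```python
"""Rogue AP survey check (added example; inventory and survey data are constructed)."""
from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-wlan", 1),
    "00:11:22:33:44:02": ("corp-wlan", 6),
    "00:11:22:33:44:03": ("corp-guest", 11),
}

# Constructed survey output, one AP per line: BSSID SSID channel signal_dBm.
# The line format is an assumption; adapt parse_survey() to your scanner's output.
SAMPLE_SURVEY = """\
00:11:22:33:44:01 corp-wlan 1 -45
00:11:22:33:44:02 corp-wlan 6 -52
00:11:22:33:44:03 corp-guest 11 -60
aa:bb:cc:dd:ee:01 corp-wlan 6 -40
aa:bb:cc:dd:ee:02 linksys 11 -70
00:11:22:33:44:02 corp-wlan 9 -55
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    kind: str  # "rogue", "ssid_impersonation", or "inventory_mismatch"
    obs: Observation


def parse_survey(text):
    """Parse whitespace-separated survey lines; blank lines and '#' comments are skipped."""
    observations = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bssid, ssid, channel, signal = line.split()
        observations.append(Observation(bssid.lower(), ssid, int(channel), int(signal)))
    return observations


def classify(observations, authorized):
    """Compare each observed AP to the inventory and return the findings that need follow-up."""
    findings = []
    our_ssids = {ssid for ssid, _ in authorized.values()}
    for obs in observations:
        if obs.bssid in authorized:
            ssid, channel = authorized[obs.bssid]
            # Known BSSID but not as recorded: undocumented change or a cloned BSSID.
            if obs.ssid != ssid or obs.channel != channel:
                findings.append(Finding("inventory_mismatch", obs))
        elif obs.ssid in our_ssids:
            # Unknown radio advertising one of our SSIDs: the impersonation case.
            findings.append(Finding("ssid_impersonation", obs))
        else:
            # Unknown radio with a foreign SSID: a user-installed or neighboring AP.
            findings.append(Finding("rogue", obs))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a survey report."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = classify(parse_survey(SAMPLE_SURVEY), AUTHORIZED_APS)
    for f in sorted(results, key=lambda x: x.obs.signal_dbm, reverse=True):
        print(f"{f.kind:20} {f.obs.bssid} ssid={f.obs.ssid} ch={f.obs.channel} {f.obs.signal_dbm} dBm")
    print(summarize(results))
```

Sorting findings by signal strength puts the loudest unexpected radio first, which is usually the one physically closest to the survey point and the first to track down. Neighboring buildings' APs will show up as "rogue" too, so the inventory should be extended with a list of known neighbors once they have been identified, rather than treating every foreign SSID as a breach.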