
Fighting Rogue Access Points At linux.conf.au

Posted by timothy
from the your-boy-zoolander's-on-the-move dept.
An anonymous reader writes "Last week's linux.conf.au saw the return of the rogue access points. These are Wi-Fi access points which bear the same SSID as official conference hotspots. Often it might be a simple mistake, but sometimes it's more nefarious. To combat the attacks this year, conference organisers installed a Linux-based Wi-Fi 'intrusion prevention and detection system' supplied by sponsor Xirrus." At most conferences I've been to, I'd be grateful just to be able to get on any access point.
  • Cisco (Score:3, Informative)

    by Bios_Hakr (68586) <xptical.gmail@com> on Tuesday January 24, 2012 @12:24PM (#38807439) Homepage

    At a recent event, we utilized Cisco's Wireless Access Controller. We are an all-Cisco house, so it was an easy choice.

    http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com]

    • Re:Cisco (Score:5, Informative)

      by mindcandy (1252124) on Tuesday January 24, 2012 @12:30PM (#38807507)
      Cisco's WLSE has APs dedicated to TDOA and CleanAir .. you can upload a CAD drawing of the building and pinpoint where exactly your TDOA APs are, and it will show you exactly where (on a virtual drawing) the rogue AP or client is.
      • by Anonymous Coward

        Cisco's WLSE has APs dedicated to TDOA and CleanAir .. you can upload a CAD drawing of the building and pinpoint where exactly your TDOA APs are, and it will show you exactly where (on a virtual drawing) the rogue AP or client is.

        Cisco WLSE and WLC are completely different products that do different things. WLC is a wireless LAN controller that does all the radio management in hardware with lightweight APs. WLSE is an old software platform that tells IOS APs to change channels. WCS is the spiritual successor to WLSE.

      • by Lumpy (12016)

        And can be thrown off with a directional antenna.

        They are not accurate but highly approximate and if I put the "center" of my signal 4 rooms away it will not show my location.

        • by X0563511 (793323)

          Not to mention a simple CAD drawing is not going to include all the furniture, equipment, people etc - all things that affect the signal.

          At best it can give you a good idea where to start looking.

        • Here's a tip (and I work on a campus with thousands of these, btw)

          When we go looking for miscreants, the guy with the Yagi (or pringles can, or patch antenna, or anything that isn't a regular laptop without external cabling) sticks out pretty clearly.
      • by flosofl (626809)
        That's not really a differentiating feature; there are quite a few companies that have similar capabilities and are more accurate than Cisco. I find Cisco's wireless security offerings to be pretty damn weak. They target a very small slice of WLAN issues and exploits (granted, they are typically the most severe) compared to other vendors who focus solely on security.

        For WLAN Cisco is adequate (I have issues with some of their config and engineering choices), but for WIPS/WIDS I can think of perhaps two (
    • by Anonymous Coward

      At a recent event, we utilized Cisco's *cha-ching* Wireless Access Controller. We are an all-Cisco *cha-ching* house, so it was an easy choice.

      http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com] *cha-ching*

      Cisco. *cha-ching*

      • Clearly A/C has never had to do an enterprise deployment.

        The reason for going "all $vendor" (be it Cisco or Microsoft) is because our business is not about finding the absolute lowest line-item cost for every piece of IT gear.

        Our business is doing something ELSE, and IT is just in support of that.

        Could Cisco's technology be replicated with a bunch of WRT54GLs and a room full of grad students? .. probably, but who's going to support that long term?

        Trust me, the "fun" of making two random things work t
        • by asdf7890 (1518587)

          Clearly A/C has never had to do an enterprise deployment.

          Clearly you have misread A/C's point.

          He wasn't (unless my understanding is wrong, of course) commenting on the expense of the equipment, he was commenting on the fact that the parent post looked like a very amateur paid shill. A worthwhile informative post would not have simply stated "we use this stuff, here go look at this link", it would explain how that equipment was pertinent to the article at hand. Perhaps it makes solving the problem easier in some way, if so he could have stated that rather than

    • Re: (Score:2, Informative)

      Full Disclaimer: I work as a software engineer at Cisco in our San Jose headquarters, and I must also say that this product does exactly what the submitter needs.
      • by Bios_Hakr (68586)

        Nice. I've probably installed IOSs compiled by you. It's always nice when the IOS tells you who compiled it at boot time.

  • by Skarecrow77 (1714214) on Tuesday January 24, 2012 @12:32PM (#38807577)

    android phone + cyanogenmod + grandfathered verizon unlimited data plan = "it may not be perfect, but it gets the job done and it is still way better than the dialup connection I used back in the day."

    unless I'm in some building shielded with sandwiched lead sheets or something. in which case, hell, screw it, time to read an ebook.

    • Just window foil and energy efficient windows in a concrete/steel building will do it. I work for a mobile telco and we can't get any 3G at all inside the building, getting GSM900 reception is a struggle. It's so bad, we can't even use our cell phones in 90% of the rooms.
      • My company has a branch in another city that I occasionally have to visit. The office is on the 34th floor of a rather new building. Reception there is atrocious. I wonder if it's got the same problems you're talking about.

        When scouting out a new location for my company's business in this city, one of the first things I test is 3G signal strength for that reason.

    • by Inda (580031)
      Vanilla Android does that.

      It does in my country.

      Really.
      • your country is more awesome than the usa.

        here, our telcos sell us devices that we're locked out of by default, with features that are built into the operating system disabled, so that we can pay the telco stupid amounts of money to turn back on.

        or we just say "screw the warranty, I own this device, I'm going to do with it what I damn well please" and flash a cleaned-up rooted version of the OS on it.

      • by Cimexus (1355033)

        Hell, my iPhone does this out of the box. It's nothing to do with Android or the phone itself, and everything to do with the telcos/carriers.

  • by vlm (69642) on Tuesday January 24, 2012 @12:34PM (#38807623)

    Note for next revision of the protocol... public key signed SSID names. Or SSL certed SSIDs

    • by Anonymous Coward

      It's happening (kinda).

      Take a look at 802.11u.

    • by Anonymous Coward

      Where do you get the public key? Why is that source more trusted than the source of the SSID?

      • by vlm (69642)

        Where do you get the public key? Why is that source more trusted than the source of the SSID?

        There was a fad a couple years back of handing out little circuit boards with "stuff" on them at cons. I could see the next HOPE conference handing out ID necklaces with a little cheap USB flash drive as the "I paid my entrance fee" physical token.

        At work it's simpler: you preload your standard system image with the key.

      • by Anonymous Coward

        You do something smart.

        Attach it to emails of the Convention newsletter, maybe with links on the convention web page. Or request it from the infodesk along with the wifi password.

        Heck, depending on the swag bag you get, include a small USB drive with the keys.

      • 1. Print big poster with the key fingerprint
        2. Prevent people from putting up their own posters

        Physical security ftw.

    • Already done; but not really designed for the 'open' deployment scenario:

      WPA2 (if you flip the switch to "enterprise", this is exactly the sort of hassle that gets left out in order for things to Just Work and not get returned to the store by frustrated Joe User) adds 802.1X authentication, which includes validation of the authentication server's certificate.

      Trouble is, all that stuff is basically aimed at a big serious corporate deployment, where everybody has a username and password and things are c
      • by Vancorps (746090)

        I have a unique perspective on this problem as I do shows as well. The idea is, you have one set of access points that provide service, one set that monitor, and one set for active interference with rogue APs. When a rogue AP starts broadcasting you blanket the exact frequency and change neighboring service access points to channels that are on the other side of the spectrum. This works great in practice against regular people popping up a Linksys when they only pay for one Internet connection.

        It won't work f

  • by King_TJ (85913) on Tuesday January 24, 2012 @12:35PM (#38807631) Journal

    As wi-fi becomes a mainstream Internet on-ramp when you're out and about, I think the rogue AP issue needs to be addressed FAR better than it is today. As the story's submitter said, tech conferences might be the least of the problem since most of the time, you've got a massive flood of wi-fi usage attempts concentrated under one roof at such things. The tech-savvy will already plan on other forms of connectivity (such as 3G or 4G cellular). Plus, the vast majority of conference-goers are trying to send photos, video or blog entries of the happenings ... not taking out time to do their online banking, shopping or what-not. So rogue sites trying to scrape for data are less likely to capture anything really useful.

    My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut. I can advise them that certain companies contract to provide thousands of APs for chain restaurants, and typically have an AP identifying themselves as such. (You'll often see an SSID of "wayport" at a McDonalds for example.) But beyond that, the average laptop or smartphone user really doesn't even think about someone spoofing a legitimate-looking SSID. I've even run across such things as multiple SSIDs showing up with no password at our airport, where I knew at least 1 or 2 of them were fakes. (One had an SSID of "airport wifi", as I recall, when I know our airport only provides wifi in the terminal waiting area via AT&T - who would NOT name it anything like that.)

    • Isn't the basic answer "use encryption"?

      You have no way of knowing if your internet connection is trustworthy - there was that incident where 30% of net traffic was routed through China for a time.

      • by timeOday (582209)
        Yes, I scanned the article for any good reason to think a "rogue" access point would be any worse than any other, and only got:

        Those Man-in-the-Middle attacks are serious, potentially leading to data or identity theft. Secure websites and services will display an error when this happens, but many users ignore the warnings.

        OK. The only take-home I get from this is, don't ignore SSL errors. I think we all know that we have no idea where our traffic is going and ultimately who is looking at it, regardless of

    • Or... (Score:4, Informative)

      by betterunixthanunix (980855) on Tuesday January 24, 2012 @12:43PM (#38807789)
      Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.
      • Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.

        Good methodology for those of us who actually (at least half-assed) understand how this internet stuff works.

        However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."

        • by yuhong (1378501)

          Well there is already SSL built into browsers, and it is standard for banks already.

        • by hitmark (640295)

          Indeed, we have not even been able to get most people to use encrypted email by default...

    • by Hatta (162192) on Tuesday January 24, 2012 @12:47PM (#38807849) Journal

      My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut.

      The answer is very clear cut. All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

      • All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

        So what do you recommend to the average traveler who doesn't have corporate VPN/SSH tunneling? Is there a solution for mom/dad/grandma/grandpa who are traveling with their iPad/laptop, or even going to Starbucks etc.?

        • by Hatta (162192)

          If you can't run your own VPN, buy one. I can't recommend a provider, because I run my own.

    • Arguably, trying to solve this problem at the AP level is something of a fool's errand. There are easily thousands upon thousands of entities running non-malicious access points, many of which the user would have not the slightest reason to be able to judge the legitimacy of (Hotel Chain A might entirely plausibly hire ObscurePoint Access LLC to run their wifi, so name recognition won't help you much, and SSL won't be too useful because, even when it works, that only helps prevent spoofing of a name, it does
      • by Anonymous Coward

        And now you need either a static IP for the home router or to sign up for a dynamic IP tracking service. And even that little bit of terminology and requirement will stump most home users -- unless that gets rolled in with the auto setup USB magic.

        • True. My thinking, rough draft, is that the router would go and sign itself up for a dynamic DNS service (presumably bundled into the cost of the device by the manufacturer and, since the configuration would be handled automatically by the config file, the hostname needn't be memorable in the slightest; SHA1-of-something.vendor.com style addresses wouldn't exactly be scarce...) when the first VPN key is requested.

          It is certainly a rough-cut approximation of a plan, it just seems a pity that all the ingredi
    • by MagicM (85041)

      How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?

      It's always safe to connect. It's what you do once connected that matters.

      Unfortunately devices now do so many things automatically that you can easily get in trouble without knowing it. Auto-poll for new Email/Twitter/Facebook/AppStore content? You'd better hope that polling uses a complete and robust SSL implementation.

      Depending on your definition of "safe", even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.

    • by gl4ss (559668)

      why would the legitimate AP be any better than the "illegitimate AP".
      if doing banking, you should use encryption and one time codes anyways.

      anyhow - a conference holder could for example make an application for Android, Windows and iOS that would detect the legit APs and do a handshake with them. but then the problem becomes how do you distribute that app - and it's not like you can trust anyone connecting to that network anyhow.

    • by Lehk228 (705449)
      This is a huge advantage of BlackBerry over Android and iOS: regardless of any hostile access point everything goes through a secure tunnel to the BIS servers. The downside is that on rare occasions the service has trouble despite being able to connect to the internet.

      this is not just for wifi connections; there are no technical measures in place to allow a phone to validate a cell tower it is connected to, and hostile/sniffer towers already exist.
  • I would have hoped all the normal standard practices would protect you almost totally from this.... Don't use an important password except over https where your browser doesn't raise red flags. Use a VPN or ssh to connect to servers that are important to you. Seems the same practices that protect you from your normal ISP would protect you from rogue access points too, no?
  • by DarkOx (621550) on Tuesday January 24, 2012 @12:52PM (#38807921) Journal

    At most conferences I've been to, I'd be grateful just to be able to get on any access point.

    I hope you have an SSH thumbprint to verify for any hosts you plan to connect directly to, and tunnel everything else!

  • by sethstorm (512897) on Tuesday January 24, 2012 @12:56PM (#38807983) Homepage

    Airespace had something where you could actively "discourage" or otherwise overwhelm the rogue AP within a defined area. Now that Cisco took over, it's just a "spot the rogue, hope you're right" type of deal.

    • One wonders if Cisco's legal chaps got a trifle nervous about shipping a system that involved quite-possibly-subject-to-CFR 47 15.5 [gpo.gov] device or devices intentionally causing interference to other such devices...

      In particular, I'd be a trifle leery of the possibility that I was contravening the letter, as well as the spirit, of part B:

      "(b) Operation of an intentional, unintentional, or incidental radiator is subject to the conditions that no harmful interference is caused and that interference must be ac
  • Free speech (Score:1, Troll)

    by Score Whore (32328)

    Some people's "rogue access points" are other people's free speech. Maybe they should stop trying to squelch free speech?

    • by Anonymous Coward

      This is not free speech. A "rogue access point" is an attempt at identity theft.

      Free speech is go setup your own show in a different place, and see who is willing to show up and listen.

  • android phone + wireless ap detection software of choice + conference management + exit door = problem solved. (find them and kick them out)
  • And yet, wifi coverage was fairly spotty for the conference. Some of those access points definitely weren't working, you'd have to manually choose which MAC address to use, or point your antenna in a different direction before you could connect properly.

    If you wanted to set up a rogue AP, you could probably get away with it in the corridors. Though you wouldn't be able to hack everyone, there were plenty of people hanging around outside the main halls checking emails etc.

    But overall, it was a pretty cool c

  • From the point of view of the infrastructure/security go-to man for a small company, what options are there for locating unauthorised APs? We scan for unauthorised MAC addresses turning up on the network so an alert goes out if something unwanted is plugged into the LAN, but that wouldn't detect a soft-AP running on an otherwise expected machine (nor would it spot a device with a faked MAC, but that is another matter). Are there any reliable methods of picking up on new APs turning up (even those that are n
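As an added example (not from the thread, and not any vendor's product), one way a small network team can spot the evil-twin problem the story describes: parse `iw dev <iface> scan` style output (a constructed sample is embedded) and flag BSSIDs advertising an authorised SSID that are not on the team's own allow-list, plus look-alike SSIDs. The SSID `lca2012`, the allow-list and all BSSIDs are assumptions made up for the example.

```python
"""Evil-twin / rogue AP check over Wi-Fi scan results (added example)."""
import re

# Constructed sample, shaped like `iw dev wlan0 scan` output (assumed values).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
\tsignal: -48.00 dBm
\tSSID: lca2012
\tDS Parameter set: channel 1
BSS 00:11:22:33:44:02(on wlan0)
\tsignal: -61.00 dBm
\tSSID: lca2012
\tDS Parameter set: channel 6
BSS de:ad:be:ef:00:01(on wlan0)
\tsignal: -35.00 dBm
\tSSID: lca2012
\tDS Parameter set: channel 6
BSS ca:fe:00:00:00:07(on wlan0)
\tsignal: -70.00 dBm
\tSSID: lca2012-free
\tDS Parameter set: channel 11
"""

# Authorised infrastructure: SSID -> BSSIDs the network team actually installed.
AUTHORISED = {"lca2012": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def parse_scan(text):
    """Return one dict per BSS: bssid, ssid, signal (dBm), channel."""
    aps, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": None,
                   "signal": None, "channel": None}
            aps.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("SSID: "):
                cur["ssid"] = s[len("SSID: "):]
            elif s.startswith("signal: "):
                cur["signal"] = float(s.split()[1])
            elif s.startswith("DS Parameter set: channel "):
                cur["channel"] = int(s.rsplit(" ", 1)[1])
    return aps


def _norm(ssid):
    """Fold case and punctuation so 'LCA 2012' and 'lca2012-free' compare."""
    return re.sub(r"[^a-z0-9]", "", (ssid or "").lower())


def find_rogues(aps, authorised):
    """Flag evil twins (authorised SSID, unknown BSSID) and look-alike SSIDs.

    The signal level is kept in the finding: the strongest copy of a
    legitimate SSID is the first one to go and look for (see thread above).
    """
    findings = []
    known = {_norm(s): s for s in authorised}
    for ap in aps:
        if ap["ssid"] in authorised and ap["bssid"] not in authorised[ap["ssid"]]:
            findings.append(("evil-twin", ap))
        elif ap["ssid"] not in authorised and any(
                _norm(ap["ssid"]).startswith(k) for k in known):
            findings.append(("lookalike-ssid", ap))
    return findings
```

Run it against a real capture by piping `iw dev wlan0 scan` output into `parse_scan`; the allow-list is the piece that needs to come from whoever installed the conference or office APs.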
  • When I use a public wireless access point, my networking scripts immediately set up an OpenVPN tunnel and make that the default route. If you don't route all your traffic over a VPN when you use public wireless of any kind, you're asking for trouble.