Fighting Rogue Access Points At linux.conf.au
An anonymous reader writes "Last week's linux.conf.au saw the return of the rogue access points. These are Wi-Fi access points which bear the same SSID as official conference hotspots. Often it might be a simple mistake, but sometimes it's more nefarious. To combat the attacks this year, conference organisers installed a Linux-based Wi-Fi 'intrusion prevention and detection system' supplied by sponsor Xirrius." At most conferences I've been to, I'd be grateful just to be able to get on any access point.
Cisco (Score:3, Informative)
At a recent event, we utilized Cisco's Wireless Access Controller. We are an all-Cisco house, so it was an easy choice.
http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com]
Re:Cisco (Score:5, Informative)
Re: (Score:1)
Cisco's WLSE has APs dedicated to TDOA and CleanAir. You can upload a CAD drawing of the building and pinpoint where exactly your TDOA APs are, and it will show you exactly where (on a virtual drawing) the rogue AP or client is.
Cisco WLSE and WLC are completely different products that do different things. WLC is a wireless LAN controller that does all the radio management in hardware with lightweight APs. WLSE is an old software platform that tells IOS APs to change channels. WCS is the spiritual successor to WLSE.
Re: (Score:3)
And can be thrown off with a directional antenna.
They are not accurate but highly approximate, and if I put the "center" of my signal 4 rooms away it will not show my location.
Re: (Score:2)
Not to mention a simple CAD drawing is not going to include all the furniture, equipment, people etc - all things that affect the signal.
At best it can give you a good idea where to start looking.
Re: (Score:2)
When we go looking for miscreants, the guy with the Yagi (or pringles can, or patch antenna, or anything that isn't a regular laptop without external cabling) sticks out pretty clearly.
Re: (Score:2)
Agreed. We see a ton of these in the most unusual places.
Re: (Score:1)
Re: (Score:2)
For WLAN Cisco is adequate (I have issues with some of their config and engineering choices), but for WIPS/WIDS I can think of perhaps two (
Re:Cisco *cha-ching* (Score:1)
At a recent event, we utilized Cisco's *cha-ching* Wireless Access Controller. We are an all-Cisco *cha-ching* house, so it was an easy choice.
http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html [cisco.com] *cha-ching*
Cisco. *cha-ching*
Re: (Score:2)
The reason for going "all $vendor" (be it Cisco or Microsoft) is because our business is not about finding the absolute lowest line-item cost for every piece of IT gear.
Our business is doing something ELSE, and IT is just in support of that.
Could Cisco's technology be replicated with a bunch of WRT54GLs and a room full of grad students?
Trust me, the "fun" of making two random things work t
Re: (Score:3)
Clearly A/C has never had to do an enterprise deployment.
Clearly you have misread A/C's point.
He wasn't (unless my understanding is wrong, of course) commenting on the expense of the equipment, he was commenting on the fact that the parent post looked like a very amateur paid shill. A worthwhile informative post would not have simply stated "we use this stuff, here go look at this link", it would explain how that equipment was pertinent to the article at hand. Perhaps it makes solving the problem easier in some way, if so he could have stated that rather than
Re: (Score:2, Informative)
Re: (Score:2)
Nice. I've probably installed IOSs compiled by you. It's always nice when the IOS tells you who compiled it at boot time.
I've always got an access point on me (Score:5, Informative)
android phone + cyanogenmod + grandfathered verizon unlimited data plan = "it may not be perfect, but it gets the job done and it is still way better than the dialup connection I used back in the day."
unless I'm in some building shielded with sandwiched lead sheets or something. in which case, hell, screw it, time to read an ebook.
it's easier to block than you think (Score:2)
Re: (Score:2)
My company has a branch in another city that I occasionally have to visit. The office is on the 34th floor of a rather new building. Reception there is atrocious. I wonder if it's got the same problems you're talking about.
When scouting out a new location for my company's business in this city, one of the first things I test is 3g signal strength for that reason.
Re: (Score:2)
It does in my country.
Really.
Re: (Score:3)
your country is more awesome than the usa.
here, our telcos sell us devices that we're locked out of by default, with features that are built into the operating system disabled, so that we can pay the telco stupid amounts of money to turn back on.
or we just say "screw the warranty, I own this device, I'm going to do with it what I damn well please" and flash a cleaned-up rooted version of the OS on it.
Re:I've always got an access point on me (Score:4, Insightful)
depends on what criteria you're talking about.
If it's internet access, yeah most of europe and a good portion of asia kicks our ass.
if it's access to junk food, guns, or street drugs... hard to beat the USA.
Re: (Score:2)
Maybe I am a nerd, but I think I will take net access over those others.
Re: (Score:2)
And still the online tech press reports on US telecom products as if they are the latest and greatest...
Re: (Score:2)
Hell, my ~iPhone~ does this out of the box. It's nothing to do with Android or the phone itself, and everything to do with the telcos/carriers.
Public key signed SSID names? (Score:4, Insightful)
Note for next revision of the protocol... public key signed SSID names. Or SSL certed SSIDs
Re: (Score:2)
It's happening (kinda).
Take a look at 802.11u.
Re: (Score:2)
Where do you get the public key? Why is that source more trusted than the source of the SSID?
Re: (Score:3)
Where do you get the public key? Why is that source more trusted than the source of the SSID?
There was a fad a couple years back of handing out little circuit boards with "stuff" on them at cons. I could see the next HOPE conference handing out ID necklaces with a little cheap USB flash drive as the "I paid my entrance fee" physical token.
At work its simpler, you preload your standard system image with the key.
Re: (Score:2)
Or some QR code that translates into an encryption key.
Re: (Score:1)
You do something smart.
Attach it to emails of the Convention newsletter, maybe with links on the convention web page. Or request it from the infodesk along with the wifi password.
Heck, depending on the swag bag you get, include a small USB drive with the keys.
Re: (Score:2)
1. Print big poster with the key fingerprint
2. Prevent people from putting up their own posters
Physical security ftw.
Re: (Score:3)
WPA2 (if you flip the switch to "enterprise", this is exactly the sort of hassle that gets left out in order for things to Just Work and not get returned to the store by frustrated Joe User) adds 802.1X authentication, which includes validation of the authentication server's certificate.
Trouble is, all that stuff is basically aimed at a big serious corporate deployment, where everybody has a username and password and things are c
Re: (Score:2)
I have a unique perspective on this problem as I do shows as well. The idea is, you have one set of access points that provide service, one set that monitor, and one set for active interference with rogue APs. When a rogue AP starts broadcasting you blanket the exact frequency and change neighboring service access points to channels that are on the other side of the spectrum. This works great in practice against regular people popping a linksys when they only pay for one Internet connection.
It won't work f
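The detection half of the scheme above (one set of radios listening, then deciding which beacons are not yours) boils down to comparing what is on the air against an allowlist. Here is an added example of that triage, not code from the conference, Xirrius, Cisco or the poster. The SSID, BSSIDs and the scan results are constructed; a real deployment would feed it beacons from a monitor-mode radio. It flags three things the thread describes: an official SSID coming from a BSSID you don't own, a BSSID you do own suddenly advertising a different security mode (probably spoofed), and look-alike SSIDs. Finding the box is still a job for the person with the Yagi.

```python
"""Rogue-AP triage over a scan list.  Added example, not conference or
vendor code.  The allowlist, SSIDs and BSSIDs below are made up."""
from dataclasses import dataclass
import difflib

# Hypothetical allowlist of the official network: SSID -> known BSSIDs
# and the security mode the real APs advertise.
OFFICIAL = {
    "lca2012": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "WPA2-EAP",
    },
}


@dataclass(frozen=True)
class Beacon:
    """One beacon as a monitor radio would report it (constructed)."""
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2-PSK" or "WPA2-EAP"


def normalize(ssid: str) -> str:
    return ssid.strip().casefold()


def lookalike_of(ssid: str, official=OFFICIAL, threshold: float = 0.8):
    """Return the official SSID this one imitates, or None.

    classify() has already handled exact-key matches, so arriving here
    with a normalized-equal name means it differs only in case or
    whitespace, which is itself a classic evil-twin trick."""
    n = normalize(ssid)
    if not n:  # hidden SSID: nothing to compare, don't flag every one
        return None
    for real in official:
        r = normalize(real)
        if n == r or r in n or n in r:
            return real
        if difflib.SequenceMatcher(None, n, r).ratio() >= threshold:
            return real
    return None


def classify(beacon: Beacon, official=OFFICIAL):
    """Return (verdict, reason) for one beacon."""
    spec = official.get(beacon.ssid)
    if spec is not None:
        known = {b.lower() for b in spec["bssids"]}
        if beacon.bssid.lower() not in known:
            return "ROGUE", f"official SSID from unknown BSSID {beacon.bssid}"
        if beacon.security != spec["security"]:
            return "ROGUE", (f"known BSSID advertising {beacon.security}, "
                             f"expected {spec['security']}")
        return "OK", "matches allowlist"
    target = lookalike_of(beacon.ssid, official)
    if target is not None:
        return "SUSPECT", f"look-alike of official SSID {target!r}"
    return "OTHER", "unrelated network"


def triage(beacons, official=OFFICIAL):
    """Everything that is not OK, worst first, as a worklist for whoever
    goes looking with the directional antenna."""
    order = {"ROGUE": 0, "SUSPECT": 1, "OTHER": 2}
    rows = []
    for b in beacons:
        verdict, reason = classify(b, official)
        if verdict != "OK":
            rows.append((verdict, b.ssid, b.bssid, b.channel, reason))
    rows.sort(key=lambda r: order[r[0]])  # stable: keeps scan order within a class
    return rows


# Constructed scan: one real AP, two evil twins, two look-alikes, one bystander.
SAMPLE_SCAN = [
    Beacon("lca2012", "00:11:22:33:44:01", 1, "WPA2-EAP"),
    Beacon("lca2012", "aa:bb:cc:dd:ee:ff", 6, "OPEN"),
    Beacon("lca2012", "00:11:22:33:44:02", 11, "WPA2-PSK"),
    Beacon("LCA2012 ", "aa:bb:cc:dd:ee:01", 1, "OPEN"),
    Beacon("lca2012-free", "aa:bb:cc:dd:ee:02", 6, "OPEN"),
    Beacon("NetComm1234", "aa:bb:cc:dd:ee:03", 11, "WPA2-PSK"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(*row)
```

The "known BSSID, wrong security" case is worth keeping separate from the unknown-BSSID case: a rogue that clones your BSSID as well as your SSID will sail past a BSSID-only allowlist, and the only giveaway on the air is that it offers open or PSK where your real network offers 802.1X.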
This is a growing problem everywhere .... (Score:4, Insightful)
As wi-fi becomes a mainstream Internet on-ramp when you're out and about, I think the rogue AP issue needs to be addressed FAR better than it is today. As the story's submitter said, tech. conferences might be the least of the problem since most of the time, you've got a massive flood of wi-fi usage attempts concentrated under one roof at such things. The tech-savvy will already plan on other forms of connectivity (such as 3G or 4G cellular). Plus, the vast majority of conference-goers are trying to send photos, video or blog entries of the happenings ... not taking out time to do their online banking, shopping or what-not. So rogue sites trying to scrape for data are less likely to capture anything really useful.
My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut. I can advise them that certain companies contract to provide thousands of APs for chain restaurants, and typically have an AP identifying themselves as such. (You'll often see an SSID of "wayport" at a McDonalds for example.) But beyond that, the average laptop or smartphone user really doesn't even think about someone spoofing a legitimate-looking SSID. I've even run across such things as multiple SSIDs showing up with no password at our airport, where I knew at least 1 or 2 of them were fakes. (One had an SSID of "airport wifi", as I recall, when I know our airport only provides wifi in the terminal waiting area via AT&T - who would NOT name it anything like that.)
Re: (Score:2)
Isn't the basic answer "use encryption"?
You have no way of knowing if your internet connection is trustworthy - there was that incident where 30% of net traffic was routed through China for a time.
Re: (Score:2)
OK. The only takehome I get from this is, don't ignore SSL errors. I think we all know that we have no idea where our traffic is going and ultimately who is looking at it, regardless of
Or... (Score:4, Informative)
Re: (Score:2)
Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.
Good methodology for those of us who actually (at least half-assed) understand how this internet stuff works.
However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."
Re: (Score:2)
However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."
There is an app for that. http://www.appbrain.com/app/ssh-tunnel/org.sshtunnel [appbrain.com]
The problems with that app are
A) requires a rooted device, and
B) is not a 'one-click' solution, requiring (what a typical user would consider) extensive setup on both ends of the connection.
These factors combined ensure that, while useful for techies, this app in particular will never see mass adoption, which was the point I was getting at.
Re: (Score:1)
Re: (Score:2)
Well there is already SSL built into browsers, and it is standard for banks already.
Re: (Score:2)
Re: (Score:2)
Indeed, we have not even been able to get most people to use encrypted email by default...
Re:This is a growing problem everywhere .... (Score:5, Insightful)
My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut.
The answer is very clear cut. All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.
Re: (Score:2)
All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.
So what do you recommend to the average traveler that doesn't have corporate VPN/ssh tunneling? Is there a solution for mom/dad/grandma/grandpa who are traveling with their iPad/laptop. Or even going to Starbucks etc..?
Re: (Score:3)
If you can't run your own VPN, buy one. I can't recommend a provider, because I run my own.
Re: (Score:3)
Re: (Score:1)
And now you need either a static IP for the home router or to sign up for a dynamic IP tracking service. And even that little bit of terminology and requirement will stump most home users -- unless that gets rolled in with the auto setup USB magic.
Re: (Score:2)
It is certainly a rough-cut approximation of a plan, it just seems a pity that all the ingredi
Re: (Score:3)
How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?
It's always safe to connect. It's what you do once connected that matters.
Unfortunately devices now do so many things automatically that you can easily get in trouble without knowing it. Auto-poll for new Email/Twitter/Facebook/AppStore content? You'd better hope that polling uses a complete and robust SSL implementation.
Depending on your definition of "safe", even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.
Re: (Score:2)
even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.
You mean, like this? [chan4chan.com]
Re: (Score:2)
Why in the hell did I click on that lol
Re: (Score:2)
Why would the legitimate AP be any better than the "illegitimate AP"?
If doing banking, you should use encryption and one-time codes anyway.
Anyhow, a conference holder could for example make an application for Android, Windows and iOS that would detect the legit APs and do a handshake with them. But then the problem becomes how do you distribute that app, and it's not like you can trust anyone connecting to that network anyhow.
Re: (Score:2)
This is not just for wifi connections; there are no technical measures in place to allow a phone to validate the cell tower it is connected to, and hostile/sniffer towers already exist.
Wouldn't basic security practices protect you? (Score:2)
Any access point? (Score:3)
At most conferences I've been to, I'd be grateful just to be able to get on any access point.
I hope you have an ssh thumbprint to verify for any hosts you plan to connect directly to, and tunnel everything else!
Re: (Score:2)
I just use sshuttle [github.com].
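Both the "print the key fingerprint on a big poster" suggestion earlier in the thread and the "have an ssh thumbprint to verify" advice above come down to the same check: hash the host key the network hands you and compare it with a fingerprint you got some other way. Here is an added example of that comparison, not code from any poster or from OpenSSH. The host name and the key bytes are constructed (they are not real ed25519 points, just 32 bytes), but the fingerprint format is the one ssh and ssh-keygen -lf print, so a real known_hosts line pasted in gives the same SHA256:... string the client shows.

```python
"""Check an SSH host key against a fingerprint obtained out of band
(a poster, the infodesk, a preloaded image).  Added example; the host
and key bytes are constructed.  Matches the SHA256 fingerprint format
OpenSSH prints."""
import base64
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: the blob that is
    base64'd in known_hosts and that the fingerprint is hashed over."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public key is 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def known_hosts_line(host: str, raw_pubkey: bytes) -> str:
    blob = base64.b64encode(ed25519_blob(raw_pubkey)).decode()
    return f"{host} ssh-ed25519 {blob}"


def fingerprint(blob: bytes) -> str:
    """OpenSSH style: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    """Fingerprint of one known_hosts entry (host, keytype, base64 blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    return fingerprint(base64.b64decode(fields[2]))


def verify_host_key(line: str, expected: str) -> bool:
    """Compare against the out-of-band fingerprint.  Tolerate the two
    ways people copy it off a poster (with or without the '=' padding,
    lower-case prefix) but nothing else, and compare in constant time."""
    got = fingerprint_of_line(line)
    exp = expected.strip()
    if exp.lower().startswith("sha256:"):
        exp = "SHA256:" + exp[7:].rstrip("=")
    return hmac.compare_digest(got, exp)


# Constructed keys: just 32 deterministic bytes each, enough to show the check.
REAL_KEY = hashlib.sha256(b"constructed real host key").digest()
EVIL_KEY = hashlib.sha256(b"constructed rogue host key").digest()
HOST = "tunnel.example.org"  # hypothetical
REAL_LINE = known_hosts_line(HOST, REAL_KEY)
EVIL_LINE = known_hosts_line(HOST, EVIL_KEY)
POSTER = fingerprint(ed25519_blob(REAL_KEY))  # what you'd print on the wall

if __name__ == "__main__":
    print("poster says:", POSTER)
    print("real host matches:", verify_host_key(REAL_LINE, POSTER))
    print("rogue host matches:", verify_host_key(EVIL_LINE, POSTER))
```

The caveat the poster-and-physical-security reply already hints at: this only moves the trust to wherever the fingerprint came from. If the rogue can swap the poster, or sits between you and the conference web page, the fingerprint you compare against is theirs.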
Airespace had this, Cisco nerfed it. (Score:3)
Airespace had something where you could actively "discourage" or otherwise overwhelm the rogue AP within a defined area. Now that Cisco took over, it's just a "spot the rogue, hope you're right" type of deal.
Re: (Score:2)
In particular, I'd be a trifle leery of the possibility that I was contravening the letter, as well as the spirit, of part B:
"(b) Operation of an intentional, unintentional, or incidental radiator is subject to the conditions that no harmful interference is caused and that interference must be ac
Free speech (Score:1, Troll)
Some people's "rogue access points" are other people's free speech. Maybe they should stop trying to squelch free speech?
Re: (Score:1)
This is not free speech. A "rogue access point" is an attempt at identity theft.
Free speech is go setup your own show in a different place, and see who is willing to show up and listen.
Solution (Score:1)
Even so, coverage was poor. (Score:2)
And yet, wifi coverage was fairly spotty for the conference. Some of those access points definitely weren't working, you'd have to manually choose which MAC address to use, or point your antenna in a different direction before you could connect properly.
If you wanted to set up a rogue AP, you could probably get away with it in the corridors. Though you wouldn't be able to hack everyone, there were plenty of people hanging around outside the main halls checking emails etc.
But overall, it was a pretty cool c
Locating Rogue APs (Score:2)
Re: (Score:2)
Yes, there were a lot of "rogue" DHCP servers at LCA, although a better term might be misconfigured because I am almost certain it wasn't deliberate. But the story neglects to mention the reason. Attendees were invited to set up wireless access points because the accommodation didn't provide wireless. There were I guess 20 or 30 units, and I'd be surprised if every one of those units didn't have at least 1 AP set up by a community-minded resident. It is inevitable that some of those will have forgotten
Using public wireless without a VPN is pure folly (Score:2)
When I use a public wireless access point, my networking scripts immediately set up an OpenVPN tunnel and make that the default route. If you don't route all your traffic over a VPN when you use public wireless of any kind, you're asking for trouble.