Rogue Access Points: Still Here and Still a Threat
Recently Gartner released their WLAN Magic Quadrant for 2011. Not surprisingly, Cisco, Aruba, and Motorola were all rated as the leaders in this space. Not only do these companies have financial stability and support for R&D, they also have a strong commitment to WLAN security-some more so than others. But still these three organizations take WLAN security seriously. If you read through any of their security materials one of the first things they’ll mention is Rogue Access Point (AP) detection.
That’s right folks; rogue access points are still a legitimate concern for businesses. But it’s not just the organizations that need to be concerned; end-users need to understand that these are a legitimate threat to their personal data as well.
What are Rouge Access Points?
Businesses typically classify rogue access points in two categories. The first, and most serious, are the rogue AP’s that are plugged into the business network. Most organizations that are on the ball have a security policy that states no one should be plugging-in unauthorized access points. Hopefully this prevents users from bringing in an access point from home and setting it up in the conference room because of a shortage of data jacks. But there are those incidents, though rare, where someone gains access to the business floor and is able to plug in a rogue device. It could be someplace inconspicuous like the waiting area or even a conference or break room. You need to keep in mind that if you remove an AP from its shell, it’s not very big. They can even be concealed inside the data jack and powered over Ethernet.
Additionally, they’re not going to be broadcasting the SSID on the Rogue device and will limit connectivity during working hours as to not draw attention. If not detected and removed quickly enough, this can provide the hacker unfettered access to the corporate infrastructure. Diligent companies will have their servers locked down and segmented behind a firewall along with other security measures. What about the user workstations on that segment? How secure are they? They can be compromised for the data they hold, both personal and corporate. It’s extremely rare for us not to have some sort of personal data on our work computers. Additionally the computer can be used as a pivot point to gain access to those critical servers. Keep in mind that if someone has taken the risk to get an access point on the corporate network, they’ve probably done a significant amount of reconnaissance already. Part of this could have been to sit in a car or lobby and sniff wireless traffic in effort to gain credentials or other information about your network.
The other more interesting issue involves rogue access points that are not plugged into the network, but are close enough to cause problems. These are the ones that organizations have a vast amount of trouble dealing with because there is really nothing they can do about them. And if the company is in a major city, like New York, it’s a big headache as the entire city is blanketed by 802.11 networks.
As demonstrated by our friends at Wigle.net, just this two-block area of NYC has hundreds of WLANs. If your company is blocking Facebook or any other favorite sites, what’s stopping them from connecting to “FreePublicWiFi”, “Starbucks” or some other SSID that’s open and inviting? Or it might be an incidental connection. Many of these residential access points that you can purchase from Best Buy are set up to work right out of the box or with minimal configuration. Often people don’t think to change the SSID of the device. How many “Linksys” SSIDs do you still see today? Most people have their Wi-Fi settings configured to automatically connect to their home’s SSID whenever in range. So what do you think happens when that wireless card sees the home’s SSID when the user is at work? Now, if the user is plugged into the corporate network and connected to a rogue device at the same time, the computer is dual-homed. It’s essentially acting like an open bridge right into the network. Unknowingly, the user can be passing domain credentials and other nuggets of information that would help the hackers get deeper into the network.
Another bad guy trick that is still somewhat effective in heavily congested areas is to set up an access point (physically) close to the company and use their SSID on this device, but not have any security on it. This is typically the easiest to detect as the signal on this device is usually not as strong as the ones inside the company’s walls, as well as other detection criteria that I’ll discuss down the road.