Catch me if you can: Rogue access point detection using intentional channel interference

In this paper, we introduce a powerful hardware-based rogue access point (PrAP), which can relay back and forth traffic between a legitimate AP and a wireless station, and act as a man-in-the-middle attacker. Our PrAP is built of two dedicated wireless routers interconnected physically, and can relay traffic rapidly between a station and a legitimate AP. Through experiments, we demonstrate that the state-of-the-art time-based rogue AP (rAP) detectors cannot detect our PrAP, although perhaps effective against software-based rAP. In demonstrating that, we unveil new insight into fundamentals of time-based detectors for software-based rAPs and their operation: such techniques are only capable of detecting rAPs due to the speed of wireless AP bridging. To address the threat of such PrAPs, we propose a new tool for network administrators, a PrAP-Hunter based on intentional channel interference. Our PrAP-Hunter is highly accurate, even under heavy traffic scenarios. Using a high-performance (desktop) and low-performance (mobile phone) experimental setups of our PrAP-Hunter in various deployment scenarios, we demonstrate close to 100 percent of detection rate, compared to 60 percent detection rate by the state-of-the-art. We show that our PrAP-Hunter is fast (takes 5-10 seconds), does not require any prior knowledge, and can be deployed in the wild by real-world experiments at 10 coffee shops.