TY - JOUR
T1 - Catch me if you can
T2 - Rogue access point detection using intentional channel interference
AU - Jang, Rhongho
AU - Kang, Jeonil
AU - Mohaisen, Aziz
AU - Nyang, Daehun
N1 - Funding Information:
This work was supported by the Global Research Lab. (GRL) Program of the National Research Foundation (NRF) funded by the Ministry of Science, Information, and Communication Technologies (ICT) and Future Planning (NRF-2016K1A1A2912757). A preliminary version of this work has appeared in IEEE ICDCS 2017 [1].
Publisher Copyright:
© 2002-2012 IEEE.
PY - 2020/5/1
Y1 - 2020/5/1
N2 - In this paper, we introduce a powerful hardware-based rogue access point (PrAP), which can relay back and forth traffic between a legitimate AP and a wireless station, and act as a man-in-the-middle attacker. Our PrAP is built of two dedicated wireless routers interconnected physically, and can relay traffic rapidly between a station and a legitimate AP. Through experiments, we demonstrate that the state-of-the-art time-based rogue AP (rAP) detectors cannot detect our PrAP, although perhaps effective against software-based rAP. In demonstrating that, we unveil new insight into fundamentals of time-based detectors for software-based rAPs and their operation: such techniques are only capable of detecting rAPs due to the speed of wireless AP bridging. To address the threat of such PrAPs, we propose a new tool for network administrators, a PrAP-Hunter based on intentional channel interference. Our PrAP-Hunter is highly accurate, even under heavy traffic scenarios. Using a high-performance (desktop) and low-performance (mobile phone) experimental setups of our PrAP-Hunter in various deployment scenarios, we demonstrate close to 100 percent of detection rate, compared to 60 percent detection rate by the state-of-the-art. We show that our PrAP-Hunter is fast (takes 5-10 seconds), does not require any prior knowledge, and can be deployed in the wild by real-world experiments at 10 coffee shops.
AB - In this paper, we introduce a powerful hardware-based rogue access point (PrAP), which can relay back and forth traffic between a legitimate AP and a wireless station, and act as a man-in-the-middle attacker. Our PrAP is built of two dedicated wireless routers interconnected physically, and can relay traffic rapidly between a station and a legitimate AP. Through experiments, we demonstrate that the state-of-the-art time-based rogue AP (rAP) detectors cannot detect our PrAP, although perhaps effective against software-based rAP. In demonstrating that, we unveil new insight into fundamentals of time-based detectors for software-based rAPs and their operation: such techniques are only capable of detecting rAPs due to the speed of wireless AP bridging. To address the threat of such PrAPs, we propose a new tool for network administrators, a PrAP-Hunter based on intentional channel interference. Our PrAP-Hunter is highly accurate, even under heavy traffic scenarios. Using a high-performance (desktop) and low-performance (mobile phone) experimental setups of our PrAP-Hunter in various deployment scenarios, we demonstrate close to 100 percent of detection rate, compared to 60 percent detection rate by the state-of-the-art. We show that our PrAP-Hunter is fast (takes 5-10 seconds), does not require any prior knowledge, and can be deployed in the wild by real-world experiments at 10 coffee shops.
KW - Channel interference
KW - Ieee 802.11n
KW - Intrusion detection
KW - Rogue ap
KW - Wireless lan
UR - http://www.scopus.com/inward/record.url?scp=85082046622&partnerID=8YFLogxK
U2 - 10.1109/TMC.2019.2903052
DO - 10.1109/TMC.2019.2903052
M3 - Article
AN - SCOPUS:85082046622
SN - 1536-1233
VL - 19
SP - 1056
EP - 1071
JO - IEEE Transactions on Mobile Computing
JF - IEEE Transactions on Mobile Computing
IS - 5
M1 - 8658163
ER -