Slashdot Mirror


Fighting Rogue Access Points At linux.conf.au

An anonymous reader writes "Last week's linux.conf.au saw the return of the rogue access points. These are Wi-Fi access points which bear the same SSID as official conference hotspots. Often it might be a simple mistake, but sometimes it's more nefarious. To combat the attacks this year, conference organisers installed a Linux-based Wi-Fi 'intrusion prevention and detection system' supplied by sponsor Xirrus." At most conferences I've been to, I'd be grateful just to be able to get on any access point.
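
The kind of check such a detection system performs on beacons carrying the official SSID, as an added example that is not part of the original story or of any vendor's product. The SSID, BSSIDs and inventory are constructed, and it assumes the organisers keep a fixed channel and security setting per radio.

```python
# Added example: flag access points that advertise the official SSID but
# do not match the organisers' inventory. All values below are constructed.
from dataclasses import dataclass

OFFICIAL_SSID = "conf-wifi"  # assumed SSID, not taken from the article

# Assumed inventory of official radios: BSSID -> (channel, security)
INVENTORY = {
    "02:00:00:aa:00:01": (1, "WPA2-Enterprise"),
    "02:00:00:aa:00:02": (6, "WPA2-Enterprise"),
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str

def classify(beacon: Beacon) -> str:
    """Return 'other', 'authorized', 'rogue' or 'suspected-clone'."""
    if beacon.ssid != OFFICIAL_SSID:
        return "other"  # not claiming to be the conference network
    expected = INVENTORY.get(beacon.bssid.lower())
    if expected is None:
        return "rogue"  # official SSID from a radio nobody registered
    if expected != (beacon.channel, beacon.security):
        return "suspected-clone"  # known BSSID, wrong channel or security
    return "authorized"

def triage(scan):
    """Return deduplicated (bssid, verdict) pairs needing attention, in scan order."""
    seen, alerts = set(), []
    for beacon in scan:
        verdict = classify(beacon)
        key = (beacon.bssid.lower(), verdict)
        if verdict in ("rogue", "suspected-clone") and key not in seen:
            seen.add(key)
            alerts.append(key)
    return alerts

SCAN = [  # constructed scan results
    Beacon("conf-wifi", "02:00:00:AA:00:01", 1, "WPA2-Enterprise"),
    Beacon("conf-wifi", "02:00:00:bb:00:09", 11, "Open"),
    Beacon("conf-wifi", "02:00:00:aa:00:02", 6, "Open"),
    Beacon("hotel-guest", "02:00:00:cc:00:03", 6, "Open"),
    Beacon("conf-wifi", "02:00:00:bb:00:09", 11, "Open"),
]

if __name__ == "__main__":
    for bssid, verdict in triage(SCAN):
        print(verdict, bssid)
```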

23 of 80 comments

  1. Cisco by Bios_Hakr · · Score: 2, Informative

    At a recent event, we utilized Cisco's Wireless Access Controller. We are an all-Cisco house, so it was an easy choice.

    http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html

    --
    I'd rather you do it wrong, than for me to have to do it at all.
    1. Re:Cisco by mindcandy · · Score: 5, Informative

      Cisco's WLSE has APs dedicated to TDOA and cleanair .. you can upload a CAD drawing of the building and pinpoint where exactly your TDOA aps are at and it will show you exactly where (on a virtual drawing) the rogue AP or client is.

    2. Re:Cisco by Christopher B. Linn · · Score: 2, Informative

      Full Disclaimer: I work as a software engineer at Cisco in our San Jose headquarters, and I must also say that this product does exactly what the submitter needs.

    3. Re:Cisco by Lumpy · · Score: 2

      And can be thrown off with a directional antenna.

      They are not accurate but highly approximate and if I put the "center" of my signal 4 rooms away it will not show my location.

      --
      Do not look at laser with remaining good eye.
    4. Re:Cisco by mindcandy · · Score: 2

      Here's a tip (and I work on a campus with thousands of these, btw)

      When we go looking for miscreants, the guy with the Yagi (or pringles can, or patch antenna, or anything that isn't a regular laptop without external cabling) sticks out pretty clearly.

  2. I've always got an access point on me by Skarecrow77 · · Score: 4, Informative

    android phone + cyanogenmod + grandfathered verizon unlimited data plan = "it may not be perfect, but it gets the job done and it is still way better than the dialup connection I used back in the day."

    unless I'm in some building shielded with sandwiched lead sheets or something. in which case, hell, screw it, time to read an ebook.

    1. Re:I've always got an access point on me by Skarecrow77 · · Score: 2

      your country is more awesome than the usa.

      here, our telcos sell us devices that we're locked out of by default, with features that are built into the operating system disabled, so that we can pay the telco stupid amounts of money to turn back on.

      or we just say "screw the warranty, I own this device, I'm going to do with it what I damn well please" and flash a cleaned-up rooted version of the OS on it.

    2. Re:I've always got an access point on me by Skarecrow77 · · Score: 3, Insightful

      depends on what criteria you're talking about.

      If it's internet access, yeah most of europe and a good portion of asia kicks our ass.

      if it's access to junk food, guns, or street drugs... hard to beat the USA.

  3. Public key signed SSID names? by vlm · · Score: 3, Insightful

    Note for next revision of the protocol... public key signed SSID names. Or SSL certed SSIDs

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Public key signed SSID names? by Anonymous Coward · · Score: 2

      It's happening (kinda).

      Take a look at 802.11u.

    2. Re:Public key signed SSID names? by Anonymous Coward · · Score: 2

      Where do you get the public key? Why is that source more trusted than the source of the SSID?

    3. Re:Public key signed SSID names? by vlm · · Score: 2

      Where do you get the public key? Why is that source more trusted than the source of the SSID?

      There was a fad a couple years back of handing out little circuit boards with "stuff" on them at cons. I could see the next HOPE conference handing out ID necklaces with a little cheap USB flash drive as the "I paid my entrance fee" physical token.

      At work it's simpler, you preload your standard system image with the key.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Public key signed SSID names? by fuzzyfuzzyfungus · · Score: 2

      Already done; but not really designed for the 'open' deployment scenario:

      WPA2 (if you flip the switch to "enterprise", this is exactly the sort of hassle that gets left out in order for things to Just Work and not get returned to the store by frustrated Joe User) adds 802.1X authentication, which includes validation of the authentication server's certificate.

      Trouble is, all that stuff is basically aimed at a big serious corporate deployment, where everybody has a username and password and things are configured by IT, and so on. There isn't, to the best of my knowledge, any terribly elegant way of setting up your basic "bunch of more or less open APs that also have verifiable SSIDs". VPN to trusted offsite host and trust no one!

  4. This is a growing problem everywhere .... by King_TJ · · Score: 3, Insightful

    As wi-fi becomes a mainstream Internet on-ramp when you're out and about, I think the rogue AP issue needs to be addressed FAR better than it is today. As the story's submitter said, tech. conferences might be the least of the problem since most of the time, you've got a massive flood of wi-fi usage attempts concentrated under one roof at such things. The tech-savvy will already plan on other forms of connectivity (such as 3G or 4G cellular). Plus, the vast majority of conference-goers are trying to send photos, video or blog entries of the happenings ... not taking out time to do their online banking, shopping or what-not. So rogue sites trying to scrape for data are less likely to capture anything really useful.

    My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut. I can advise them that certain companies contract to provide thousands of APs for chain restaurants, and typically have an AP identifying themselves as such. (You'll often see an SSID of "wayport" at a McDonalds for example.) But beyond that, the average laptop or smartphone user really doesn't even think about someone spoofing a legitimate-looking SSID. I've even run across such things as multiple SSIDs showing up with no password at our airport, where I knew at least 1 or 2 of them were fakes. (One had an SSID of "airport wifi", as I recall, when I know our airport only provides wifi in the terminal waiting area via AT&T - who would NOT name it anything like that.)

    1. Re:This is a growing problem everywhere .... by Hatta · · Score: 4, Insightful

      My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?" ... and I'm realizing the answer isn't very clear-cut.

      The answer is very clear cut. All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

      --
      Give me Classic Slashdot or give me death!
    2. Re:This is a growing problem everywhere .... by fuzzyfuzzyfungus · · Score: 2

      Arguably, trying to solve this problem at the AP level is something of a fool's errand. There are easily thousands upon thousands of entities running non-malicious access points, many of which the user would have not the slightest reason to be able to judge the legitimacy of (Hotel Chain A might entirely plausibly hire ObscurePoint Access LLC to run their wifi, so name recognition won't help you much, and SSL won't be too useful because, even when it works, that only helps prevent spoofing of a name, it doesn't attest to behavior).

      It seems like you'd be much better off assuming that APs simply cannot be trusted to any significant degree and working on the problem of how best to make establishing a secure channel over an untrusted AP as easy as possible (for less paranoid users, common services moving to encryption by default will at least protect the content of the communication, though not the origin and destination, more serious users will need a full tunnel to somewhere more trusted).

      One perhaps useful point of attack might actually be at the users' own home AP... Your contemporary router/access point is a fairly punchy little machine, by historical standards. Easily enough to function as a VPN endpoint for a few remote systems not moving too much traffic. It would be nice to see some sort of dead-simple VPN configuration mechanism built into a consumer router out of the box. Something like the following: router has a USB port on the front. User inserts a USB drive, presses the "Create VPN key" button. Router dumps a text file onto the USB drive containing a private key, and information about its dynamic DNS hostname, supported VPN protocols, etc. User pulls the drive, plugs it into their computer, computer's network connection wizard widget ingests the file, configures itself to establish a VPN connection to the router. Should a key be compromised or system stolen, the matching public key could be purged from the authentication list.

      The question of whether you are at risk out and about (yes, yes you probably are) would be much less salient if making yourself 'eh, about as safe as at home' were very much easier...

    3. Re:This is a growing problem everywhere .... by MagicM · · Score: 2

      How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?

      It's always safe to connect. It's what you do once connected that matters.

      Unfortunately devices now do so many things automatically that you can easily get in trouble without knowing it. Auto-poll for new Email/Twitter/Facebook/AppStore content? You'd better hope that polling uses a complete and robust SSL implementation.

      Depending on your definition of "safe", even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.

    4. Re:This is a growing problem everywhere .... by Hatta · · Score: 2

      If you can't run your own VPN, buy one. I can't recommend a provider, because I run my own.

      --
      Give me Classic Slashdot or give me death!
  5. Or... by betterunixthanunix · · Score: 3, Informative

    Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.

    --
    Palm trees and 8
  6. Any access point? by DarkOx · · Score: 2

    At most conferences I've been to, I'd be grateful just to be able to get on any access point.

    I hope you have a ssh thumbprint to verify of any hosts you plan to connect directly to, and tunnel everything else!

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
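
The host key check that the two comments above rely on, as an added example that is not part of either post: it computes the OpenSSH-style SHA256 fingerprint of the key a server presents and compares it with one noted beforehand over a trusted channel. The keys are constructed test values and the function names are illustrative.

```python
# Added example: check a server's SSH host key against a fingerprint noted
# in advance over a trusted channel. Keys below are constructed test values.
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob>'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob itself starts with the key type; reject lines where they disagree.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_ok(presented_line: str, pinned_fingerprint: str) -> bool:
    """True only if the presented key hashes to the pinned fingerprint."""
    try:
        actual = fingerprint(presented_line)
    except ValueError:  # malformed key line: treat as a failed check
        return False
    return hmac.compare_digest(actual, pinned_fingerprint)

def make_ed25519_line(raw_key: bytes) -> str:
    """Build a public-key line from 32 raw bytes (helper for constructed keys)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

HOME_SERVER = make_ed25519_line(bytes(range(32)))   # constructed key
IMPOSTER = make_ed25519_line(bytes(range(1, 33)))   # constructed key
PINNED = fingerprint(HOME_SERVER)  # the value written down before travelling

if __name__ == "__main__":
    print(PINNED)
    print("home server:", host_key_ok(HOME_SERVER, PINNED))
    print("imposter:   ", host_key_ok(IMPOSTER, PINNED))
```

`ssh-keygen -lf` prints a fingerprint in this format for a key file, and running `ssh` with `-o StrictHostKeyChecking=yes` makes the client refuse a host whose key is not already in `known_hosts`.
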
  7. Airespace had this, Cisco nerfed it. by sethstorm · · Score: 2

    Airespace had something where you could actively "discourage" or otherwise overwhelm the rogue AP within a defined area. Now that Cisco took over, it's just a "spot the rogue, hope you're right" type of deal.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  8. Re:Cisco *cha-ching* by mindcandy · · Score: 2

    Clearly A/C has never had to do an enterprise deployment.

    The reason for going "all $vendor" (be it Cisco or Microsoft) is because our business is not about finding the absolute lowest line-item cost for every piece of IT gear.

    Our business is doing something ELSE, and IT is just in support of that.

    Could Cisco's technology be replicated with a bunch of WRT54GLs and a room full of grad students? .. probably, but who's going to support that long term?

    Trust me, the "fun" of making two random things work together wanes real fast when you've got a job to do.

  9. Re:Cisco *cha-ching* by asdf7890 · · Score: 2

    Clearly A/C has never had to do an enterprise deployment.

    Clearly you have misread A/C's point.

    He wasn't (unless my understanding is wrong, of course) commenting on the expense of the equipment, he was commenting on the fact that the parent post looked like a very amateur paid shill. A worthwhile informative post would not have simply stated "we use this stuff, here go look at this link", it would explain how that equipment was pertinent to the article at hand. Perhaps it makes solving the problem easier in some way, if so he could have stated that rather than just getting the link in as fast as possible to try to get it as close to the top of the post list as possible - just slapping "cisco cisco cisco link cisco" in a post is essentially spam.