WiFi exploit via duplicated SSID

I read a discussion on this potential exploit on another forum. Unfortunately, that discussion descended into silliness (lame jokes).

So here it is: I am running a wireless network. Some rogue finds my SSID and uses the same SSID himself, on his WiFi server. One of my WiFi clients (a notebook computer, say) connects to the rogue network instead of my own network, because the SSIDs are identical. The rogue WiFi server can now observe all my data.

Is this possible? I use WPA2 with pre-shared key. Can the rogue WiFi server read my WPA2 password, along with all my network traffic?

Reply to
David Arnstein

snipped-for-privacy@panix.com (David Arnstein) hath wroth:

That's ok as long as they didn't borrow some of my lame jokes.

That's NOT possible unless the evil hacker also has the WPA2 key. There's no way he can "join" your networks without it. Even if he simulates your access point in order to sniff key exchanges and authentication attempts, these are hashed and encrypted, making decryption unlikely.

Reply to
Jeff Liebermann

but the related question: If he sets up a base station with the same SSID as the legit folk, and some of the laptops connect to it, can't he then sniff out any unencrypted traffic?

thanks

Reply to
danny burstein

danny burstein hath wroth:

Yes, unfortunately. The laptop can also be attacked directly. Susceptibility to duplicated SSID exploits (rogue AP) varies with the client manager.

Note: I'm not 100.0% sure of the following. I'll need to retest to be sure.

Let's pretend that the user has set up their laptop to connect to their own system SSID using WPA2 encryption. You would expect Windoze Wireless Zero Config to remember this "profile" and always connect using WPA2. Nope. If for some reason, the rogue access point has a better signal, Windoze will try to connect to the rogue access point (with the same SSID) first. It will then decide that the encryption method has changed and offer a warning that you're connecting to an unsecured access point. Most users will see the message, click "OK", and connect merrily to the rogue access point. Windoze Wireless Zero Config will then change the saved "profile" to be unencrypted on the assumption that the owner has changed their method of encryption. If they want to connect again to the real access point, they get to tediously key in the WPA key (twice) from scratch. If you mysteriously find yourself keying in the WPA key from scratch for no obvious reason, it's because there's probably another access point out there with no encryption and a duplicated SSID.

If there are duplicated SSIDs, there's also no indication as to which access point is being used, as Windoze WZC does not display the MAC address. Once connected to the rogue access point, the user checks their email and unless it's encrypted or encapsulated in a VPN tunnel, it's all sniffable. If they're running open shares or no firewall, they can be attacked directly. It's happened to a customer that went to a hotel and connected to the wrong AP.

At least that's the way I remember it working when I last tried it about a year ago. I'll try it again when I have a chance.

In the meantime, find a connection manager that will display the MAC address clearly, and offer separate connections for each different MAC address even if the SSID is the same. So far, I've found the following that will do this:

and possibly the Buffalo Client Manager 3 (not sure yet):

Incidentally, this CM3 claims to be able to support non-Buffalo products which should be very useful.

There are probably others, but I haven't bothered to do any testing.

If your client manager or connection manager will show a list of available networks, with one line for each access point even if they have the same SSID, you can then distinguish between access points. If it does that, it can also do the same in separate profiles.

Reply to
Jeff Liebermann

With Mac OS 9 there were some programs which gave you detailed info about the base stations in your "view", and let you manually choose between the five different ones that said "Linksys" as their SSID.

I've yet to find one for OS X. (I've found "istumbler" which shows the info but doesn't offer the clickthrough).

Anyone know of one? Thanks.

Reply to
danny burstein

"Join" is the first button in iStumbler's default toolbar and the first command in its "AirPort" menu. The keyboard shortcut is Command + Shift + J.

Reply to
Neill Massello

Wow, I can't believe that WZC is that stupid. (Actually I can.)

Why do people continue to use that crap and not just use the client that came with their hardware?

I just temporarily disabled WPA2 on my WLAN SSID to see if DLink's client would connect to it with the profile still set to use WPA2. It wouldn't...

Reply to
Eric

Please excuse the loud sound as I thwack my forehead.

"Duh".

Thanks.

Reply to
danny burstein

Hi!

Put Intel's PROSet/Wireless (v 10.5.2.0, although I seem to remember previous versions offering this as well) on your list. It's not right on the front page, but if you click on an available Wireless Access Point that shows up in the list of detected networks, you can then click the "Properties" button to see the AP's MAC address.

William

Reply to
William R. Walsh

If the WPA2 is using something like a public key encryption method, it is still impossible for attackers to obtain the WPA2 passphrase using the key swapped in the air traffic; to understand this, please read:


Reply to
Bin Chen

I'm running XP Pro, and am unable to duplicate this. I turned off encryption in the router, then powered everything down. Then powered up everything. My laptop (still set for WPA) would not connect to the router.

Reply to
Peabody

I think you need to retest. If you change the encryption method on your WAP, you typically have to delete the existing SSID from Wireless Zero Config, and then reconnect.

That is certainly the case for me switching between none and WEP-64 and back.

Reply to
dold

I could be mistaken, but I thought the DLink client displayed a different signal strength bar, but still used WZC for management.

Reply to
dold

snipped-for-privacy@99.usenet.us.com hath wroth:

I agree. Like I mumbled, I'm not 100% sure and it was about a year ago when I tried it last.

However, none of the tests are what I was doing. I didn't change the encryption setting on a single access point. As I recall, I added a 2nd access point, with the exact same SSID, but no encryption. I believe I had to select "Connect to any available network" in WZC. When I did a scan for available networks, it would sometimes list the unencrypted access point, not the encrypted one, as indicated by the lock icon. If I then hit connect, it would clobber the saved settings for the encrypted version. Remember, we're testing to see if a WZC client can be fooled into connecting to the wrong access point with the same SSID but no encryption.

I'll retest later today as I don't have my laptop or a spare access point at home. If not, I'll be in my office tomorrow, maybe.

If that's true, then I might be wrong. I just hate it when that happens.

Incidentally, I blundered across these different auto connection modes for Intel Proset. See:

under "Auto Connect" settings:

- Connect to available network using profiles only
- Connect to any available network if no matching profile is found
- Connect to any network based on profiles only (Cisco* mode)

If the profile includes the MAC address of the access point, it's a good way to prevent connecting to the wrong access point. If it doesn't, it's useless.

Reply to
Jeff Liebermann

Jeff Liebermann hath wroth:

I retrieved my laptop, bought a WRT54G v2.0 at a local thrift shop for $10, flashed it with DD-WRT v23 SP3 2007/07/20 VPN firmware, and merrily started testing.

I have two wireless routers. WRT54GS v4 with encryption off. WRT54G v2.0 with WPA-PSK(TKIP) encryption. Both are running DD-WRT. I'm using an HP ze2000 laptop, with a Broadcom something MiniPCI card using XP SP2 Wireless Zero Config. Both wireless routers are set to the same channel and the same SSID. The WRT54GS is the main router for our neighborhood LAN and has a very strong signal around my house. The other WRT54G (with WPA) is fairly portable and is being moved around the house to vary the signal strength.

To start, I deleted all saved profiles (preferred networks) from WZC on the laptop. The WRT54G with the WPA encryption is located fairly close to the laptop. Refreshing the network list always shows an encrypted network, which means it's correctly connecting to the proper (encrypted) router.

However, when I remove the antennas from the WRT54G with the WPA encryption, and reduce the signal level substantially, refreshing the network list shows the unencrypted router. Apparently, if there's no saved encrypted entry in the preferred network list, WZC will take the strongest signal. I tinkered with the tx power output on both units until the signal level was the same. Even a slight change (3dB) would cause the stronger signal to get recognized. Therefore, WZC does NOT automatically prefer an encrypted network over an unencrypted network with the same SSID.

Next, I connected to the WRT54G with WPA encryption, and saved the network in the preferred networks. WZC would automatically connect to the WPA encrypted router, even if the signal strength was far lower than that of the unencrypted router. This is good.

I then did a manual disconnect, which WZC considers to be some kind of invitation to not reconnect automatically. Once again, WZC would connect to the strongest signal, instead of the encrypted router.

If you have your WZC connection settings saved as a "preferred network", and you're set to automatically connect, then you're probably safe from a rogue access point without encryption.

If you are set to manually connect and/or do not have the setting saved, WZC will prefer the strongest signal, ignoring the encryption status. This will make it very easy to fool users into connecting to the wrong access point.

Meanwhile, your best defense against AP spoofing is to find a connection manager that either displays the MAC address of the access point, or offers independent connections for each MAC address associated with a given SSID.

I'll leave things set up for a few hours in case anyone has any other tests they would like me to run. Meanwhile, I'll be playing with Buffalo Client Manager 3 to see if it offers any improvements.

Reply to
Jeff Liebermann
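
The two-router test above shows WZC choosing by signal strength and hiding the AP's MAC address. The following is an added example, not code from the thread or any of the client managers it names: it takes a scan list (constructed sample data, modelled on the test's trusted WPA router plus an open router with the same SSID), pins each saved SSID to the BSSID(s) the user trusts, flags any duplicated-SSID AP that is not pinned or that is open beside a secured twin, and only ever selects a pinned BSSID to join. The `AccessPoint` fields, the `TRUSTED` mapping and the security labels are assumptions for illustration.

```python
"""Flag duplicated-SSID (rogue AP) entries in a Wi-Fi scan and pick a safe AP."""
from dataclasses import dataclass


@dataclass
class AccessPoint:
    ssid: str
    bssid: str        # the AP's MAC address, which WZC does not display
    security: str     # constructed labels: "open", "WEP", "WPA-PSK", "WPA2-PSK"
    signal_dbm: int   # higher (closer to 0) is stronger


# Constructed sample scan: trusted WPA-PSK router with a weaker signal,
# plus an open router broadcasting the same SSID with a stronger signal.
SAMPLE_SCAN = [
    AccessPoint("neighborhood", "00:11:22:aa:bb:01", "WPA-PSK", -70),
    AccessPoint("neighborhood", "00:11:22:aa:bb:02", "open", -45),
    AccessPoint("coffee", "00:11:22:aa:bb:03", "open", -60),
]

# Saved profiles pin the SSID to the BSSID(s) the user actually trusts,
# i.e. "the profile includes the MAC address of the access point".
TRUSTED = {"neighborhood": {"00:11:22:aa:bb:01"}}


def find_rogue_aps(scan, trusted):
    """Return warning strings for APs that duplicate a known SSID."""
    warnings = []
    by_ssid = {}
    for ap in scan:
        by_ssid.setdefault(ap.ssid, []).append(ap)
    for ssid, aps in by_ssid.items():
        known = trusted.get(ssid)
        securities = {ap.security for ap in aps}
        for ap in aps:
            if known is not None and ap.bssid not in known:
                # Same SSID as a saved profile but a MAC we never trusted.
                warnings.append(f"{ssid}: untrusted BSSID {ap.bssid} "
                                f"({ap.security}, {ap.signal_dbm} dBm)")
            elif known is None and len(securities) > 1 and ap.security == "open":
                # No profile, but an open AP sits beside a secured twin.
                warnings.append(f"{ssid}: open AP {ap.bssid} alongside "
                                f"secured AP(s) with the same SSID")
    return warnings


def pick_ap(scan, trusted, ssid):
    """Join only a pinned BSSID; strongest signal among those, never overall."""
    pinned = trusted.get(ssid, set())
    candidates = [ap for ap in scan if ap.ssid == ssid and ap.bssid in pinned]
    return max(candidates, key=lambda ap: ap.signal_dbm) if candidates else None
```

With the sample data the open, stronger "neighborhood" AP is reported and the weaker pinned WPA router is the one selected, which is the opposite of what WZC did in the test.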

Damn. Wish I had a thrift shop like that around here.

Reply to
Warren Oates

I'm really confused. What do you mean by "set to manually connect"? I have my laptop set up with my router as the only preferred connection, and it automatically connects to it when powered up. But I do NOT have "Connect to any network" checked. So, if I'm away from my router, my laptop won't connect to anything unless I tell it to. And if I'm near my router, but have encryption turned off in it, then the laptop still won't connect.

In what way is your laptop configured differently? Also, is there a way, with one laptop and one router, to duplicate the results you are getting?

Reply to
Peabody

Warren Oates hath wroth:

Mountain Thrift in Ben Lomond, California. Weds, Sat and Sun are half off days.

This is from about 2 years ago. The electronics and junk are in another section not visible in the photo. They don't get much decent electronics. However, there are plenty of DSL modems and routers from people that move out of the area and leave their junk behind. I've picked up quite a bit of really nice electronics for next to nothing. There are several other thrift shops in the area, but they don't take some electronics because of the high DOA and return rates. Just TV's and radios because they are easy to test.

Reply to
Jeff Liebermann

Peabody hath wroth:

When you use WZC to set up a new connection, it will default to "connect automatically". Once connected, when you hit "Disconnect", WZC stupidly thinks that this is an invitation to set the profile to "connect manually". It will show either "Automatic" or "Manual" in the WZC box for the particular SSID. You can also change this setting in the properties for the connection.

That's the default and normal method. I set it to "Manual" so that it did NOT try to automatically connect. I wanted to see what would be displayed when I hit "Refresh Network List". It can't do that properly if it were already connected. Note that my test procedure is simply a method of determining how WZC responds to duplicated SSIDs and should not be considered a recommendation that you set up your computer in a similar manner. If you like automatic connections, leave it that way.

You're making the same mistake that several people have done trying to simulate the problem. The original question was how does WZC respond to multiple access points, with identical SSIDs, where the real AP is encrypted, and the rogue access point is not encrypted. I've demonstrated that under some conditions, it is possible to fool the user into connecting to the wrong AP. What others have incorrectly done is assume that this can be simulated with a single wireless AP by simply changing the encryption settings. That's a good test to see how WZC responds to a change in the saved profile, but is not very useful for answering the original question, which requires two APs.

Actually, it's totally weird and has quite a few shims tossed into the IP stack. However, for this test, I saved everything with Netswitcher:

and then removed all the VPN's, traffic monitors, security filters, sniffers, and multiple wireless/ethernet drivers. It's all very simple and fairly stock for this test.

No. That was the point of my testing. It requires two routers. One to simulate a "rogue" access point and the other for the "real" access point. Also note that I tried to make the two access points as identical as possible. I have no idea what might happen if they were different chipsets, with different timing.

Reply to
Jeff Liebermann

That's what I meant. Our local thrift shops (2) won't take any computer stuff at all, or any electronics that they don't understand what they do.

Reply to
Warren Oates
