What Is A Rogue AP? | GigMocha Defines
Since technology and the Internet have been all around us all the time, we have to take certain measures to keep ourselves safe while online. To achieve that, you need to know particular details that involve connecting to different networks and when it comes to this, you have probably heard people mentioning rogue access points. Therefore, what is a rogue access point and why is it bad?
A rogue access point (Rogue AP) refers to any wireless access point that has been installed on a network without any permission of the owner. This access point serves as a backdoor channel into the private network, enabling attacks, meaning that an attacker can own the AP and intercept data.
In this article, I will thoroughly explain the notion of a rogue access point and how harmful it can be. I will also discuss how they can be identified and in what way you can prevent them. Once you read my explanations, I believe you will have a clear image of rogue access points, and you will be prepared to protect yourself while using different wireless networks.
What Is A Rogue AP?
A rogue access point (Rogue AP) is a device that has been installed on the network without the authorization of the administrator. This access point could be installed by an employee of a company, or by an intruder, or could be set up by a nearby organization. Sometimes it can be difficult to detect whether an access point is rogue or not.
In the case, you suspect a certain access point is rogue, there are several reasons that can validate your suspicions.
- The SSID of the access point does not belong to your network, and it is not included on the permitted SSID list. The AP might not even broadcast an SSID, so you can check this by using the following methods:
- MSS CLI.
- Network Director.
- The access point is directly created between two client devices. This is called an ad-hoc point, meaning that it is rogue by default.
- The access point is masquerading one of your SSIDs, and these are usually rogue by default.
- The MAC address of the access point cannot be found in the ARP tables.
- Some features that refer to network management of the access point have been disabled. These features include Telnet, SNMP, or HTTP.
- The access point functions as a bridge.
- The access point in question has been listed on the list of rogue APs. This list is usually made by the administrator.
If an attacker owns the access point, they can use the data that is flowing on the network. In other words, the attacker can intercept the data that is used on a certain network. This means that rogue access points can undermine the security of a network used by a company and they can allow access to third parties.
The third parties do not always mean they are attackers or intruders. The access point can be installed by a naive user who does not intend any malicious actions or someone from the IT team has installed it for testing purposes or something similar.
However, whenever an access point has been installed on the network, it can include two types of interception. Interception of data can be passive or active.
In the case of passive interception, the rogue access point can read your data, but it cannot operate with it, or manipulate it. For instance, if you connect to a network with a rogue access point, that access point can read the passwords you include by typing over HTTP.
Furthermore, passive interception has the ability to collect the Internet footprint of the user. In other words, the access point can monitor your DNS requests and everything that you do on the Internet. This means that the access point makes a profile of your Internet behavior, which later can expose private information about the websites you use.
In an active interception, the rogue access point can manipulate the data in whichever way they want. This means that the rogue access point allows reading, modifying, or sending the user’s data to a certain endpoint or destination.
For instance, if a user uses online banking, and tries to make a deposit to a certain account, the rogue access point can redirect the transfer to another account. This is how most online thefts happen, and that is why it is not recommended to connect to any wireless network.
How To Prevent Rogue Access Points?
There are certain measures that you can do to ensure that rogue access points would not be installed on your network.
Firstly, you can establish some rules which will dictate that only authorized IT staff can connect to the network of the company. You can also change the rogue classification rules which will detect whenever an unknown device has connected. This will limit the access of the unknown device, and you can optionally isolate that user.
Furthermore, you can make a list of allowed SSIDs, and a list of users that are allowed to use the particular SSIDs. This way, these accesses will not be considered rogue, and you will not be falsely alarmed.
In addition, you can strengthen your security system on the network. For example, whenever a client wants to connect to a network, they will need to be authorized before they gain access and start using it. Similarly, the client will be asked to confirm the authenticity before using the network.
Lastly, you can use active scanning that will enable the detection of rogue access points. Active scans send probes with a null SSID name and that way scans whether a rogue access point has been installed on the network.
Staying safe on the Internet is of crucial importance, therefore you need to be careful how much and in what way your data is exposed. This means that you have to think twice before connecting your devices to free wireless hotspots in public locations, and if you see something suspicious you should notify the owner of the network.