Rogue wireless access points

Rogue wireless access points have been one of the big security concerns since the advent of WiFi. Security groups were concerned that employees were plugging a cheap (sorry, low cost) wireless access point into the corporate LAN. With such a device in place, anyone within radio range, including people outside the building, could reach the internal LAN over WiFi, bypassing whatever controls guarded the wired ports.

Security groups started looking for rogue access points using tools like AP-Finder, Kismet and NetStumbler. Sure enough, they started finding rogue access points… lots of them.
Why were these access points being installed? In interviews with corporate security groups, I discovered two main reasons for people setting up rogue access points:

  1. Provide network coverage to places that did not have a network jack, such as a conference room or lobby. Employees felt that this would make them more productive.
  2. Contractors would need to share files among themselves, so they would set up an access point for the group. Sometimes the access point was not connected to any wired network, but other times it was connected to the corporate LAN.

The most effective strategy in the past for controlling rogue access points has been to search for them using the tools mentioned above. Other control methods that were attempted but did not work very well were:

  1. Installing software on the laptop to prevent it from connecting to an unapproved wireless access point. This broke down as soon as a user legitimately needed a non-corporate wireless network while outside the office, and in any case it only restricted laptops running the agent: it did nothing to stop the rogue APs from being deployed, or from being used by any device without the agent.
  2. Searching the wired LAN for devices that appeared to be wireless APs. This technique was tried using MAC address (vendor OUI) identification and nmap fingerprinting of the IP addresses found while scanning the local network. While in principle this technique should help to identify rogue APs, in practice it turned out to be difficult. For one, MAC address identification is not effective across an internal router: a router forwards IP packets and rewrites the Ethernet frame, so the source MAC seen from another subnet is the router's own, not the AP's, and the vendor OUI is lost. The same issue undermined nmap's vendor identification, which relies on the MAC address of hosts on the local segment. A further problem is that a consumer AP in bridge mode is transparent at layer 2 and may have no management address on the subnet being scanned at all, so an IP scan never sees it. Ultimately, this solution has not proven to be very effective.

So, in order to effectively control the use or misuse of wireless within your premises, you will need to deploy sensors that monitor the wireless air space constantly. These sensors should report which access points are active (BSSID, SSID, channel and encryption), which of them are actually being used, i.e. have clients associated, and how each compares against the inventory of access points you have authorized. No other method seems to be as effective.
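As an added illustration of what the sensor data should be turned into (this is example code written for this page, not code from the original article or from any product named in it), the block below triages a batch of sensor observations against an authorized-AP inventory. Every identifier in it is constructed or assumed: the `Observation` fields, the `AUTHORIZED` inventory, the `CORP_CLIENTS` list of managed endpoint MACs, and the `NEIGHBOUR_RSSI_DBM` threshold used to discount a neighbouring tenant's APs. It goes slightly beyond the text by ranking the findings: an unknown radio advertising a corporate SSID, or one that corporate laptops have joined, is reported before an unknown AP that nobody is using.

```python
"""Triage of wireless-sensor observations against an authorized-AP inventory.

Added example; not code from the original article. The observation fields,
the inventory, the corporate client list and the signal threshold are all
constructed or assumed for illustration. A real deployment would fill them
from a WIDS/Kismet export, the WLAN controller and NAC or DHCP records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str            # radio MAC as beaconed by the AP
    ssid: str
    channel: int
    encryption: str       # "open", "wep", "wpa2", ...
    clients: frozenset    # station MACs seen associated to this BSSID
    signal_dbm: int       # strongest RSSI any sensor recorded for it


# Constructed inventory: authorized radio -> the SSID it is supposed to serve
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
    "00:11:22:33:44:03": "corp-guest",
}
CORP_SSIDS = set(AUTHORIZED.values())

# Constructed: MACs of managed corporate endpoints (from NAC/DHCP in practice)
CORP_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}

# Assumption: anything weaker than this is probably a neighbouring tenant's AP
NEIGHBOUR_RSSI_DBM = -80

SEVERITY = {"rogue": 0, "misconfigured": 1, "suspect": 2, "neighbour": 3, "authorized": 4}


def classify(obs, authorized=AUTHORIZED, corp_ssids=CORP_SSIDS,
             corp_clients=CORP_CLIENTS, neighbour_rssi=NEIGHBOUR_RSSI_DBM):
    """Return (verdict, reason) for a single observed BSSID."""
    bssid = obs.bssid.lower()
    clients = {c.lower() for c in obs.clients}

    if bssid in authorized:
        expected = authorized[bssid]
        if obs.ssid != expected:
            return "misconfigured", f"authorized radio serving {obs.ssid!r}, expected {expected!r}"
        return "authorized", "in inventory"

    # An unknown radio advertising one of our SSIDs: clients will happily join it
    if obs.ssid in corp_ssids:
        return "rogue", f"unknown BSSID advertising corporate SSID {obs.ssid!r}"

    # Managed endpoints associated to an unknown AP: staff are using it
    ours = clients & corp_clients
    if ours:
        return "rogue", f"{len(ours)} corporate client(s) associated, {obs.encryption}"

    # Signal strength separates our floor from the tenant next door (heuristic)
    if obs.signal_dbm < neighbour_rssi:
        return "neighbour", f"weak signal ({obs.signal_dbm} dBm), likely another tenant"

    if clients:
        return "rogue", f"unknown AP in use by {len(clients)} client(s), {obs.encryption}"
    return "suspect", f"unknown AP, strong signal ({obs.signal_dbm} dBm), no clients yet"


def triage(observations, **kw):
    """Classify every observation; worst verdicts first, then by BSSID."""
    rows = []
    for obs in observations:
        verdict, reason = classify(obs, **kw)
        rows.append((verdict, obs.bssid.lower(), obs.ssid, reason))
    return sorted(rows, key=lambda r: (SEVERITY[r[0]], r[1]))


# Constructed sensor output for one sweep; MACs are synthetic (locally administered)
SAMPLE = [
    Observation("00:11:22:33:44:01", "corp-wifi", 6, "wpa2", frozenset({"aa:bb:cc:00:00:01"}), -45),
    Observation("00:11:22:33:44:03", "corp-wifi", 11, "wpa2", frozenset(), -50),   # guest radio, wrong SSID
    Observation("02:ca:fe:00:00:01", "conference-room", 1, "open",
                frozenset({"aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}), -38),       # staff using an open AP
    Observation("02:ca:fe:00:00:02", "corp-wifi", 6, "wpa2", frozenset(), -55),    # unknown radio, our SSID
    Observation("02:ca:fe:00:00:03", "contractors", 3, "wpa2", frozenset({"12:34:56:78:9a:bc"}), -60),
    Observation("02:ca:fe:00:00:04", "NETGEAR-5G", 44, "wpa2", frozenset({"66:77:88:99:aa:bb"}), -88),
]

if __name__ == "__main__":
    for verdict, bssid, ssid, reason in triage(SAMPLE):
        print(f"{verdict:<13} {bssid}  {ssid:<16} {reason}")
```

A verdict of "rogue" still only says the radio is unauthorized and in use; whether it is plugged into the corporate LAN is a separate question that needs a walk to the device or a wired-side trace, which is exactly the step the sensors exist to make worthwhile.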

Forensics vs proprietary processes

Forensic processing must be able to stand up to inspection and challenge by the defense in a criminal prosecution. The use of “proprietary” techniques should be avoided, since a vendor may not allow its technique to be reviewed, and a result that cannot be reviewed cannot be defended.

Here is an example where a vendor allowed their proprietary processes, in particular their product source code, to be examined as part of a criminal trial. Let’s briefly look at the case of “State v Chun” (New Jersey). This case started off as a DWI (driving while intoxicated) case. Per the NJ statute, one of the criteria for conviction on the DWI charge is evidence that the suspect had a blood alcohol content (BAC) of 0.08 or higher. The evidence was produced by the prosecution via the Alcotest 7110 unit, a replacement for the traditional Breathalyzer.

During the trial, the defense challenged the validity of the BAC reading as reported by the Alcotest 7110. In support of their defense, they hired a company to perform a review of the source code used by the Alcotest 7110. (A copy of the source code analysis is here.) The source code analysis reported many flaws, but ultimately none that were fatal to the prosecution.

Had the vendor objected to the source code analysis, the usefulness of the Alcotest 7110 as evidence would have been put in jeopardy, in this case and in others.

What is the lesson here? If using a product for evidence collection, be sure that the vendor can explain how their product works, and will allow its processing to be examined when necessary.