Rogue Access Points

We know how important it is to keep your network safe, and we want to help you do that. That's why we've put together this guide to unauthorized and rogue access points as well as client devices.

You'll learn all about rogue vs. unauthorized APs, rogue and unauthorized clients, and how to mitigate security risks. This guide also touches on PCI DSS compliance and will show you how to physically locate a rogue AP. 

What is a Rogue AP?

A rogue access point is an unauthorized AP that is attached to your authorized network infrastructure. Unlike an unauthorized AP that merely operates in your airspace, a rogue AP poses a greater threat because it is connected to your network. Once the AP is connected to the network, malicious users can gain access to the wired infrastructure through the air. Check out our detailed blog post on the basics of rogue APs and clients.

Unauthorized AP

An unauthorized access point is an AP that has been seen operating in your airspace but has not been authorized to do so. Unauthorized APs can be neighboring devices or APs set up by outside users for malicious attacks. An unauthorized AP is considered rogue once it has successfully connected to your authorized network infrastructure.

Unauthorized and Rogue Clients

In the same security risk realm as rogue APs, an unauthorized client is a wireless device that has not connected to the network or been approved for use. Unauthorized clients are often found in environments without policies in place or equipment to detect wireless activity.

A rogue client is an unauthorized client device that has been found communicating with and accessing an authorized network. Rogue clients are considered a serious security risk since malicious users can connect them to a network from inside or outside the enterprise.

Neighboring APs and Accidental Association

An accidental association occurs when an unauthorized device connects to an unauthorized AP because the wireless device is configured to search for and join any other network it can find. Accidental associations can be either malicious or non-malicious, but both are security concerns. A neighboring access point is an AP that is physically outside the enterprise perimeter but still transmits into your airspace. Neighboring APs are commonly found in multi-tenant buildings and pose little to no security risk.

Rogue AP Detection - PCI DSS Compliance

The Payment Card Industry Data Security Standard 4.0 Requirement 11.2 specifically states that wireless access points are to be identified and monitored, and unauthorized access points are to be addressed. Requirement 11.2.1 states that authorized and unauthorized wireless access points are managed as follows:

  • The presence of wireless (Wi-Fi) access points is tested for.
  • All authorized and unauthorized wireless access points are detected and identified.
  • Testing, detection, and identification occur at least once every three months.
  • If automated monitoring is used, personnel are notified via generated alerts.

More information from PCI DSS 4 Requirement 11.2.1:

Purpose: Implementation and/or exploitation of wireless technology within a network are common paths for malicious users to gain unauthorized access to the network and cardholder data.

Unauthorized wireless devices could be hidden within or attached to a computer or other system component. These devices could also be attached directly to a network port, to a network device such as a switch or router, or inserted as a wireless interface card inside a system component. If a wireless device or network is installed without a company’s knowledge, it can allow an attacker to enter the network easily and “invisibly.”

Detecting and removing such unauthorized access points reduces the duration and likelihood of such devices being leveraged for an attack.

Good Practice: The size and complexity of an environment will dictate the appropriate tools and processes to be used to provide sufficient assurance that a rogue wireless access point has not been installed in the environment. For example, performing a detailed physical inspection of a single stand-alone retail kiosk in a shopping mall, where all communication components are contained within tamper-resistant and tamper-evident casings, may be sufficient to provide assurance that a rogue wireless access point has not been attached or installed. However, in an environment with multiple nodes (such as in a large retail store, call center, server room or data center), detailed physical inspection can be difficult. In this case, multiple methods may be combined, such as performing physical system inspections in conjunction with the results of a wireless analyzer. 

Click here to read more about PCI DSS 4.0 and rogue device security threats.

Physically Locating a Rogue AP

The first thing you need in order to look for a rogue AP is a WiFi scanning tool that lets you identify APs by their unique BSSID. Once the rogue AP has been identified, you use its BSSID to track its WiFi signal strength (RSSI in dBm) with the scanning software. The process is essentially guess-and-check: move, re-read the signal, and keep heading toward stronger readings until you find the device. Our blog post How to Physically Locate a Rogue Access Point outlines a detailed process for finding a rogue AP using WiFi Scanner for Windows. Also check out our demonstration video.

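As an added example that is not part of this guide or the WiFi Scanner product, the Python below applies the page's definitions (authorized, unauthorized, rogue) to a constructed scan and shows the RSSI comparison behind the guess-and-check walk described above. The BSSID-to-wired-MAC proximity check is an assumed heuristic for deciding "attached to our network", not something the page specifies, and the sample addresses are made up.

```python
# Constructed sample data (not real devices): one scan, our AP inventory, and MAC
# addresses learned on our wired switch ports. Scan rows are (ssid, bssid, rssi_dbm).
SAMPLE_SCAN = [
    ("Corp-WiFi", "00:11:22:33:44:50", -48),   # our own AP
    ("Free-WiFi", "aa:bb:cc:00:10:21", -55),   # unknown SSID, radio MAC near a wired MAC
    ("Neighbor5G", "de:ad:be:ef:00:01", -81),  # another tenant's AP, airspace only
]
AUTHORIZED_BSSIDS = {"00:11:22:33:44:50"}
WIRED_MACS = {"00:11:22:33:44:4e", "aa:bb:cc:00:10:20"}

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wired_network(bssid: str, wired_macs, tolerance: int = 8) -> bool:
    """Heuristic (assumption, not from the page): a radio BSSID is usually derived
    from the AP's wired base MAC and differs only in the low-order bits, so a BSSID
    within `tolerance` of a MAC seen on our switches is treated as attached to us."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= tolerance for m in wired_macs)

def classify(scan, authorized_bssids, wired_macs) -> dict:
    """Map each BSSID to 'authorized', 'rogue' (unauthorized AND on our wired
    network) or 'unauthorized' (seen in our airspace only, e.g. a neighbor)."""
    allowed = {a.lower() for a in authorized_bssids}
    verdicts = {}
    for _ssid, bssid, _rssi in scan:
        key = bssid.lower()
        if key in allowed:
            verdicts[key] = "authorized"
        elif on_wired_network(key, wired_macs):
            verdicts[key] = "rogue"
        else:
            verdicts[key] = "unauthorized"
    return verdicts

def step_direction(rssi_samples, noise_db: int = 3) -> str:
    """Guess-and-check aid. A rise beyond `noise_db` (assumed RSSI jitter margin) between
    the two latest readings means the last step moved toward the AP; a drop, away."""
    if len(rssi_samples) < 2:
        return "steady"
    delta = rssi_samples[-1] - rssi_samples[-2]
    if delta > noise_db:
        return "closer"
    if delta < -noise_db:
        return "farther"
    return "steady"

if __name__ == "__main__":
    print(classify(SAMPLE_SCAN, AUTHORIZED_BSSIDS, WIRED_MACS))
    print(step_direction([-70, -62]))  # "closer"
```

A "rogue" verdict from the MAC-proximity heuristic is a lead to confirm on the switch's MAC table and port, not proof by itself.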
WiFi Scanner for Windows - The Perfect Tool for Rogue Detection

Check out our app, WiFi Scanner for Windows, which is a perfect tool for identifying and mitigating rogue access points. Click the link below to try it for free for 14 days.
