In: Computer Science
Describe a scenario in which an access point impersonation attack could be used to steal personal financial information.
The impersonation of a wireless Access Point (AP) poses an unprecedented number of threats that can compromise a wireless client's identity, personal data, and network integrity. An AP impersonation attack is conducted by establishing a rogue AP whose Service Set Identifier (SSID) and MAC address are spoofed to match those of the target legitimate AP. Since these identities can be easily forged, there is no identifier that can be used to recognize the legitimate AP. Because AP signal strength is strongly correlated with distance, in this paper we propose a client-centric AP spoofing detection framework that exploits the statistical relationship between the signal strengths of the legitimate and rogue APs. We show that the relationship between the signals can be determined using two classical partitioning-based clustering methods, K-means and K-medoids analysis. The experimental results show that both analysis methods achieve a detection rate of over 90%.
Impersonating an Access Point-
Impersonating a WiFi access point without any sort of password protection is trivial. Your proposed scenario of running a second access point with an identical SSID would work as you described. This attack works best when the signal strength of the rogue AP is higher than that of the real AP at the target computer. Hackers can also use de-authentication attacks to force clients to disconnect from the real AP in the hope that they will then be forced to reconnect to the rogue AP.
You can even buy commercial devices designed to facilitate this sort of MITM attack from a few vendors. See the famous WiFi Pineapple for one such example. It's still not point-and-click, but such attacks are within reach of the average script kiddie these days.
That's one of many reasons why unsecured access points are bad news. But generic shared APs with a common password distributed to everyone aren't a whole lot better in that regard. In the coffee shop example, everyone is freely given the password.
Impersonation Attack-
Wireless technologies have advanced with extraordinary speed in the previous couple of years. Not only have the capacity and performance of wireless communication systems improved exponentially, but so has the range of information and services that can now be accessed using mobile devices. Mobile phones and other handheld devices, for example Palm Pilots, permit ever-increasing amounts of information to be retrieved, stored and transmitted in real time. This includes text, audio and video data, as shown by the ease with which mobile phone users are today able to converse by voice, email and SMS, take and transmit digital photographs, stream audio and video files, and upload or download a range of material directly over the internet.
The primary advantage of a wireless system is communicating with the rest of the world while being mobile. Its weaknesses are limited bandwidth, processing capability and memory, an open medium, and weaker security compared to wired devices. As wireless systems are increasingly used for communication, it is becoming a challenge to keep electronic data transmissions secure.
On top of everything, the security needs of wireless devices are greater than those of regular wired-network devices. This is due to the very nature of their use: they are mobile, they are on the edge of the network, their connections are unreliable, and they tend to get destroyed accidentally or maliciously. Security processing can easily overwhelm the processors in wireless devices. This challenge, which is unique to wireless devices, is sometimes referred to as the security-processing gap. Wireless networks lack appropriate security infrastructure and give potential attackers easy access to the transport medium.
International Journal of Security and Its Applications
Malicious attackers can be divided into two types. The first is known as focused attackers: full-time, dedicated professionals who have nothing better to do than target a specific enterprise. The second is called opportunistic attackers, who will attack a wireless network. Although several attacks have been addressed, including active and passive eavesdropping, man-in-the-middle, replay, session hijacking, traffic analysis, and masquerading, existing authentication schemes cannot fully protect hosts from well-known impersonation attacks. Detecting impersonation attacks has the distinctive benefit of not only determining the presence of those attacks but also localizing the adversaries. Therefore, it is vital to detect the presence of spoofing attacks, determine the number of attackers, find the location of the attackers, and eliminate them.
EXAMPLE
For example, in an 802.11 network, it is easy for an attacker to collect useful MAC address information during passive monitoring and then modify its MAC address by simply issuing an ifconfig command to masquerade as another device. In spite of existing 802.11 security techniques, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and 802.11i (WPA2), such mechanisms can only protect data frames; an attacker can still spoof management or control frames to cause significant impact on networks.
Impersonation attacks are launched by using another node's identity, such as a MAC or IP address. Impersonation attacks are often the first step of most attacks, and are used to launch further, more sophisticated attacks. In reality, wireless networks lack appropriate security infrastructure and give potential attackers easy access to the transport medium. Rogue wireless access points deserve particular attention since they are not authorized for operation. They are usually installed either by employees or by hackers. Attention has been paid to finding rogues by using:
- Wireless sniffing tools (e.g., AirMagnet or NetStumbler), walking through facilities and checking access points' Medium Access Control (MAC) addresses, vendor names, and security configurations against the authorized ones;
- A central console attached to the wired side of the network for monitoring (e.g., AirWave);
- A free Transmission Control Protocol (TCP) port scanner (e.g., SuperScan 3.0) that identifies enabled TCP ports.
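As an added example (not code from the source), the following script performs the inventory comparison that the walk-through and console checks above rely on: it takes wireless scan records and flags any AP whose BSSID, channel, security configuration or vendor OUI disagrees with the authorized inventory. All MAC addresses, SSIDs and scan results are constructed.

```python
# Added example (not from the source): check scan records against an inventory of
# authorized APs, the way the walk-through and console checks above compare MAC
# addresses, vendor and security configuration. All values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str      # AP MAC address; trivially forgeable, so never the only check
    channel: int
    security: str   # "open", "WPA2", ...

# Constructed inventory of authorized APs (hypothetical MAC addresses).
AUTHORIZED = {
    "aa:bb:cc:11:22:33": ApRecord("CorpNet", "aa:bb:cc:11:22:33", 6, "WPA2"),
    "aa:bb:cc:11:22:44": ApRecord("CorpNet", "aa:bb:cc:11:22:44", 11, "WPA2"),
}
AUTHORIZED_OUI = {"aa:bb:cc"}          # vendor prefix of the approved hardware
CORP_SSIDS = {a.ssid for a in AUTHORIZED.values()}

def classify(rec):
    """Return the reasons a scanned AP looks rogue; an empty list means it matches inventory."""
    reasons = []
    known = AUTHORIZED.get(rec.bssid)
    if rec.ssid in CORP_SSIDS and known is None:
        reasons.append("corporate SSID advertised by a BSSID not in inventory")
    if known is not None:
        # Same MAC as a real AP but a different channel or security setting: cloned BSSID
        if rec.channel != known.channel:
            reasons.append(f"BSSID seen on channel {rec.channel}, expected {known.channel}")
        if rec.security != known.security:
            reasons.append(f"security {rec.security}, expected {known.security}")
    if rec.ssid in CORP_SSIDS and rec.bssid[:8] not in AUTHORIZED_OUI:
        reasons.append("vendor OUI does not match approved hardware")
    return reasons

def find_rogues(scan):
    """List of (bssid, reasons) for every suspicious record; clean APs are omitted."""
    return [(r.bssid, reasons) for r in scan if (reasons := classify(r))]

# Constructed scan: two real APs, an evil twin that clones a real BSSID on another
# channel with no encryption, and a rogue with the corporate SSID on foreign hardware.
SCAN = [
    ApRecord("CorpNet", "aa:bb:cc:11:22:33", 6, "WPA2"),
    ApRecord("CorpNet", "aa:bb:cc:11:22:44", 11, "WPA2"),
    ApRecord("CorpNet", "aa:bb:cc:11:22:33", 1, "open"),
    ApRecord("CorpNet", "de:ad:be:ef:00:01", 6, "WPA2"),
]
```

Running `find_rogues(SCAN)` flags the cloned BSSID (wrong channel, encryption stripped) and the foreign-hardware AP (unknown BSSID, wrong OUI) while leaving the two inventoried APs unreported.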
When a source sends a message to different nodes in the network, the malicious node also receives that message and misuses all of the information. An impersonation attack is a key driver of colluding attacks, in which a compromised node injects a malicious node into the network and creates a number of replicas of the malicious node for carrying out future attacks across the whole network.
Risk of Impersonation Attack
In understanding the risks, knowledge of the real threats helps place the complex landscape of security mechanisms in context. Impersonation takes the form of device cloning, address spoofing, unauthorized access, rogue base stations (or rogue access points), and replay.
Device cloning consists of reprogramming a device with the hardware address of another device. This can also be done for the duration of one frame, an operation termed MAC address spoofing. This is a known problem in unlicensed services such as Wi-Fi/802.11. It is an enabler for unauthorized access and various attacks such as the disassociation or deauthentication attack. It is interesting to note that a recent case of CDMA phone cloning occurred in India.
In Wi-Fi/802.11 networks, the identity of a device, i.e. its hardware address, can be easily stolen over the air by intercepting frames. Presently, no wireless access technology offers perfect identity concealment over the air.
Impersonation of a legitimate user can be done to obtain unauthorized access to a wireless network. Authorization at the user level has been introduced in both WiFi/802.11 and WiMax/802.16 to mitigate the threat. There are three options for authorization:
- Device list-based: If device list-based authorization is used alone, then a subscriber impersonation attack is likely.
- X.509-based: X.509-based authorization uses certificates installed in devices by their manufacturers. If X.509-based authorization is used, a subscriber may still be the victim of impersonation, in particular if certificates are hard-coded and cannot be renewed or revoked.
- EAP-based: The Extensible Authentication Protocol (EAP) is a generic authentication protocol that can be instantiated with a specific authentication method. If EAP-based authorization is used, we believe that at this time it is safe to say that a subscriber impersonation attack is still possible.
A rogue base station (or access point) is an attacker station that imitates a legitimate base station. The rogue base station confuses a set of subscribers trying to get service through what they believe to be a legitimate base station. It may result in long disruptions of service [3].
The signal of the attacker, however, must arrive at the targeted receiving subscribers with more strength and must push the signal of the impersonated base station into the background, relatively speaking. Again, the attacker has to capture the identity of a legitimate base station. Then it builds messages using the stolen identity.
The scope of management messages to which authentication is applicable is limited in earlier versions of 802.16. Hence, with earlier versions of 802.16 the management messages are not subject to integrity protection. Weaknesses in management message authentication open the door to aggressions such as the man-in-the-middle attack or the rogue base station attack.
The risk of impersonation in wireless networks is critical since the threat can be materialized into several forms of attack. Countermeasures are needed to address the threat.
SPOOFING ATTACK
A spoofing attack occurs when a malicious adversary impersonates another device or user in order to gain access to restricted resources or to steal information. Spoofing attacks provide a rich set of ways for identity thieves and corporate espionage agents to launch a variety of traffic injection attacks, Denial of Service (DoS) attacks, and rogue AP (RAP) attacks. A Phishing AP or Evil Twin AP is a RAP intentionally deployed by the adversary to impersonate the legitimate AP (LAP) and to trick the victim into connecting to it through the illegitimate connection. The RAP is established by imitating all the configurations of the LAP, namely the SSID, MAC address, operating channel, etc. Since the SSID and MAC address of the AP are easily forged by the adversary, there is no other form of identification to identify the LAP. An adversary launching the spoofing attack lets his RAP advertise the same SSID as that of the LAP. This may cause the wireless client to unwittingly connect to the RAP. Moreover, the adversary can mount a DoS or deauthentication attack against the LAP to interrupt existing connections, and then wait for the client to re-connect and be trapped by the RAP. In addition, in IEEE 802.11 networks, clients select an AP by the strength of the received signal. The adversary only needs to ensure that his RAP has greater signal strength as seen by the client. To accomplish that, the adversary tries to place his RAP nearer to the client than the LAP.
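The detection idea from the abstract quoted at the top of this answer, as an added example that is not the paper's own code: because the rogue AP must be placed closer to the client than the legitimate AP, beacons carrying the same SSID/BSSID arrive at two distinct signal levels, and a client can split its RSSI samples with K-means (k=2) and flag the BSSID when the two clusters are separated by far more than the fading noise inside either cluster. The RSSI traces, thresholds and function names are constructed assumptions.

```python
# Added example (not the paper's code): a client-side check for an AP whose
# SSID/BSSID has been cloned, based on the paper's observation that beacons from
# two physically separate transmitters form two distinct RSSI clusters. Pure-Python
# 1-D K-means with k=2; no external libraries. All RSSI traces are constructed.
import random

def kmeans_1d(samples, iters=50):
    """Two-cluster K-means on scalar RSSI values (dBm). Returns (centroids, labels)."""
    centroids = [min(samples), max(samples)]   # deterministic seeding
    labels = []
    for _ in range(iters):
        labels = [0 if abs(s - centroids[0]) <= abs(s - centroids[1]) else 1 for s in samples]
        new = []
        for c in (0, 1):
            members = [s for s, l in zip(samples, labels) if l == c]
            new.append(sum(members) / len(members) if members else centroids[c])
        if new == centroids:
            break
        centroids = new
    return centroids, labels

def spread(samples):
    """Population standard deviation: the fading noise inside one cluster."""
    mean = sum(samples) / len(samples)
    return (sum((s - mean) ** 2 for s in samples) / len(samples)) ** 0.5

def looks_spoofed(rssi_samples, min_gap_db=8.0, min_share=0.2):
    """Flag a BSSID when its beacons split into two well-separated RSSI clusters.
    One AP on a noisy channel still yields one cluster (gap about the noise level);
    a rogue AP placed closer than the legitimate one yields a second, stronger cluster.
    """
    centroids, labels = kmeans_1d(rssi_samples)
    groups = [[s for s, l in zip(rssi_samples, labels) if l == c] for c in (0, 1)]
    if min(len(g) for g in groups) < min_share * len(rssi_samples):
        return False   # a handful of outliers is fading, not a second transmitter
    gap = abs(centroids[0] - centroids[1])
    noise = max(spread(g) for g in groups)
    return gap > min_gap_db and gap > 3 * noise

def constructed_beacons(seed=7):
    """Constructed traces: 60 beacons from one AP at about -62 dBm, then a trace where
    the second half comes from a rogue AP nearer the client at about -40 dBm."""
    rng = random.Random(seed)
    legit_only = [-62 + rng.gauss(0, 2) for _ in range(60)]
    with_rogue = legit_only[:30] + [-40 + rng.gauss(0, 2) for _ in range(30)]
    return legit_only, with_rogue

if __name__ == "__main__":
    legit, spoofed = constructed_beacons()
    print("single AP flagged:", looks_spoofed(legit))      # False
    print("cloned BSSID flagged:", looks_spoofed(spoofed))  # True
```

The same check generalizes to K-medoids by replacing the mean in `kmeans_1d` with the member closest to the cluster centre; the separation test is unchanged.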