Two years ago a private U.S. group concerned about intellectual property theft called on the American government to give business the right to go on the offence against hackers.
Since then a number of IT security pros have been urging the same, most recently former CISO turned consultant Jeff Bardin. Now another voice has been added: As part of a free tool he created, which can be downloaded from GitHub, to detect rogue Wi-Fi access points set up by hackers to mimic corporate APs, security researcher Mohamed Idris has included the ability to execute a denial of service attack on the legitimate wireless users to prevent them from connecting to the rogue AP. That would give administrators more time to react.
The DoS will only be performed against evil APs that have the same SSID (service set identifier, which is the name of the network) but different BSSID (broadcast service set identifier, which is the access point’s MAC address) or running on a different channel. That ensures the DoS isn’t aimed at the legitimate corporate network.
It’s not quite the same as launching a DoS attack on the hacker, but it does raise a number of legal and ethical questions. Before I get to that, a description of the detection tool. It can find rogue APs
- with a different BSSID address;
- with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
- with the same BSSID and attributes as the legitimate AP but a different tagged parameter, mainly a different OUI (tagged parameters are additional values sent along with the beacon frame; currently no software-based AP gives the ability to change these values, and software-based APs are generally poor in this area).
Idris writes that when an evil AP is discovered the tool alerts the admin through email (SMS will be supported soon), and can be set to automatically DoS the users of the legitimate wireless network to stop them from connecting to the bad AP. It also has a “learning mode” allowing the admin to whitelist the legitimate network.
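The three detection rules and the learning-mode whitelist described above, as an added Python example written for this article rather than taken from Idris's tool; the Beacon record, its field names and the sample beacons are constructed assumptions, and the deauthentication response is deliberately left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """Simplified, hypothetical record of the fields parsed from one 802.11 beacon."""
    ssid: str
    bssid: str
    channel: int
    cipher: str
    privacy: str
    auth: str
    oui: str  # vendor OUI carried in a vendor-specific tagged parameter

# Attributes compared by rule 2 (same BSSID, different attribute)
ATTRS = ("channel", "cipher", "privacy", "auth")

def learn(beacons):
    """'Learning mode': whitelist every AP seen during a trusted baseline capture."""
    return {b.bssid.lower(): b for b in beacons}

def classify(beacon, whitelist):
    """Return None for a legitimate AP, or a string naming the rule that flagged it."""
    if beacon.ssid not in {ap.ssid for ap in whitelist.values()}:
        return None  # does not impersonate our SSID, so out of scope for this tool
    known = whitelist.get(beacon.bssid.lower())
    if known is None or known.ssid != beacon.ssid:
        return "rogue: our SSID on an unknown BSSID"                      # rule 1
    diffs = [a for a in ATTRS if getattr(known, a) != getattr(beacon, a)]
    if diffs:
        return "rogue: same BSSID, different " + ", ".join(diffs)          # rule 2
    if known.oui.lower() != beacon.oui.lower():
        return "rogue: same BSSID and attributes, different tagged OUI"    # rule 3
    return None

def scan(beacons, whitelist):
    """List (bssid, reason) for every flagged beacon, in observation order."""
    return [(b.bssid, r) for b in beacons if (r := classify(b, whitelist)) is not None]

# Constructed sample: one corporate AP learned in baseline mode, then a later scan
# that contains the real AP, three impersonators (one per rule) and a neighbour.
LEGIT = Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "CCMP", "WPA2", "PSK", "00:11:22")
WHITELIST = learn([LEGIT])
OBSERVED = [
    LEGIT,
    Beacon("CorpWiFi", "66:77:88:99:AA:BB", 6, "CCMP", "WPA2", "PSK", "66:77:88"),
    Beacon("CorpWiFi", "00:11:22:33:44:55", 11, "TKIP", "WPA", "PSK", "00:11:22"),
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "CCMP", "WPA2", "PSK", "DE:AD:BE"),
    Beacon("CoffeeShop", "CA:FE:00:00:00:01", 1, "NONE", "OPEN", "OPEN", "CA:FE:00"),
]

if __name__ == "__main__":
    for bssid, reason in scan(OBSERVED, WHITELIST):
        print(bssid, reason)  # here an admin alert (email/SMS) would be raised
```

Note that, exactly as the article describes, a rogue AP advertising a different SSID is never flagged: the check is for impersonation of the whitelisted network, not for any unknown AP nearby.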
As for that DoS capability, security blogger Graham Cluley noted that in most countries around the world, it would be considered illegal to launch an attack against somebody else’s computer without their permission. That might seem odd if the users are within the organization. However, some users are legitimate outsiders — think of patrons in a restaurant or guests in a hotel.
Perhaps problems could be avoided if the DoS attack is accompanied by a message to device users explaining who is behind the attack (“We are denying service to a particular rogue AP.”)
Even so, Cluley notes that IT pros can improve security by maintaining VPNs on corporate networks.