HAL Id: hal-02531071
https://hal.archives-ouvertes.fr/hal-02531071
Submitted on 3 Apr 2020
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Finding Indicators To Detect Fake Access Point Attacks On the Physical Layer
Andy Amoordon, Christophe Gransart, Virginie Deniau, Corentin Gesnot
To cite this version:
Andy Amoordon, Christophe Gransart, Virginie Deniau, Corentin Gesnot. Finding Indicators To Detect Fake Access Point Attacks On the Physical Layer. URSI Benelux Forum, Dec 2019, Bruxelles, Belgium. 1p. �hal-02531071�
28th URSI Benelux Forum 2019
Finding Indicators To Detect Fake Access Point Attacks On the Physical Layer
Andy Amoordon, Christophe Gransart, Virginie Deniau, Corentin Gesnot
IFSTTAR-French Institute of Science and Technology for Transport, Development and Networks, Villeneuve d’Ascq 59650, France (e-mail: andy.amoordon@ifsttar.fr)
Wireless networks are indispensable in transport systems as they offer mobility, flexibility and rapid extension of the network. For vehicular communication, the IEEE 802.11p standard - an enhanced version of the IEEE 802.11 standard – will be used as a medium of communication. However since attacking tools for Wi-Fi have been democratized, Wi-Fi is vulnerable to various types of attacks ranging from denial of service attacks (jamming, deauthentication attacks…) to more elaborated attacks such as Man-in-the-Middle attacks. In a Man-in-the- Middle attack, the attacker sits in the middle of an exchange between two nodes and can either sniff out or inject packets to the exchange. This attack leads to critical losses of privacy and identity theft – which is problematic for vehicular communications. It is therefore essential to detect and mitigate this attack. This paper focuses on the detection step and aims to identify indicators, characterizing that an access point attack is underway. The final objective is to exploit these indicators to develop a monitoring approach based on the physical layer.
Wi-Fi is vulnerable to two types of Man-in-the-Middle attacks: the fake access point and the rogue access point.
The fake access point attack consists in the identity usurpation of an existing access point while the rogue access point attack consists in the deployment of monitored access points offering free internet access to attract victims.
A Wi-Fi access point periodically broadcasts its identity via beacon frames. The beacon frame contains its name (SSID), its MAC address (BSSID), the channel used, characteristics supported by the access point and the time indicator for frame transmission. To usurp the identity of the access point, the attacker creates another access point which transmits the same beacon frames as the licit access point. The attacker disconnects the clients from the licit access point by sending deauthentication frames to clients - forcing them to connect to his fake access point.
As a result, there are two access points; one adversary and one licit both transmitting the same beacon signal. This kind of incoherence can be observed by monitoring the data link layer. However, we aims to develop a detection approach based on the physical layer to avoid any privacy issues. By monitoring the physical layer, we only analyze transmitted signals and have no access to the transmitted data. In the following table, we group the relevant attack characteristics that can be exploited to build attack indicators for the physical link.
Table 1: Events indicating that a fake access point attack is underway
For instance, knowing that a fake access point will forcibly emit beacon frames at time intervals different than the licit one, an approach to detect a fake access attack on the physical layer could be to develop a receiving process measuring the beacons time intervals.
1. IEEE Computer Society, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications 802.11, 29 March 2012.
INDICATORS DESCRIPTION VALIDITY
Inconsistent beacon intervals
An access point should send a beacon frame each 100 milliseconds [1]. If two similar beacon frames are received
at inconsistent intervals, there is a fake access point.
Indicator always valid ; inconsistent beacon intervals =>
fake access point
Incomplete identity usurpation
Some attackers usurp only the SSID and/or BSSID and not all parameters in the beacon frames. In such cases, comparing beacon frames/tagged parameters against a
whitelist or known value can aid to detect the attack.
Indicator valid only when the attacker is notice/unexperienced
and perform an incomplete identity usurpation.
Unjustified deauthentication
frames
Deauthentication frames are sent for smooth handover of
client. Any other case is suspect and indicates an attack. Unjustified deauthentication/Excessive frames indicate deauthentication
attacks and not necessarily a fake access point attack Excessive number of
deauthentication frames
The presence of an excessive amount of deauthentication frames in short intervals indicate the use of automated
attack scripts.
