9.11 Rogue Devices as Exploitation Tools

Ideally (from the intruder's point of view), rogue APs are placed to give the intruder the highest degree of access possible into a network and to establish and maintain unauthorized control over the compromised network. What follows is a discussion of how rogue devices are placed, so that an administrator can prevent and discover them on the network.

9.11.1 Access Points

Rogue devices are usually placed in an area where they appear to belong there in the first place. A rogue AP should not cause any disruption in service to the existing network: it is intended to be used surreptitiously, so adversaries are generally very cautious when placing rogue APs so that they will not be noticed. If an administrator happens to be scanning an area where a rogue device is suspected, he or she will search for unencrypted data packets as the first sign that a rogue device exists. There is virtually no way to tell the difference between data packets encrypted with an intruder's WEP key and data packets encrypted with an authorized WEP key.

Rogue devices are often placed near building perimeter points, especially near a window, to optimize coverage. The intruder will attempt to place the rogue device in a part of the building that has a physically insecure perimeter so he or she can be within range of the access point and not arouse suspicion.

Intruders may use 900-MHz units instead of 2.4-GHz (802.11b) or 5-GHz (802.11a) Wi-Fi-compliant units. Virtually no WLAN discovery tool can scan the 900-MHz range. Intruders may also use FHSS technology such as Bluetooth, OpenAir, or HomeRF instead of DSSS; few WLAN discovery tools are even able to detect FHSS equipment. Additionally, intruders often use horizontally polarized antennas so that the rogue device presents a very small RF signature to the scanning devices used to find rogues. Such rogues are unlikely to be detected in a scan unless the administrator is physically close to the rogue device.
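The detection logic the section implies, as an added example (not the book's own code): a site-survey scan is triaged against an inventory of sanctioned APs. An open network is flagged as the "first sign" the text describes, but because an encrypted rogue is indistinguishable from an authorized AP by its encryption alone, the verdict rests on whether the BSSID and SSID are known. The scan records, the inventory, and the field names are constructed assumptions.

```python
# Added example: triage a wireless survey against a known-good AP inventory.
# All records, BSSIDs and SSIDs below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    bssid: str       # radio MAC address seen on the air
    ssid: str        # network name advertised in the beacon
    channel: int
    encrypted: bool  # True if the beacon advertises privacy (WEP/WPA)
    rssi: int        # received signal strength at the survey point, dBm

# Constructed inventory of sanctioned APs: BSSID -> SSID it should broadcast.
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP",
    "00:11:22:33:44:02": "CORP",
}

def classify(rec: ScanRecord, inventory=AUTHORIZED) -> str:
    """Return one of: authorized, open-rogue, ssid-spoof, unknown-encrypted."""
    expected = inventory.get(rec.bssid.lower())
    if expected is not None and expected == rec.ssid:
        return "authorized"
    if not rec.encrypted:
        return "open-rogue"          # the section's "first sign" of a rogue
    if rec.ssid in inventory.values():
        return "ssid-spoof"          # sanctioned name on an unknown radio
    return "unknown-encrypted"       # encryption alone cannot clear this one

def triage(records, inventory=AUTHORIZED):
    """Group BSSIDs by verdict, strongest signal first within each group."""
    out = {}
    for rec in sorted(records, key=lambda r: r.rssi, reverse=True):
        out.setdefault(classify(rec, inventory), []).append(rec.bssid)
    return out

# Constructed survey from one walk along the building perimeter.
SURVEY = [
    ScanRecord("00:11:22:33:44:01", "CORP", 6, True, -48),
    ScanRecord("de:ad:be:ef:00:01", "linksys", 11, False, -71),
    ScanRecord("de:ad:be:ef:00:02", "CORP", 1, True, -63),
    ScanRecord("de:ad:be:ef:00:03", "guest-5g", 36, True, -80),
]

if __name__ == "__main__":
    for verdict, bssids in triage(SURVEY).items():
        print(f"{verdict:17} {', '.join(bssids)}")
```

Anything in the unknown-encrypted group needs a physical walk-down, since, as the text notes, its traffic looks the same as authorized traffic on the air.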

9.11.2 Wireless Bridges

A rogue bridge placed within the Fresnel Zone of an existing bridge link poses a great security risk. The Fresnel Zone is the area around the visual line of sight into which radio waves spread after they leave the antenna; this area must be kept clear or signal strength will weaken. Fresnel Zones are an area of concern for wireless transmissions in the 2.4-GHz range. The 2.4-GHz signals pass through walls easily, but they have a tough time passing through trees because of their water content: 2.4-GHz signals are absorbed by water, so any barrier with a high water content becomes a problem. The Fresnel Zone of a wireless bridge link may span several miles and can be extremely broad, which makes placement of a rogue bridge much easier for an intruder and, conversely, rogue detection much tougher for an administrator. A rogue bridge must be set up with a very low priority; otherwise, it will become the root bridge and be detected. Intruders tend to use high-gain directional antennas to ensure a consistent, high-quality connection. Locating a rogue bridge along a three-mile point-to-point bridge link lessens the chances of discovery significantly compared to setting up the rogue device inside a corporate office. Administrators are rarely able to detect the presence of rogue bridges.


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153