Zero Cyber Exercise
Wireless Router/AP Behavior and Rules
Wireless routers and Access Points (APs) are fundamental components of modern networks, providing connectivity to client devices. Their behavior, together with the rules client devices use to pick which AP to connect to, creates a predictable connection pattern that attackers can exploit.
- Beacons and SSIDs: APs periodically transmit beacon frames. These frames advertise the presence of the network, including the Service Set Identifier (SSID) (the network’s name, e.g., “Home Wi-Fi”) and supported security protocols.
- Authentication and Association:
- Authentication: The client first exchanges 802.11 authentication frames with the AP. For open and WPA2 networks this is Open System authentication, which proves nothing; the Wi-Fi password is only checked later, in the WPA2 4-way handshake. WPA3 moves the password proof into this step (SAE).
- Association: Once authenticated, the client associates with the AP, establishing a link. On WPA2/WPA3 no user data flows until the handshake has derived the session keys.
- Client Management: The AP maintains a list of associated clients and manages their data traffic, quality of service (QoS), and connection state.
- Security Protocols: They enforce security protocols like WPA2 or WPA3 to encrypt data traffic and verify client credentials.
Client Device Connection Selection Behavior
Client devices (laptops, smartphones, tablets) use a predictable, often passive, process to select and connect to an AP:
- Scanning (Discovery):
- Passive Scanning: The client listens for beacon frames from nearby APs, passively discovering available networks.
- Active Scanning (Probing): The client sends probe request frames, either with a wildcard (empty) SSID or naming a saved network it wants to find. APs respond with probe response frames. Newer phone OSes randomize the scanning MAC address and send named probes mainly for networks saved as hidden, which reduces the leak; laptops, older devices and IoT gear still tend to probe for saved SSIDs by name.
- Preferred Network Lists (PNLs): Client devices maintain a PNL, a list of previously connected and saved Wi-Fi networks. The list drives connection priority based on:
- SSID Match: Only networks whose SSID (and security type) match a saved profile are auto-joined; the AP's BSSID is not part of the match.
- Signal Strength (RSSI): Among APs advertising the same SSID the client generally prefers the strongest signal, even if the difference is marginal.
- Automatic Reconnection: If a device loses connection to a preferred AP, it often aggressively and automatically tries to reconnect to that specific SSID, usually by broadcasting a probe request for it.
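The selection rules above, as a small Python model added here (not code from the original page): a PNL of saved profiles, a list of scan results, and the rule "match on SSID and security type, then take the strongest signal". The priority ordering, the `auto_join` flag and the sample networks are assumptions for illustration; real operating systems order their PNL by their own rules, but none of them checks the BSSID.

```python
"""Simplified model of how a client chooses an AP from its Preferred Network List."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScanResult:
    """One BSS seen in a scan (beacon or probe response)."""
    ssid: str
    bssid: str
    rssi: int        # dBm; closer to 0 is stronger
    security: str    # "open", "WPA2-PSK", "WPA3-SAE", ...


@dataclass(frozen=True)
class Profile:
    """One saved network in the PNL. Lower priority value = preferred."""
    ssid: str
    security: str
    priority: int
    auto_join: bool = True


def choose_ap(scan, pnl) -> Optional[ScanResult]:
    """Return the BSS the client would auto-join, or None if nothing matches.

    Rules modelled (an assumed simplification of real OS behaviour):
      1. walk the PNL in priority order, skipping profiles with auto-join off;
      2. a profile matches a BSS on SSID *and* security type, never on BSSID;
      3. among matching BSSs, the strongest RSSI wins.
    """
    for prof in sorted(pnl, key=lambda p: p.priority):
        if not prof.auto_join:
            continue
        cands = [r for r in scan if r.ssid == prof.ssid and r.security == prof.security]
        if cands:
            return max(cands, key=lambda r: r.rssi)
    return None


# Constructed sample data (made-up networks and BSSIDs).
HOME = ScanResult("Home Wi-Fi", "aa:bb:cc:00:00:01", -70, "WPA2-PSK")
OPEN_CLONE = ScanResult("Home Wi-Fi", "00:11:ee:00:00:99", -30, "open")
WPA2_CLONE = ScanResult("Home Wi-Fi", "00:11:ee:00:00:99", -30, "WPA2-PSK")
AIRPORT_CLONE = ScanResult("Airport Free Wi-Fi", "00:11:ee:00:00:99", -35, "open")

PNL = [Profile("Home Wi-Fi", "WPA2-PSK", 0), Profile("Airport Free Wi-Fi", "open", 1)]
PNL_NO_AUTO = [Profile(p.ssid, p.security, p.priority, auto_join=False) for p in PNL]


def scenarios():
    """Run the cases the text describes and return which BSSID each one joins."""
    return {
        # stronger open clone of a WPA2 profile: security mismatch, genuine AP still wins
        "open_clone_at_home": choose_ap([HOME, OPEN_CLONE], PNL).bssid,
        # clone with the same security type and a stronger signal: the rogue wins
        "wpa2_clone_at_home": choose_ap([HOME, WPA2_CLONE], PNL).bssid,
        # away from home, a saved open SSID needs nothing but the name to be joined
        "airport_clone_away": choose_ap([AIRPORT_CLONE], PNL).bssid,
        # with auto-join disabled nothing is joined without the user
        "auto_join_off": choose_ap([HOME, WPA2_CLONE, AIRPORT_CLONE], PNL_NO_AUTO),
    }


if __name__ == "__main__":
    for name, joined in scenarios().items():
        print(f"{name}: {joined}")
```

The second scenario is the evil twin: the rogue is chosen because SSID and security type match and its signal is stronger. To finish the connection the rogue must also know the WPA2 passphrase, which is no obstacle for a password shared on a sign in a cafe. The first scenario shows the one check that does protect the user: an open clone of a WPA2 profile is not auto-joined.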
Basic Operational Security
For slightly better operational security:
- ALWAYS DISABLE "Auto reconnect" (auto-join) for saved networks
- DO NOT CONNECT to any public Wi-Fi
Cybersecurity Vulnerability: The Connection Pattern
The combination of the client's aggressive search for known SSIDs and the weak (for open networks, non-existent) authentication of the AP itself creates a critical vulnerability known as a rogue access point attack. When the attacker clones one specific SSID it is called an evil twin; when the rogue AP answers every probe request with whatever SSID the client asked for it is a Karma attack. Either way the attacker ends up in a Man-in-the-Middle (MITM) position.
The vulnerability stems from this pattern: a client device matches on the SSID name, not on the identity of the AP behind it.
- The Attack: A malicious actor sets up a rogue AP with a strong signal. The attacker’s AP is configured to mimic the SSID of a popular, known network (e.g., “Starbucks Wi-Fi,” “Airport Free Wi-Fi,” or a victim’s saved home network).
- Client Deception:
- The client, looking for its preferred network, sees the attacker’s AP (due to its strong signal or simply being the only one around).
- The client sees the matching SSID and, based on its connection rules, automatically attempts to connect and authenticate to the rogue AP.
- Exploitation: Once the client is connected to the rogue AP:
- The attacker can sniff (capture) all unencrypted traffic. Traffic inside TLS stays confidential, but DNS queries and TLS server names (SNI) still reveal which sites the victim visits.
- The attacker can perform DNS spoofing to redirect the victim to malicious websites (e.g., a fake banking login page). This works against plain HTTP and captive-portal style pages; a browser that has already seen the real site's HSTS policy will refuse an impostor without a valid certificate.
- The attacker effectively becomes a Man-in-the-Middle, intercepting and potentially modifying all data between the victim and the internet.
This is a vulnerability because the client never verifies which physical AP it is talking to. On an open network nothing is authenticated at all. On WPA2/WPA3-Personal the 4-way handshake (WPA2) or SAE (WPA3) does prove that both sides know the passphrase, so a rogue AP needs it too, but for a password shared on a sign in a cafe or hotel that is no obstacle. A WPA2 rogue that does not know the passphrase still captures the client's half of the handshake for offline password guessing; WPA3-SAE removes that offline attack. Any AP can broadcast any SSID.
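To see the pattern in actual frames, here is an added Python example (not part of the original page) that parses the 802.11 management frames discussed above: beacons and probe responses (SSID, BSSID, privacy bit, RSN AKM) and probe requests (the SSIDs a client asks for). On top of the parser it runs three checks a wireless IDS would: a known SSID advertised by an unexpected BSSID or with a different security type (evil twin), one BSSID answering probes for many different SSIDs (Karma), and the saved-network names each client leaks in directed probes. The capture is constructed inline; the MAC addresses, SSIDs, the `KNOWN` baseline and the Karma threshold of three SSIDs are assumptions. Radiotap headers are not handled: the input is the bare 802.11 frame.

```python
"""Parse 802.11 beacon / probe frames and flag evil-twin and Karma-style rogue APs."""
import struct
from collections import defaultdict

BEACON, PROBE_REQ, PROBE_RESP = 0x80, 0x40, 0x50   # first frame-control byte
CAP_PRIVACY = 0x0010                                # capability bit: encryption in use
AKM_NAMES = {2: "WPA2-PSK", 8: "WPA3-SAE"}          # RSN AKM suite types (OUI 00-0F-AC)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Split a run of information elements into (tag, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies.append((tag, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies


def security_of(cap, ies):
    """Classify a BSS the way a client profile does: open, legacy, or by RSN AKM."""
    if not cap & CAP_PRIVACY:
        return "open"
    rsn = next((v for t, v in ies if t == 48), None)
    if rsn is None:
        return "wep/wpa1"                 # privacy bit set but no RSN IE
    # RSN IE: version(2) group(4) pair_count(2) pair(4*n) akm_count(2) akm(4*m) caps(2)
    try:
        akm_off = 8 + 4 * struct.unpack_from("<H", rsn, 6)[0]
        n_akm = struct.unpack_from("<H", rsn, akm_off)[0]
        akms = {rsn[akm_off + 2 + 4 * k + 3] for k in range(n_akm)}   # last byte = suite type
    except (struct.error, IndexError):
        return "rsn-malformed"
    return "/".join(sorted(AKM_NAMES.get(a, f"akm-{a}") for a in akms))


def parse_frame(raw):
    """Parse a beacon, probe request or probe response; None for anything else."""
    if len(raw) < 24 or raw[0] not in (BEACON, PROBE_REQ, PROBE_RESP):
        return None
    kind, src, bssid, body = raw[0], mac(raw[10:16]), mac(raw[16:22]), raw[24:]
    cap = None
    if kind != PROBE_REQ:                 # beacon / probe response: 12 bytes of fixed fields
        if len(body) < 12:
            return None
        cap = struct.unpack_from("<H", body, 10)[0]
        body = body[12:]
    ies = parse_ies(body)
    ssid = next((v.decode("utf-8", "replace") for t, v in ies if t == 0), "")
    return {"kind": kind, "src": src, "bssid": bssid, "ssid": ssid,
            "security": None if cap is None else security_of(cap, ies)}


def detect(frames, known, karma_threshold=3):
    """Return evil twins (known SSID from the wrong BSSID or security), Karma-style APs
    (one BSSID answering probes for many SSIDs) and the saved SSIDs each client leaks."""
    evil, answered, pnl = [], defaultdict(set), defaultdict(set)
    for f in filter(None, map(parse_frame, frames)):
        if f["kind"] == PROBE_REQ:
            if f["ssid"]:                 # directed probe: names a saved network
                pnl[f["src"]].add(f["ssid"])
            continue
        if f["kind"] == PROBE_RESP:
            answered[f["bssid"]].add(f["ssid"])
        if f["ssid"] in known and (f["bssid"], f["security"]) != known[f["ssid"]]:
            evil.append((f["ssid"], f["bssid"], f["security"]))
    return {"evil_twin": evil,
            "karma": sorted(b for b, s in answered.items() if len(s) >= karma_threshold),
            "client_pnl": {c: sorted(s) for c, s in pnl.items()}}


# --- constructed sample capture: MACs and SSIDs are made up, not real devices ---
def ie(tag, value):
    return bytes([tag, len(value)]) + value


def rsn_ie(akm_type):
    suite = lambda t: b"\x00\x0f\xac" + bytes([t])   # 00-0F-AC:4 = CCMP cipher
    return ie(48, struct.pack("<H", 1) + suite(4) + struct.pack("<H", 1) + suite(4)
              + struct.pack("<H", 1) + suite(akm_type) + struct.pack("<H", 0))


def frame(fc0, src, bssid, ies, cap=0):
    hdr = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + src + bssid + b"\x00\x00"   # 24-byte MAC header
    fixed = b"" if fc0 == PROBE_REQ else b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + b"".join(ies)


HOME_AP, ROGUE, PHONE = (bytes.fromhex(h) for h in ("aabbcc000001", "0011ee000099", "deadbeef0001"))
KNOWN = {"Home Wi-Fi": ("aa:bb:cc:00:00:01", "WPA2-PSK")}     # assumed baseline of your own APs
SAMPLE_FRAMES = [
    frame(BEACON, HOME_AP, HOME_AP, [ie(0, b"Home Wi-Fi"), rsn_ie(2)], CAP_PRIVACY),
    frame(PROBE_REQ, PHONE, b"\xff" * 6, [ie(0, b"Home Wi-Fi")]),
    frame(PROBE_REQ, PHONE, b"\xff" * 6, [ie(0, b"Airport Free Wi-Fi")]),
    frame(PROBE_REQ, PHONE, b"\xff" * 6, [ie(0, b"")]),        # wildcard probe: leaks nothing
    frame(PROBE_RESP, ROGUE, ROGUE, [ie(0, b"Home Wi-Fi")]),  # open clone of the home SSID
    frame(PROBE_RESP, ROGUE, ROGUE, [ie(0, b"Airport Free Wi-Fi")]),
    frame(PROBE_RESP, ROGUE, ROGUE, [ie(0, b"Starbucks Wi-Fi")]),
]

if __name__ == "__main__":
    print(detect(SAMPLE_FRAMES, KNOWN))
```

Point `detect` at frames from a monitor-mode capture (strip the radiotap header first) and a baseline of your own APs. The `client_pnl` output is exactly what an attacker gets for free from directed probe requests, which is why turning Wi-Fi off when not in use matters.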
The Human Factor Contribution
While the technology creates the potential for the vulnerability, human behavior significantly amplifies the risk by making the attack surface larger and the connection pattern more predictable.
- Convenience Over Security: Users prioritize ease of access. They save common, unsecured public SSIDs (e.g., coffee shops, public transit) in their PNLs for future automatic connection, often ignoring security warnings.
- Trust in Branding: Users inherently trust networks with familiar or branded names (“Hotel Wi-Fi,” “City Public”). They don’t question the legitimacy of the connection if the name matches what they expect.
- Lack of Cyber Awareness: Many users are unaware that:
- Any device can broadcast any Wi-Fi name.
- SSIDs are easily cloned.
- Turning Wi-Fi off when not in use is a fundamental security practice to stop the device from actively seeking known networks.
- Creating Predictable Targets: By repeatedly connecting to a few common SSIDs, users make it easier for an attacker to choose a highly effective, cloned SSID to lure them in.
Tip 1
Turn Wi-Fi off when not in use:
- Saves battery
- Stops probe requests, which can be used to profile and track you and give an attacker a way onto the device.
Tip 2
Upgrade all your devices to support the latest wireless security protocols.
This may sound consumerist, but a good share of local attacks are run by script kiddies with limited access to more recent (expensive) equipment and the better security chips, protocols and practices that come with it. Concretely, WPA3 (SAE) stops offline passphrase guessing, and Protected Management Frames, mandatory in WPA3, stop the forged deauthentication frames used to knock a client off the real AP so that it reconnects to the rogue one.
Comparison of Device Behaviors and Security Implications
The following table summarizes the contributing factors to the vulnerability:
Component | Behavior/Rule | Implication for Vulnerability
---|---|---
Wireless AP/Router | Broadcasts the SSID in beacon frames. | The SSID is publicly advertised and is the only name clients see; it is easily cloned.
Wireless AP/Router | Responds to probe requests for the SSIDs it serves. | A rogue AP running a Karma-style tool answers probe requests for whatever saved SSID a client asks for.
Client Device | Maintains a Preferred Network List (PNL). | The PNL drives aggressive, automatic reconnection attempts to saved SSIDs.
Client Device | Picks an AP by SSID match and then signal strength. | A rogue AP with a matching SSID (and security type) and a stronger signal is chosen over the genuine one.
Client & AP Protocol | On open networks nothing is authenticated; on WPA2/WPA3-Personal both sides only prove knowledge of the passphrase. | The client has no mechanism to verify which physical AP it is talking to, so trust rests on the SSID and, at best, on a passphrase that may be widely shared.