One of the more sophisticated attacks a malicious user can carry out is called a man-in-the-middle (MITM) attack. There are many ways to mount a MITM attack.
A popular wireless MITM attack is called the “evil twin AP” attack, where an attacker introduces a rogue AP and configures it with the same SSID as a legitimate AP. Locations offering free Wi-Fi, such as airports, cafes, and restaurants, are hotbeds for this type of attack due to the open authentication.
Connecting wireless clients would see two APs offering wireless access. Those near the rogue AP find the stronger signal and most likely associate with the evil twin AP. User traffic is now sent to the rogue AP, which in turn captures the data and forwards it to the legitimate AP. Return traffic from the legitimate AP is sent to the rogue AP, captured, and then forwarded to the unsuspecting STA. The attacker can steal the user's password and personal information, gain network access, and compromise the user's system.
For example, in Figure 1, a malicious user is in “Bob’s Latte” coffee shop and wants to capture traffic from unsuspecting wireless clients. The attacker launches software, which enables their laptop to become an evil twin AP matching the same SSID and channel as the legitimate wireless router.
In Figure 2, a user sees two wireless connections available, but chooses and associates with the evil twin AP. The attacker captures the user data and forwards it to the legitimate AP, which in turn directs the return traffic back to the evil twin AP. The evil twin AP captures the return traffic and forwards the information to the unsuspecting user.
Defeating a MITM attack depends on the sophistication of the WLAN infrastructure and the vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on the WLAN. To do this, users must be authenticated. After all of the legitimate devices are known, the network can be monitored for abnormal devices or traffic.
Enterprise WLANs that use state-of-the-art WLAN devices provide administrators with tools that work together as a wireless intrusion prevention system (IPS). These tools include scanners that identify rogue APs and ad hoc networks, and radio resource management (RRM), which monitors the RF band for activity and AP load. An AP that is busier than normal alerts the administrator of possible unauthorized traffic.
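The detection step described above (first inventory the legitimate APs, then flag anything abnormal) can be illustrated in Python; this is an added example, not code from the original text or from any WLAN vendor, and the inventory, scan records, BSSIDs and field names are all constructed. An AP advertising an authorized SSID from a BSSID that is not in the inventory is the evil-twin signature; a known BSSID seen with an unexpected SSID, channel, or security setting is also reported for the administrator to review.

```python
# Added example: evil-twin / rogue AP detection against an authorized-AP inventory.
# Inventory, scan records and field names are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "open", "wpa2"

# Constructed inventory of legitimate APs: BSSID -> (SSID, channel, security)
AUTHORIZED = {"00:11:22:33:44:01": ("BobsLatte", 6, "open")}

def classify(obs, authorized=AUTHORIZED):
    """Return a finding for one observed AP, or None if it matches the inventory."""
    known_ssids = {ssid for ssid, _, _ in authorized.values()}
    entry = authorized.get(obs.bssid.lower())
    if entry is None:
        # Our SSID advertised from a radio we never deployed: the evil-twin signature
        return "evil-twin" if obs.ssid in known_ssids else "unknown-ap"
    ssid, channel, security = entry
    if obs.ssid != ssid:
        return "ssid-mismatch"      # known radio, unexpected network name
    if obs.channel != channel:
        return "channel-mismatch"   # RRM change, or someone spoofing our BSSID
    if obs.security != security:
        return "security-mismatch"  # e.g. open network where WPA2 is expected
    return None

def find_rogue_aps(observations, authorized=AUTHORIZED):
    """Map each suspicious BSSID to its finding; known-good APs are omitted."""
    findings = {}
    for obs in observations:
        verdict = classify(obs, authorized)
        if verdict:
            findings[obs.bssid.lower()] = verdict
    return findings

# Constructed scan: the legitimate AP plus an evil twin copying its SSID and channel
SCAN = [
    Observation("BobsLatte", "00:11:22:33:44:01", 6, "open"),
    Observation("BobsLatte", "DE:AD:BE:EF:00:01", 6, "open"),
    Observation("Guest-Net", "aa:bb:cc:dd:ee:ff", 11, "wpa2"),
]

if __name__ == "__main__":
    for bssid, verdict in find_rogue_aps(SCAN).items():
        print(f"{bssid}: {verdict}")
```

In a real deployment the scan records would come from the WLAN controller or wireless IPS sensors, and the "channel-mismatch" finding needs to be reconciled with legitimate RRM channel changes before it is treated as an alert.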