Real-Time Identification of Rogue WiFi Connections in the Wild

Abstract

WiFi connections are vulnerable to simulated attacks from rogue access points (AP) or devices whose SSID and/or MAC/IP address are the same as legitimate devices. This kind of attack is difficult to counter with traditional network security mechanisms. In this paper, we propose a new security mechanism that uses environment-independent features extracted from channel state information (CSI) to detect and identify rogue WiFi devices or APs, and reject their connections. We find that due to the I/Q imbalance and imperfect oscillator of each WiFi network card (NIC), the nonlinear phase error of different subcarriers will vary with the NIC. Through our experimental verification, this cross-subcarrier phase feature is invariant to the location and the environment. We deploy systems on two platforms that can extract constant phase errors from the constantly changing CSI in less than one second, which is at least 8× faster than that of the state-of-the-art solution. Extensive experiments on commercial routers and end devices in different scenarios show that based on the Industral Platform Computer (IPC) platform, where only non-encrypted rogue connections can be detected, the detection accuracy rate reaches 96%, and the false alarm rate is less than 2%. Based on the ASUS router platform (a commercial WiFi router), WiFi channels and smart device types are not restricted, which greatly improved universality, and the accuracy of device connection detection can even reach more than 99%. We improve a device-type identification method based on the communication traffic features of the device when connected to WiFi. Experiments show that even if there are multiple similar devices from the same manufacturer, the accuracy of device type detection exceeds 99%.