COSEC, Nanjing University
With the widespread deployment of wireless access points (hereinafter AP), more and more people enjoy the convenience of surfing the web wherever they are. APs are installed in homes, offices, coffee shops, shopping malls and many other public or private places.
However, this raises a question: are these APs safe?
The answer is clear: APs are not always legitimate, and some of them are outright malicious. Because mobile phones usually reconnect to APs they have used before based only on the AP name and the signal strength, attackers exploit this behaviour to set up a fake AP (hereinafter rogue AP) with the same name, the same MAC address and so on. Such rogue APs have stronger signal levels and are able to ‘kick out’ the official APs, luring the victim’s phone into starting the reconnection process based on name and strength, i.e., into connecting to the attacker’s rogue AP.
The attacker’s rogue AP (which could be a mobile hotspot, a PC or even a real router) then acts as a middleman between the victim and the real AP. By launching a man-in-the-middle attack (henceforth MITM attack) and capturing the packets sent by the victim or by the official AP, the attacker can easily eavesdrop on the victim’s credentials, such as passwords.
Prior to implementing the project, I made a fake Nanjing University WLAN authentication system.
And the original one:
To tackle this problem, researchers have developed various approaches.
Vladimir Brik et al. used radiometric signatures to identify the subtle differences between two APs that carry the same name. A router’s radiometric signatures (for example, its signal strengths) vary, but only slightly, and they stay stable over long runs. Such fluctuations in the radiometric signature differ between devices, however, even between devices of the same type.
Suman Jana et al. proposed a new timestamp-based approach. Rather than TCP/IP timestamps, their approach uses the TSF (Time Synchronization Function) timestamp, which is generated by the router itself with a granularity of up to 1 ms, to measure the arrival of packets; it does not need to consider delays and is hard to manipulate. They developed a Linear Programming Method (LPM) to avoid the effect of delays and a Least Square Fitting (LSF) algorithm to estimate the clock skew. A ‘jump’ in the arrival times indicates that there is a hidden shadow router that may be eavesdropping.
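The clock-skew idea above, as an added example in Python (not code from the Jana et al. paper): it fits a straight line by least squares to the offsets between each beacon’s TSF timestamp and its local arrival time, reads the slope as the skew, and flags a jump in the offset series. The 15 ppm skew, the 7 s TSF difference of the second device, the jitter values and the 1000 µs jump threshold are constructed assumptions; the 100 TU beacon interval is the usual 802.11 default, and the LPM step is not shown.

```python
# Added example (not code from Jana et al.): estimating an AP's clock skew by
# least-squares fitting of (TSF timestamp, local arrival time) pairs, and a
# simple jump check on the offset series. All beacon data below is constructed.

BEACON_US = 102_400          # 100 TU beacon interval in microseconds (802.11 default)
TRUE_SKEW_PPM = 15           # assumed skew of the genuine AP's clock
JITTER_US = [0, 7, -5, 12, -9, 3, -14, 6, 11, -2, 4, -8]  # constructed arrival jitter

# Constructed beacons from one genuine AP: TSF advances at the AP's rate,
# local arrival = constant offset + TSF * (1 + skew) + jitter.
GENUINE_TSF = [i * BEACON_US for i in range(12)]
GENUINE_ARRIVAL = [500_000 + t * (1 + TRUE_SKEW_PPM * 1e-6) + j
                   for t, j in zip(GENUINE_TSF, JITTER_US)]

# Constructed splice: from beacon 8 on, the frames come from a second device
# whose TSF counter runs 7 s ahead (a shadow AP announcing the same name).
SPLICED_TSF = GENUINE_TSF[:8] + [t + 7_000_000 for t in GENUINE_TSF[8:]]


def offsets(tsf_us, arrival_us):
    """offset_i = arrival_i - tsf_i; for one stable clock this is a straight line."""
    return [a - t for a, t in zip(arrival_us, tsf_us)]


def clock_skew_lsf(tsf_us, arrival_us):
    """Least-squares fit offset = a + b * (tsf - tsf_0).
    Returns (skew in ppm, intercept in us, max absolute residual in us)."""
    xs = [t - tsf_us[0] for t in tsf_us]
    ys = offsets(tsf_us, arrival_us)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    resid = max(abs(y - (a + b * x)) for x, y in zip(xs, ys))
    return b * 1e6, a, resid


def offset_jump(tsf_us, arrival_us, max_jump_us=1_000.0):
    """Index of the first beacon whose offset differs from the previous one by
    more than max_jump_us (the 'jump' the text describes), or -1 if none."""
    offs = offsets(tsf_us, arrival_us)
    for i in range(1, len(offs)):
        if abs(offs[i] - offs[i - 1]) > max_jump_us:
            return i
    return -1


if __name__ == "__main__":
    skew, _, resid = clock_skew_lsf(GENUINE_TSF, GENUINE_ARRIVAL)
    print(f"genuine AP: skew {skew:.1f} ppm, max residual {resid:.1f} us")
    print("jump in genuine trace at index:", offset_jump(GENUINE_TSF, GENUINE_ARRIVAL))
    print("jump in spliced trace at index:", offset_jump(SPLICED_TSF, GENUINE_ARRIVAL))
```

With only twelve beacons the jitter pulls the estimated skew a few ppm below the assumed 15 ppm; over a longer capture the estimate tightens, which is why the detector compares skews over many frames rather than trusting one short window.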
Hao Han et al. take the RTT of non-recursive DNS lookup queries into consideration. Their research is based on these sound assumptions:
- Most local networks have a local DNS server.
- A station can always send a DNS lookup request.
- DNS requests cannot be blocked by the network.
- DNS responses vary for different queries.
Since user-generated DNS queries are unpredictable, it is impossible for a rogue AP to keep up a huge database of DNS entries, even if the attacker took DNS queries into account when setting up the rogue AP. Hence the rogue AP is forced to forward the query to another DNS server, which introduces a time delay.
Research on rogue AP detection has been going on for over ten years. However, the story is not over. Let’s take this a step further.
If we already suspect the presence of a rogue AP in the vicinity, what should we do?
The answer is simple: let’s locate it.
In 2011, Zengbin Zhang et al. proposed an idea for finding the direction in which the connected AP is placed using merely an off-the-shelf smartphone, without special equipment.
The principle is simple. When the user stands in front of the smartphone’s wireless antenna, the phone’s emissions may be blocked. Hence the signal strength received from the AP decreases.
In that case, the user merely needs to turn around 360 degrees like a radar while the signal is recorded at every blocking stance. The angle at which the signal drops most dramatically gives the direction of the AP.
The inspiration for my method, however, comes from two interesting stories.
The explosion of Chernobyl was a disaster, and even today, those who enter Chernobyl should be equipped with a Geiger counter. The Geiger counter shows the current radiation level; when the reading rises, it indicates that we are walking towards a concentration of radioactive material.
What if we apply the same scheme to localizing APs?
Some companies now have employees check in via phone. When checking in, the environmental signature, e.g., the names and strengths of nearby APs and GPS localization information, is taken into account to verify that you are IN the company rather than FAKING TO BE in the company. This process is also related to indoor localization of people using multiple routers. In a 2016 paper from MSR-India, a triangular localization algorithm using multiple APs is adopted to localize the user.
Okay, so what about walking around the room, sampling and analyzing the signals, and then PINPOINTING the AP?
This is the method: the MAIL project.
The original project is a SAIL project, Single AP Indoor Localization. I wanted to test whether it is possible to detect a given AP.
Conditional wifi sensor
The original design took a Wi-Fi reading every time one was received, creating a lot of system overhead. This is bad because the app easily stops working. Hence in the final version, the sensing stage works at an interval of 4 seconds, or whenever the user manually forces the process.
Originally I used the accelerometer to sense steps and the magnetic field sensor to sense orientation. However, the accelerometer sucks (:P), hence in the final version the step is performed manually: the user clicks ‘record’ when the orientation is adjusted to the correct condition, and the virtual step then appears on screen.
Originally the sensor was too accurate and sensitive, so a tolerance of 2-5 degrees is introduced: without a change of at least 2-5 degrees, the direction is not updated.
The idea comes from convolutional neural networks. A matrix is applied to compute the mean of each point together with its adjacent points. The purpose is to minimize the influence of noise, i.e., sudden fluctuations of signal strength.
In the scenario where the user is required to walk straight or turn without wandering around, the data should follow a cubic polynomial pattern. Hence a cubic polynomial regression is performed.
To pinpoint the AP, SAIL first finds the point with the maximal strength, then a floating window of +/- 2.5 strength units is applied. Points within this window are in the predicted range. A circle enclosing all these points is then drawn, and the AP is pinpointed.
During the experiments, I found that the system is even able to process multiple APs. By adding them all into a Map at each step, it is capable of pinpointing multiple APs.
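The pipeline of the preceding steps (orientation threshold, manually recorded steps, neighbour-mean smoothing, cubic regression, the +/- 2.5 window with its enclosing circle, and the per-step map of multiple APs), as an added Python example that is not the MAIL project’s own code. The walk, the AP names and their RSSI values are constructed; the 3-tap smoothing kernel and the 3-degree threshold are assumed choices, and positions are dead-reckoned from the recorded heading and the 50 cm step length given in the text.

```python
# Added example (not the MAIL project's code): the sampling-and-pinpoint
# pipeline described above, in pure Python. Heading tolerance, step length and
# the +/- 2.5 window come from the text; the sample walk and RSSI values are
# constructed, and the 3-tap smoothing kernel is an assumed choice.
import math
from collections import defaultdict

HEADING_THRESHOLD_DEG = 3.0   # text gives 2-5 degrees; 3 is assumed here
STEP_LENGTH_M = 0.5           # text: step length around 50 cm
WINDOW_DBM = 2.5              # text: floating window of +/- 2.5 strength


def heading_changed(prev_deg, new_deg, threshold=HEADING_THRESHOLD_DEG):
    """True only if the heading moved by at least the threshold; the difference
    is taken on the circle, so 359 -> 2 counts as 3 degrees, not 357."""
    diff = abs((new_deg - prev_deg + 180.0) % 360.0 - 180.0)
    return diff >= threshold


def walk_positions(headings_deg, step_len=STEP_LENGTH_M):
    """Dead-reckon an (x, y) position for every recorded step."""
    x = y = 0.0
    out = []
    for h in headings_deg:
        x += step_len * math.cos(math.radians(h))
        y += step_len * math.sin(math.radians(h))
        out.append((x, y))
    return out


def smooth(values, kernel=(0.25, 0.5, 0.25)):
    """Convolution-style smoothing: each sample becomes a weighted mean of
    itself and its neighbours; the ends are padded by repeating the edge value."""
    r = len(kernel) // 2
    padded = [values[0]] * r + list(values) + [values[-1]] * r
    return [sum(k * padded[i + j] for j, k in enumerate(kernel))
            for i in range(len(values))]


def cubic_fit(xs, ys):
    """Least-squares cubic y = c0 + c1 x + c2 x^2 + c3 x^3 (normal equations
    solved by Gauss-Jordan elimination with partial pivoting)."""
    n = 4
    ata = [[sum(x ** (i + j) for x in xs) for j in range(n)] for i in range(n)]
    aty = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(n)]
    m = [row + [b] for row, b in zip(ata, aty)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def evaluate(coef, x):
    return sum(c * x ** i for i, c in enumerate(coef))


def pinpoint(step_ids, positions, rssi):
    """Smooth the RSSI series, fit a cubic over the step index, keep every step
    whose fitted strength lies within WINDOW_DBM of the maximum, and return the
    enclosing circle as ((cx, cy), radius)."""
    coef = cubic_fit(step_ids, smooth(rssi))
    fitted = [evaluate(coef, i) for i in step_ids]
    peak = max(fitted)
    chosen = [positions[i] for i, f in zip(step_ids, fitted) if f >= peak - WINDOW_DBM]
    cx = sum(p[0] for p in chosen) / len(chosen)
    cy = sum(p[1] for p in chosen) / len(chosen)
    radius = max(math.dist((cx, cy), p) for p in chosen)
    return (cx, cy), radius


def pinpoint_all(steps):
    """steps: one (heading_deg, {ap_name: rssi_dbm}) entry per recorded step.
    Every AP seen during the walk is kept in one map and pinpointed separately,
    as the MAIL upgrade describes. APs seen at fewer than 4 steps are skipped,
    since a cubic cannot be fitted to them."""
    positions = walk_positions([h for h, _ in steps])
    per_ap = defaultdict(dict)
    for i, (_, scan) in enumerate(steps):
        for ap, dbm in scan.items():
            per_ap[ap][i] = dbm
    result = {}
    for ap, samples in per_ap.items():
        if len(samples) < 4:
            continue
        ids = sorted(samples)
        result[ap] = pinpoint(ids, positions, [samples[i] for i in ids])
    return result


# Constructed walk: 12 steps due east (heading 0). AP_A is strongest near
# step 5 (x = 3.0 m), AP_B near step 8 (x = 4.5 m).
AP_A, AP_B = "AP_A (constructed)", "AP_B (constructed)"
SAMPLE_WALK = [(0.0, {AP_A: -55 - 3 * abs(i - 5), AP_B: -60 - 2 * abs(i - 8)})
               for i in range(12)]

if __name__ == "__main__":
    for ap, (centre, radius) in pinpoint_all(SAMPLE_WALK).items():
        print(f"{ap}: centre=({centre[0]:.2f}, {centre[1]:.2f}) m, radius={radius:.2f} m")
```

On the constructed walk both APs come out within half a metre of where their strongest sample was taken, with a 1 m circle, which matches the sub-metre granularity the experiments report; a real walk with turns gives non-zero y coordinates and a circle that is not centred on the path.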
Therefore the project was upgraded into MAIL.
Moreover, the system has the potential not merely to pinpoint APs, but also to distinguish device types, and it is even applicable to pinpointing non-APs, i.e., clients.
A future PC version implementing the above features is in progress.
In experiments in both a dormitory and a classroom, the localization granularity can be within 1 meter, which is quite good.
(The step length is around 50 cm, and the time between steps is less than 0.5 s.)
Compared with I am the antenna, our method does not require standing and rotating, which attracts the attention of strangers and alerts attackers, and we are capable of pinpointing the AP rather than merely telling its direction.
Our method is stealthy, able to locate the AP even with the phone in a pocket, and capable of locating multiple APs.
The code is available on Github:
Many thanks to Associate Prof. Jingyu Hua, who gave me plenty of guidance and suggestions in this project.
[Vladimir Brik et al., 2008] Wireless Device Identification with Radiometric Signatures
[Suman Jana et al., 2008] On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews
[Hao Han et al., 2009] A Measurement Based Rogue AP Detection Scheme
[Zengbin Zhang et al., 2011] I am the antenna: accurate outdoor AP location using smartphones