Analysis of Rogue Access Points using SDR
Juan C. Rios
Department of Electrical and
Computer Engineering
University of California, Los Angeles
Los Angeles, CA 90095 USA
jcrios@ucla.edu
Charles Mercenit
Department of Math and Computer Science
Stetson University
DeLand, FL 32723 USA
ccmercenit@stetson.edu
Yongxin Liu
Department of Electrical, Computer
Software and Systems Engineering
Embry-Riddle Aeronautical University
Daytona Beach, FL 32114 USA
liuy11@my.erau.edu
Jian Wang
Department of Electrical, Computer
Software and Systems Engineering
Embry-Riddle Aeronautical University
Daytona Beach, FL 32114 USA
WANGJ14@my.erau.edu
Jiawei Yuan
Department of Electrical, Computer
Software and Systems Engineering
Embry-Riddle Aeronautical University
Daytona Beach, FL 32114 USA
yuanj@erau.edu
Houbing Song
Department of Electrical, Computer
Software and Systems Engineering
Embry-Riddle Aeronautical University
Daytona Beach, FL 32114 USA
h.song@ieee.org
Abstract — When people connect to the Internet with
their mobile devices, they do not often think about the
security of their data; however, the prevalence of rogue
access points has taken advantage of a false sense of
safety in unsuspecting victims. This paper analyzes the
methods an attacker would use to create rogue WiFi
access points using software-defined radio (SDR). To
construct a rogue access point, a few essential layers
of WiFi need simulation: the physical layer, link layer,
network layer, and transport layer. Radio waves carrying
WiFi packets, transmitted between two Universal Software
Radio Peripherals (USRPs), emulate the physical layer.
The link layer consists of the connection between those
same USRPs communicating directly to each other, and the
network layer expands on this communication by using the
network tunneling/network tapping (TUN/TAP) interfaces
to tunnel IP packets between the host and the access point.
Finally, the establishment of the transport layer constitutes
transceiving the packets that pass through the USRPs. In
the end, we found that creating a rogue access point and
capturing the stream of data from a fabricated “victim”
on the Internet was effective and cheap with SDRs as
inexpensive as $20 USD. Our work aims to expose how a
cybercriminal could carry out an attack like this in order
to prevent and defend against them in the future.
I. INTRODUCTION
Mobile devices have made an on-the-go connection to the
Internet a necessity; with social media deeply integrated into
modern society and cell phones dominating human attention,
most people check their phones numerous times each day [1].
This brings up an important issue, one that users hardly take
into account when finding public WiFi access points: user
security.
When connecting to free WiFi access points, users rarely
consider encrypting their connection using a virtual private
network (VPN) and run the risk of unintentionally connecting
to a rogue access point (RAP).
An RAP is an access point deployed by a hacker with the
intent to siphon sensitive information from those who connect
to it. One of the many ways an RAP can be dispensed involves
using a tool known as software-defined radio (SDR).
The flexibility of SDR provides a strong advantage over
the traditional method of interacting with radio signals; it
can simulate the effects of expensive physical equipment
(e.g. mixers, filters, amplifiers, modulators/demodulators, and
detectors) with a single piece of hardware that manipulates
those signals with powerful programs like GNU Radio [2]
and GQRX [3].
Though in its early stages, SDR has proven to be a revolutionary
technology for various agencies, organizations, and
corporations: the U.S. military has utilized SDR mechanisms
for their tactical radios, the satellite communications business
has adopted SDR as a solution to difficulties in changing
hardware in space, and the mobile infrastructure market has
incorporated SDR to develop faster and more flexible networks
[4]. Despite SDR having shown tremendous potential for
numerous applications, individuals with malicious intent
have created ways to exploit its powerful features.
With SDR, a criminal could communicate with mobile devices
and inconspicuously extract information that the victim
believed to be safely transported to the server. This level of
anonymity has become extremely dangerous, especially since
these attacks often occur in crowded, public areas (e.g. a
metropolitan city, a concert, a shopping mall, an airport, etc.).
In 2018, cybersecurity experts at Coronet reported the most
likely locations to fall under attack by cybercriminals were
airports. They also found that the San Diego International
Airport contained an RAP with a service set identifier (SSID)
named #SANfreewifi that ran Address Resolution Protocol
(ARP) poisoning attacks to change user MAC addresses and
deliver information directly to the hacker. Coronet disclosed
that each passenger had a 30% chance of connecting to a
medium-risk network and an 11% chance of connecting to a
high-risk network [5] at this airport alone.
To top it off, the cost of setting up an RAP falls below
$100 USD [6] due to various open-source software programs
and legally purchasable hardware devices. For example, many
of the methods we followed could be reproduced with GNU
Radio, Wireshark, and an RTL-SDR, which brings the total
cost to around $30 USD. This method of hacking has become
a frightening reality with a huge potential payoff for the
attackers.
Victims of identity theft spend a tremendous amount of
time dealing with emotional stress and financial burdens
while seeking to prove their innocence. Often, victims never
recuperate their assets and remain unable to recover, leaving
them with wasted time, lost wages, and drained bank accounts.
Aside from personal information, criminals have a plethora
of knowledge — ranging from sensitive business documents
belonging to travelling businessmen and classified intelligence
belonging to government officials — within their reach. In
the wrong hands, this information has the potential to create
catastrophic consequences: bankrupt companies and national
security issues [7].
These consequences, combined with the vast amount of
public WiFi access points, display how the average person
can do little to determine if an access point is legitimate. This
makes the public an easy target for attackers.
All of society will benefit from improved methods for
detecting these crimes. Our paper will aid the research and
development of such detection and prevention systems by
revealing the methods used by hackers.
The remainder of this paper is organized as follows: Section
II presents related works; our research plan, methods, and
tools are presented in Section III; Section IV explains our
experimental results; finally, Section V concludes our paper.
II. RELATED WORKS
The average person assumes an access point is secure and
remains unaware of the danger that could lie behind the scenes,
furthering the importance of detecting RAPs and the need to
research and discuss them. In order to aid this discussion,
we take the opposing approach and work to disclose how an
attacker would launch these attacks. The importance of fully
understanding these threats from both sides resides in the fact
that the increasing base of Internet users fuels the growth of
identity theft in the world.
In 2017, the United States Identity Theft Resource Center
reported 1,579 identity breaches with 178,955,069 records
exposed. Out of these attacks, digital identity thefts (phishing,
ransomware/malware, skimming, RAPs) made up 940 of the
breaches (59.5%) and 167,549,245 of the records exposed
(93.6%) [8]. This demonstrates that the Internet is not only where
most identity theft cases in the United States occur, but also the
most efficient method of attack for cybercriminals. Fig. 1 depicts
a rudimentary explanation of how network packets can get stolen.
Figure 1. A simplified version of the attack
RAPs present the most common method of accessing sensitive
information and consist of an access point with a similar
SSID to a well-established and reputable access point nearby
(e.g. setting the RAP’s SSID to “iHop Free WiFi” next to a
legitimate iHop WiFi with a WPA2 key). This baits users to
connect to the RAP, and network packets containing sensitive
information (usernames, passwords, credit card information,
etc.) begin to flow to the attacker for decoding.
Currently, limited work to detect evolving rogue WiFi
access point technology with SDR exists. Some work relies
on detecting and measuring the strength of signals [6], while
other papers use established intrusion detection systems (IDS)
such as statistical analysis [9], wireless traffic monitoring,
and feature extraction/timing-based solutions [10]. However,
hardly any published work explains how an attacker would
deploy such an attack using SDR.
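The evil-twin pattern described above (a rogue SSID that copies or imitates a legitimate one, such as "iHop Free WiFi" next to "iHop WiFi") is also what the cited detection work looks for. As an added illustration that is not part of this paper, the following Python script compares beacons seen by a monitoring sniffer against a site's inventory of trusted access points; the inventory, the observed beacons and the similarity threshold are constructed for this example.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Beacon:
    """One observed 802.11 beacon, reduced to the fields the check needs."""
    ssid: str
    bssid: str       # AP MAC address
    security: str    # "open", "wpa2", ...
    channel: int
    rssi: int        # received signal strength in dBm


# Constructed inventory of the access points a site operator actually runs.
TRUSTED = [
    Beacon("iHop WiFi", "00:11:22:33:44:55", "wpa2", 6, -50),
]

# Constructed beacon observations, as a monitoring sniffer might collect them.
OBSERVED = [
    Beacon("iHop WiFi", "00:11:22:33:44:55", "wpa2", 6, -52),       # the real AP
    Beacon("iHop Free WiFi", "aa:bb:cc:dd:ee:01", "open", 6, -40),  # lookalike, open
    Beacon("iHop WiFi", "aa:bb:cc:dd:ee:02", "wpa2", 11, -70),      # same SSID, unknown BSSID
    Beacon("Airport Lounge", "aa:bb:cc:dd:ee:03", "wpa2", 1, -60),  # unrelated network
]


def normalize(ssid):
    """Fold case and drop spacing/punctuation so 'iHop WiFi' and 'ihop-wifi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def similarity(a, b):
    """Similarity in [0, 1] between two SSIDs after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(beacon, trusted, threshold=0.75):
    """Return (verdict, reason) for one observed beacon."""
    by_bssid = {t.bssid: t for t in trusted}
    if beacon.bssid in by_bssid:
        t = by_bssid[beacon.bssid]
        if t.ssid != beacon.ssid or t.security != beacon.security:
            return "suspicious", "known BSSID now advertises a different SSID or security mode"
        return "trusted", "matches inventory"
    # Exact SSID copy from a BSSID we do not run: the classic evil twin.
    for t in trusted:
        if normalize(t.ssid) == normalize(beacon.ssid):
            reason = "SSID %r seen from unknown BSSID %s" % (beacon.ssid, beacon.bssid)
            if beacon.rssi > t.rssi:
                reason += ", and it is louder than the legitimate AP"
            return "evil-twin", reason
    # Near copy of a trusted SSID, e.g. 'iHop Free WiFi' next to 'iHop WiFi'.
    for t in trusted:
        score = similarity(t.ssid, beacon.ssid)
        if score >= threshold:
            reason = "lookalike of %r (similarity %.2f)" % (t.ssid, score)
            if beacon.security == "open" and t.security != "open":
                reason += ", open network imitating a protected one"
            return "lookalike", reason
    return "unknown", "no similar trusted SSID"


def scan(observed, trusted):
    """Classify every observed beacon; returns a list of (beacon, verdict, reason)."""
    return [(b,) + classify(b, trusted) for b in observed]


if __name__ == "__main__":
    for beacon, verdict, reason in scan(OBSERVED, TRUSTED):
        print("%-10s %-18s %-16s %s" % (verdict, beacon.bssid, beacon.ssid, reason))
```

A real deployment would feed this from a monitor-mode capture and keep the inventory current; the channel and RSSI fields are retained because signal-strength comparison is one of the detection cues the cited work [6] relies on.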
We based a lot of our work off of one important paper
authored by B. Bloessl et al. [11]. Using the techniques
for creating an orthogonal frequency-division multiplexing
(OFDM) receiver in GNU Radio outlined by Bloessl, we
created a receiver and transmitter with SDR to mimic an RAP.
III. PLAN, METHOD, TOOLS, ETC.
A. Plan
We attempt to recreate the system a hacker would use
in order to experience and understand the process an attack
could follow. Our final objective involves manufacturing a
“victim” by connecting a Raspberry Pi [12] to our RAP and
subsequently capturing all of the traffic generated by it. By
simulating the victim using this system, we can interpret the
infiltrated Open Systems Interconnection (OSI) layers.
The first step of building this model includes receiving
and transmitting with our USRP B210 [13] and USRP N210
[14] to establish the physical layer. After accomplishing that,
unicasting between the USRPs becomes the next important
task. Successfully unicasting means the link layer has been
introduced. Ultimately, using the USRPs to transceive data
establishes the network and transport layers, and our RAP is
effectively deployed.
B. Reception
We began by analyzing FM radio waves with GNU Radio.
After successfully constructing a flowgraph for listening to the
radio, our first major goal included capturing network packets
from genuine WiFi spectrums. Fig. 2 shows how we analyzed
2.4 and 5.0 GHz frequencies and observed the multitudes of
network packets transmitting in the air using a waterfall graph.
Figure 2. Waterfall graph illustrating network packets (the “hotspots” in the
graph) corresponding to a frequency in 802.11g spectrum
Reading these packets required Wireshark [15] and a Wireshark
connection block provided by the GitHub repository gr-foo [16];
combining these allowed us to analyze the network
packets that our SDR captured with GNU Radio.
After successfully implementing this method, we possessed
the ability to inspect the packets transported through the
network and captured by GNU Radio. Fig. 3 displays some
of the network packets we captured in Wireshark. After we
established the information reception phase of the project, our
next step became transmission.
C. Transmission
The physical layer, the lowest layer in computer networking,
defines the hardware used to physically connect computers together.
In our case, it consisted of radio waves that transmitted
data between our SDRs.
We began by attempting to transmit an audio file to a nearby
FM radio. Using a .wav file and a wide-band FM transmission
block, we converted the audio signal to a radio signal and fed it
into a rational resampler to increase the frequency. Afterwards,
the signal passed through the USRP sink — the last step of
transmitting the .wav file — before getting picked up by the
radio.
After successfully performing this transmission, we began
to implement this system with WiFi signals. Building off of
an IEEE 802.11 a/g/p module [17] created by B. Bloessl, we
captured network packets from 2.4 and 5.0 GHz WiFi spectrums.
In order to pinpoint which frequency our system should
listen to, we used GNU Radio to specify the physical medium
and phase-shift keying that the physical layer required. For our
specific case, we elected to analyze both 2.4 GHz (802.11g)
and 5.0 GHz (802.11a) signals with simple binary phase-shift
keying (BPSK) rather than quadrature phase-shift keying
(QPSK). BPSK is the simplest method to encode data,
transmitting one bit per symbol, while QPSK offers transmission
of two bits per symbol; however, this enhanced rate of
transmission results in a higher chance of incorrectly decoded
QPSK symbols.
$$\varphi(t) = \sqrt{\frac{2}{T_b}}\,\cos(2\pi f_c t) \qquad (1)$$
Eqn. 1 represents the signal space in BPSK modulation.
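The following worked derivation is added here and is not part of the paper; it uses the paper's symbols and takes $E_b$ as the energy per bit and $E_s$ as the energy per symbol. It shows why (1) is normalized the way it is and how the BPSK and QPSK constellations the text compares differ in error margin.

$$\int_0^{T_b} \varphi(t)^2\,dt = \frac{2}{T_b}\int_0^{T_b} \cos^2(2\pi f_c t)\,dt = \frac{1}{T_b}\int_0^{T_b}\left[1 + \cos(4\pi f_c t)\right]dt = 1 + \frac{\sin(4\pi f_c T_b)}{4\pi f_c T_b}$$

The second term vanishes when $f_c T_b$ is an integer and is negligible whenever $f_c \gg 1/T_b$, which holds at the 2.4 and 5.0 GHz carriers used here. So $\varphi(t)$ has unit energy and the two BPSK waveforms are

$$s_1(t) = \sqrt{E_b}\,\varphi(t) \quad (\text{bit } 1), \qquad s_2(t) = -\sqrt{E_b}\,\varphi(t) \quad (\text{bit } 0),$$

two points $\pm\sqrt{E_b}$ on a single axis with separation $d_{\min} = 2\sqrt{E_b}$. QPSK adds a second orthonormal basis function $\psi(t) = \sqrt{2/T_s}\,\sin(2\pi f_c t)$ and places four points at $(\pm\sqrt{E_s/2},\,\pm\sqrt{E_s/2})$; at the same energy per symbol ($E_s = E_b$) the nearest-neighbour distance drops to $d_{\min} = \sqrt{2E_s}$, which is the higher symbol error rate the text refers to. The caveat to keep in mind: QPSK spends that symbol energy on two bits, so per bit ($E_b = E_s/2$) its error rate equals BPSK's, and the penalty appears only when the comparison is made at equal symbol energy.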
D. Unicasting
In the OSI model, the link layer is the second lowest layer.
This layer manages the communication protocols that operate
with devices directly connected to the host and provides unique
MAC addresses to identify network members.
We simulated the link layer by unicasting an encoded text
file between the USRP B210 and the USRP N210. Unicasting
refers to the one-to-one communication between a sender and
a receiver over a network. This represents the link layer by
producing the first data connection created between the SDRs.
Figure 3. Network packets collected by GNU Radio from genuine access points are exported to Wireshark
The initial step involved the B210 broadcasting a text file
while the N210 listened to the frequency. Once the N210
located the signal with GNU Radio, it grabbed the wirelessly
transmitted packets from the air and fed them into a Gaussian
Minimum Shift Keying (GMSK) demodulator. GMSK, a type
of continuous-phase frequency modulation, originates from
Minimum Shift Keying (MSK). It includes a modification to
smooth out the transitions between points in a constellation
graph using a Gaussian filter. Using GMSK avoids overextension
of the sidebands from the carrier. After exiting the GMSK
demodulator, the packet decoder extracted the contents of the
signal and stored them into a local, readable text file.
The next step required sending the file directly between
the B210 and the N210. To achieve this, we modified the
USRP source/sink blocks to transmit and receive only to and
from each other. Unicasting the text file avoided the obvious
downfall of broadcasting: third parties having the option to
grab the information out of the air. Fig. 4 shows this process.
E. Transceiving
The network layer and transport layer make up the third
and fourth layers of the OSI model. The network layer
is responsible for routing data across intermediate network
members, while the transport layer is in charge of Internet
protocols in end-to-end communication over a network.
The most common protocols, Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP), are vastly distinct
from one another. TCP checks for errors during transmission
by waiting for an acknowledgement from the recipient while
UDP sends data faster but without confirmation of delivery.
These deviating approaches define unique characteristics
within each protocol. TCP ensures reliability but uses larger,
slower packets while UDP fails to guarantee reception but uses
smaller and quicker packets.
We simulated the network layer by combining the reception
and transmission of network packets to build a system that
could transport information through intermediate hosts with a
maximum transmission unit (MTU) of 10 kB. We established the
transport layer by utilizing a packet data unit (PDU) socket
to determine whether a server requests a TCP or a UDP
transfer. Once formed, we successfully transceived data with
both SDRs on 2.4 and 5.0 GHz (indicated by Fig. 6). The final
step included creating an SSID and enabling a connection with
mobile devices through network management.
F. Network Management
In computer networking, most network interfaces have an
associated physical device that manages the transmission and
reception of data packets. For our simulation, we used a virtual
network interface to handle packets. Virtual network interfaces
differ from traditional interfaces by controlling packets purely
with software. Two commonly used virtual interfaces include
TUN (network tunneling) and TAP (network tapping). These
two interfaces target specific layers within the network: TUN
aims to transport IP packets within the network layer while
TAP carries Ethernet frames in the link layer, portrayed by
Fig. 5. Because of this, TUN has the ability to create point-to-point
connections and TAP broadcasts traffic to various hosts.
As a result, we use TUN for direct communication between
an RAP and hosts.
Figure 5. Illustration of the locations of TUN/TAP in the OSI layers
Figure 4. A text file’s packets collected from unicasting a textfile from the N210 to the B210 before being decoded
Figure 6. Transceiving network packets on GNU Radio with the N210
Using tunnel.py, a program located within the GNU Radio
source files, we pinged between two computers on different
networks using our SDRs. Finally, we used hostapd [18] to
broadcast the SSID to WiFi-enabled mobile devices from a
single SDR. In order to integrate hostapd with our flowgraph
in GNU Radio, we exposed the inputs and outputs of the data
stream and monitored the access point that devices connected
to.
Once we deployed our RAP, hostapd handled the three-way
handshake that Fig. 7 shows. A three-part procedure, this handshake
entails both the client and server sending synchronize
(SYN) and acknowledge (ACK) packets before establishing
a connection. After initiating the connection, we used the
N210 with GNU Radio and Wireshark to read the information
transferring between the connected devices and our RAP.
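The two virtual interfaces differ only in what they hand to the program reading them: TAP delivers Ethernet frames, TUN delivers bare IP packets, and whatever sits behind them (here the PDU socket) must then tell TCP from UDP and follow the SYN/ACK exchange of Fig. 7. The following Python parser is an added example, not part of the paper or of GNU Radio's tunnel.py; the frames, addresses, MAC addresses and the 10 kB MTU bound it uses are constructed for illustration.

```python
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}
TCP_SYN, TCP_ACK = 0x02, 0x10


def ip_checksum(header):
    """One's-complement checksum over an IPv4 header; 0 means a received header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet (no options, TTL 64) wrapping a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """TCP header with data offset 5; transport checksum left at 0 (not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_eth(dst_mac, src_mac, packet):
    """Ethernet II frame, i.e. what a TAP interface would deliver."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_tun(packet, mtu=10_000):
    """Parse what a TUN interface hands over: a bare IP packet (10 kB MTU as in the paper)."""
    if len(packet) > mtu:
        raise ValueError("packet of %d bytes exceeds MTU %d" % (len(packet), mtu))
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    body = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": PROTO_NAMES.get(proto, str(proto))}
    if proto == 6:     # TCP: the transport whose handshake the RAP must follow
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", body[:14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=off_flags & 0x1FF, payload=body[(off_flags >> 12) * 4:])
    elif proto == 17:  # UDP: no handshake, just the datagram
        sport, dport, ulen = struct.unpack("!HHH", body[:6])
        info.update(sport=sport, dport=dport, payload=body[8:ulen])
    return info


def parse_tap(frame, mtu=10_000):
    """Parse what a TAP interface hands over: an Ethernet frame around the IP packet."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    return parse_tun(frame[ETH_HDR_LEN:], mtu)


def handshake_complete(segments):
    """True once the parsed segments contain SYN, SYN-ACK, ACK with consistent sequence numbers."""
    state, client_seq, server_seq = "closed", None, None
    for s in segments:
        if s["proto"] != "tcp":
            continue
        syn, ack = bool(s["flags"] & TCP_SYN), bool(s["flags"] & TCP_ACK)
        if state == "closed" and syn and not ack:
            state, client_seq = "syn_sent", s["seq"]
        elif state == "syn_sent" and syn and ack and s["ack"] == client_seq + 1:
            state, server_seq = "syn_received", s["seq"]
        elif state == "syn_received" and ack and not syn and s["ack"] == server_seq + 1:
            return True
    return False


# Constructed capture: a client behind the RAP opens a TCP connection to port 80, then sends a UDP datagram.
CLIENT, RAP, CLIENT_MAC, RAP_MAC = "10.0.0.2", "10.0.0.1", "02:00:00:00:00:02", "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_eth(RAP_MAC, CLIENT_MAC, build_ipv4(6, CLIENT, RAP, build_tcp(40000, 80, 1000, 0, TCP_SYN))),
    build_eth(CLIENT_MAC, RAP_MAC, build_ipv4(6, RAP, CLIENT, build_tcp(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK))),
    build_eth(RAP_MAC, CLIENT_MAC, build_ipv4(6, CLIENT, RAP, build_tcp(40000, 80, 1001, 5001, TCP_ACK))),
    build_eth(RAP_MAC, CLIENT_MAC, build_ipv4(17, CLIENT, RAP, build_udp(50000, 53, b"dns?"))),
]


def analyze_tap_capture(frames):
    """Summarize a TAP-side capture: transport protocol per frame and whether a handshake completed."""
    parsed = [parse_tap(f) for f in frames]
    return {"protocols": [p["proto"] for p in parsed], "handshake": handshake_complete(parsed)}
```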
IV. EXPERIMENTAL RESULTS
Throughout our research, we found ways that a hacker
could build their own computer network modeled after the OSI
model in order to gain access to user information. We gained
an understanding of how cybercriminals deploy RAPs and the
network weaknesses they exploit. Using SDR, we successfully
recreated our own physical, link, network, and transport layers
to implement an RAP.
The RAP easily listens to user activity and extracts information
sent across its network. In our case, we evaluated our
RAP by connecting a Raspberry Pi and surfing the Internet
(i.e. visiting several sites and signing in to numerous accounts).
Figure 7. Handshake protocol between the RAP and the host
In our testing, we found that Wireshark can easily decode
login credentials on websites with poor security. Fig. 8 reveals
some of the packets we captured from http://www.ucla.edu.
According to an article published by the Center for Internet
Security, 33-59% of people use the same password for multiple
accounts [19]. The high percentage of password reuse makes
having access to just one enough for an attacker to begin
employing tactics like credential stuffing. With this strategy,
criminals seek to use information obtained from one breach
to sign into thousands of unrelated accounts [20].
V. CONCLUSION AND FUTURE WORK
Identity theft leaves victims helpless and in ruins. Online
identity thefts constitute the vast majority of all cases, yet users
rarely consider the security of information sent through open
access points. In this paper, we demonstrate a hacker’s process
for setting up an RAP to intrude on a user’s online activity.
Not only does this display the power of software-defined radio,
it also signifies a glaring security flaw in computer networks.
For the future of this project, we will incorporate the
remaining three layers (session, presentation, and application)
of the seven-layer OSI model into our recreation of an RAP.
With these layers, we can continue to analyze security flaws
that hackers exploit and learn how to defend against them.
ACKNOWLEDGEMENTS
We would like to thank Embry-Riddle Aeronautical University
and Ashok Vardhan Raja for providing mentorship during
our REU experience.
This research was supported by the National Science Foundation
under Grant No. CNS-1757781.
Figure 8. Information captured from our Raspberry Pi connected to our RAP and browsing ucla.edu
REFERENCES
[1] NY Post, "Americans Check Their Phones 80 Times a Day: Study". [Online]. Available: https://nypost.com/2017/11/08/americans-check-their-phones-80-times-a-day-study/. [Accessed: 1-Aug-2019].
[2] GNU Radio, 2019. Available: https://www.gnuradio.org
[3] GQRX, 2019. Available: http://gqrx.dk
[4] Wireless Innovation Forum, "SDR Market Size Study", wirelessinnovation.org, 2011. [Online]. Available: https://www.wirelessinnovation.org/assets/documents/mexp-sdr-11%20final.pdf
[5] "Airport Networks Are Putting Your Devices & Cloud Apps At Severe Risk", Coronet, 2018. [Online]. Available: https://www.coro.net/wp-content/uploads/2018/08/Coronet Cyber-Insecure-Airports.pdf. [Accessed: 1-Jul-2019].
[6] J. Wang, N. Juarez, E. Kohm, Y. Liu, J. Yuan and H. Song, "Integration of SDR and UAS for Malicious Wi-Fi Hotspots Detection," 2019 Integrated Communications, Navigation and Surveillance Conference (ICNS), Herndon, VA, USA, 2019, pp. 1-8. doi:10.1109/ICNSURV.2019.8735296. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8735296&isnumber=8735100
[7] E. Gardner, "Is airport public Wi-Fi cyber-secure?", Airport Technology, 2018. [Online]. Available: https://www.airport-technology.com/features/airport-public-wi-fi-cyber-secure/. [Accessed: 19-Jul-2019].
[8] Identity Theft Center, "2017 Annual Data Breach Year End Review", Idtheftcenter.org, 2018. [Online]. Available: https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYearEndReview.pdf. [Accessed: 12-Jul-2019].
[9] C. Yang, Y. Song, and G. Gu, "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques," IEEE Transactions on Information Forensics and Security, vol. 7, no. 5, pp. 1638-1651, Sept. 2012.
[10] M. Agarwal, S. Biswas, and S. Nandi, "An Efficient Scheme to Detect Evil Twin Rogue Access Point Attack in 802.11 Wi-Fi Networks," International Journal of Wireless Information Networks, vol. 25, no. 2, pp. 130-145, Mar. 2018.
[11] B. Bloessl, M. Segata, C. Sommer, and F. Dressler, "An IEEE 802.11a/g/p OFDM Receiver for GNU Radio", 2019 Special Interest Group on Data Communication (SIGCOMM), Hong Kong, 2013, pp. 9-16. doi:10.1145/2491246.2491248. URL: https://homepages.dcc.ufmg.br/~mmvieira/cc/papers/OFDM%20receiver%20GNU%20Radio.pdf
[12] Raspberry Pi 3 Model B, 2019. Available: https://www.raspberrypi.org/products/raspberry-pi-3-model-b/
[13] USRP B210. Available: http://files.ettus.com/manual/page_usrp_b200.html
[14] USRP N210. Available: http://files.ettus.com/manual/page_usrp2.html
[15] Wireshark, 2019. Available: https://www.wireshark.org
[16] B. Bloessl, gr-foo, 2014. Available: https://github.com/bastibl/gr-foo
[17] B. Bloessl, IEEE 802.11 a/g/p Transceiver, 2014. Available: https://github.com/bastibl/gr-ieee802-11
[18] hostapd, 2019. Available: https://w1.fi/hostapd/
[19] Center for Internet Security, "Reusing Passwords on Multiple Sites". [Online]. Available: https://www.cisecurity.org/blog/reusing-passwords-on-multiple-sites/. [Accessed: 31-Jul-2019].
[20] Cloudflare, "What Is Credential Stuffing?". [Online]. Available: https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/. [Accessed: 31-Jul-2019].

More Related Content

PDF
Linked in researchpaper
PDF
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
PDF
Iaetsd cyber crimeand
PDF
CYBER AWARENESS
DOCX
Insider Attacks: Theft of Intellectual and Proprietary Data
PDF
Rpt paradigm shifts
PDF
Rpt paradigm shifts
PDF
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Linked in researchpaper
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Iaetsd cyber crimeand
CYBER AWARENESS
Insider Attacks: Theft of Intellectual and Proprietary Data
Rpt paradigm shifts
Rpt paradigm shifts
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011

What's hot (19)

PPSX
Unit 2
PPTX
GovSec Joyal New Threat Matrix
PPTX
Emerging Threats to Digital Payments - Is Your Business Ready
PDF
A Joint Study by National University of Singapore and IDC
PDF
SEO2India - Cyber crime
PDF
5 main trends in cyber security for 2020
PDF
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
PPTX
220715_Cybersecurity: What's at stake?
PDF
NAGTRI Journal Article
PDF
RSA Monthly Online Fraud Report -- February 2014
 
PDF
Cybercrimeandforensic 120828021931-phpapp02
PDF
2015 Global Threat Intelligence Report Executive Summary | NTT i3
DOCX
2 phishing
PDF
C018131821
PDF
EXPLORING HISTORICAL AND EMERGING PHISHING TECHNIQUES AND MITIGATING THE ASSO...
PPTX
Security weekly september 28 october 4, 2021
DOCX
E crime thesis Cyber Crime and its several types
DOCX
Report of android hacking
DOCX
Cyber crime
Unit 2
GovSec Joyal New Threat Matrix
Emerging Threats to Digital Payments - Is Your Business Ready
A Joint Study by National University of Singapore and IDC
SEO2India - Cyber crime
5 main trends in cyber security for 2020
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
220715_Cybersecurity: What's at stake?
NAGTRI Journal Article
RSA Monthly Online Fraud Report -- February 2014
 
Cybercrimeandforensic 120828021931-phpapp02
2015 Global Threat Intelligence Report Executive Summary | NTT i3
2 phishing
C018131821
EXPLORING HISTORICAL AND EMERGING PHISHING TECHNIQUES AND MITIGATING THE ASSO...
Security weekly september 28 october 4, 2021
E crime thesis Cyber Crime and its several types
Report of android hacking
Cyber crime
Ad

Similar to Analysis of Rogue Access Points using Software-Defined Radio (20)

PDF
Ransomware-as-a-Service: The business of distributing cyber attacks
DOCX
Discuss similarities and differences between and Trojan.docx
PDF
PDF
China Cyber
PDF
F5 Hero Asset - Inside the head of a Hacker Final
DOCX
Journal of Computer and System Sciences 80 (2014) 973–993Con
DOCX
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
PDF
How Safe is your Data?
PPTX
cyber crime
PDF
The Current State of Cybercrime 2014
 
PDF
Invesitigation of Malware and Forensic Tools on Internet
PPTX
PP Lec15n16 Sp2020.pptx
PPTX
Professional Practices PPT Slide on Chapter 5: Crime
PDF
Cyber crime
PDF
Ransomware: Attack, Human Impact and Mitigation
DOCX
A report on cyber Crime
PPTX
Cybercrime
PPT
cyber terrorism
PPT
cyber terrorism
PPT
Trends in network security feinstein - informatica64
Ransomware-as-a-Service: The business of distributing cyber attacks
Discuss similarities and differences between and Trojan.docx
China Cyber
F5 Hero Asset - Inside the head of a Hacker Final
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
How Safe is your Data?
cyber crime
The Current State of Cybercrime 2014
 
Invesitigation of Malware and Forensic Tools on Internet
PP Lec15n16 Sp2020.pptx
Professional Practices PPT Slide on Chapter 5: Crime
Cyber crime
Ransomware: Attack, Human Impact and Mitigation
A report on cyber Crime
Cybercrime
cyber terrorism
cyber terrorism
Trends in network security feinstein - informatica64
Ad

Recently uploaded (20)

PPTX
Slides PPTX: World Game (s): Eco Economic Epochs.pptx
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
PPTX
Internet Safety for Seniors presentation
PPTX
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
PDF
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
PPTX
Introduction to cybersecurity and digital nettiquette
PPTX
IPCNA VIRTUAL CLASSES INTERMEDIATE 6 PROJECT.pptx
PDF
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
PDF
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
PDF
Introduction to the IoT system, how the IoT system works
PPTX
artificial intelligence overview of it and more
PDF
Slides PDF: The World Game (s) Eco Economic Epochs.pdf
PPTX
artificialintelligenceai1-copy-210604123353.pptx
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
PPTX
SAP Ariba Sourcing PPT for learning material
PDF
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
PDF
Uptota Investor Deck - Where Africa Meets Blockchain
PPTX
Layers_of_the_Earth_Grade7.pptx class by
Slides PPTX: World Game (s): Eco Economic Epochs.pptx
Design_with_Watersergyerge45hrbgre4top (1).ppt
Internet Safety for Seniors presentation
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
Power Point - Lesson 3_2.pptx grad school presentation
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
Introduction to cybersecurity and digital nettiquette
IPCNA VIRTUAL CLASSES INTERMEDIATE 6 PROJECT.pptx
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
Introduction to the IoT system, how the IoT system works
artificial intelligence overview of it and more
Slides PDF: The World Game (s) Eco Economic Epochs.pdf
artificialintelligenceai1-copy-210604123353.pptx
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
SAP Ariba Sourcing PPT for learning material
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
Uptota Investor Deck - Where Africa Meets Blockchain
Layers_of_the_Earth_Grade7.pptx class by

Analysis of Rogue Access Points using Software-Defined Radio

  • 1. Analysis of Rogue Access Points using SDR Juan C. Rios Department of Electrical and Computer Engineering University of California, Los Angeles Los Angeles, CA 90095 USA jcrios@ucla.edu Charles Mercenit Department of Math and Computer Science Stetson University DeLand, FL 32723 USA ccmercenit@stetson.edu Yongxin Liu Department of Electrical, Computer Software and Systems Engineering Embry-Riddle Aeronautical University Daytona Beach, FL 32114 USA liuy11@my.erau.edu Jian Wang Department of Electrical, Computer Software and Systems Engineering Embry-Riddle Aeronautical University Daytona Beach, FL 32114 USA WANGJ14@my.erau.edu Jiawei Yuan Department of Electrical, Computer Software and Systems Engineering Embry-Riddle Aeronautical University Daytona Beach, FL 32114 USA yuanj@erau.edu Houbing Song Department of Electrical, Computer Software and Systems Engineering Embry-Riddle Aeronautical University Daytona Beach, FL 32114 USA h.song@ieee.org Abstract — When people connect to the Internet with their mobile devices, they do not often think about the security of their data; however, the prevalence of rogue access points has taken advantage of a false sense of safety in unsuspecting victims. This paper analyzes the methods an attacker would use to create rogue WiFi access points using software-defined radio (SDR). To construct a rogue access point, a few essential layers of WiFi need simulation: the physical layer, link layer, network layer, and transport layer. Radio waves carrying WiFi packets, transmitted between two Universal Software Radio Peripherals (USRPs), emulate the physical layer. The link layer consists of the connection between those same USRPs communicating directly to each other, and the network layer expands on this communication by using the network tunneling/network tapping (TUN/TAP) interfaces to tunnel IP packets between the host and the access point. 
In the end, we found that creating a rogue access point and capturing the stream of data from a fabricated “victim” on the Internet was effective and cheap, with SDRs as inexpensive as $20 USD. Our work aims to expose how a cybercriminal could carry out such an attack so that it can be prevented and defended against in the future.

I. INTRODUCTION

Mobile devices have made an on-the-go connection to the Internet a necessity; with social media deeply integrated into modern society and cell phones dominating human attention, most people check their phones numerous times each day [1]. This raises an issue that users hardly consider when looking for public WiFi access points: their own security. When connecting to free WiFi access points, users rarely think of encrypting their connection with a virtual private network (VPN) and run the risk of unintentionally connecting to a rogue access point (RAP). An RAP is an access point deployed by an attacker with the intent of siphoning sensitive information from those who connect to it. One of the many ways an RAP can be deployed uses software-defined radio (SDR). The flexibility of SDR is a strong advantage over traditional radio hardware: a single device can take the place of expensive physical components (mixers, filters, amplifiers, modulators/demodulators, and detectors), with the signal processing done in software such as GNU Radio [2] and GQRX [3]. Though still a young technology, SDR has proven revolutionary for various agencies, organizations, and corporations: the U.S. military has used SDR in its tactical radios, the satellite communications business has adopted SDR to ease the difficulty of changing hardware in orbit, and the mobile infrastructure market has incorporated SDR to build faster and more flexible networks [4]. Despite SDR's tremendous potential for legitimate applications, individuals with malicious intent have found ways to exploit its capabilities. With SDR, a criminal can communicate with mobile devices and inconspicuously extract information that the victim believed was travelling safely to the server. This level of anonymity is especially dangerous because such attacks often take place in crowded public places (a metropolitan city, a concert, a shopping mall, an airport, etc.). In 2018, cybersecurity experts at Coronet reported that airports were the locations most likely to come under attack by cybercriminals. They also found that the San Diego International Airport hosted an RAP with the service set identifier (SSID) #SANfreewifi that ran Address Resolution Protocol (ARP) poisoning attacks; ARP poisoning corrupts the IP-to-MAC address mappings in victims' ARP caches so that their traffic is delivered directly to the attacker. Coronet disclosed that each passenger had a 30% chance of connecting to a
medium-risk network and an 11% chance of connecting to a high-risk network [5] at this airport alone. To make matters worse, the cost of setting up an RAP falls below $100 USD [6] thanks to open-source software and legally purchasable hardware. For example, many of the methods we followed can be reproduced with GNU Radio, Wireshark, and an RTL-SDR, which brings the total cost to around $30 USD. This kind of attack has become a frightening reality with a large potential payoff for the attacker. Victims of identity theft spend a tremendous amount of time under emotional stress and financial burden while trying to prove their innocence. Often, victims never recover their assets, leaving them with wasted time, lost wages, and drained bank accounts. Beyond personal information, criminals also have within reach sensitive business documents belonging to business travellers and classified intelligence belonging to government officials. In the wrong hands, this information can have catastrophic consequences: bankrupt companies and national security incidents [7]. These consequences, combined with the vast number of public WiFi access points, show how little the average person can do to determine whether an access point is legitimate, which makes the public an easy target. Society as a whole will benefit from improved methods for detecting these crimes, and our paper aims to aid the research and development of such detection and prevention systems by revealing the methods attackers use. The remainder of this paper is organized as follows: Section II presents related work; our research plan, methods, and tools are presented in Section III; Section IV explains our experimental results; finally, Section V concludes the paper.

II. RELATED WORKS

The average person assumes an access point is secure and remains unaware of the danger that could lie behind it, which makes detecting RAPs, and researching and discussing them, all the more important. To aid this discussion we take the opposing approach and disclose how an attacker would launch these attacks. Understanding these threats from both sides matters because the growing base of Internet users fuels the growth of identity theft worldwide. In 2017, the United States Identity Theft Resource Center reported 1,579 data breaches with 178,955,069 records exposed. Of these, digital attacks (phishing, ransomware/malware, skimming, RAPs) accounted for 940 of the breaches (59.5%) and 167,549,245 of the exposed records (93.6%) [8]. The Internet is thus not only where most identity theft in the United States takes place but also the most efficient attack channel available to cybercriminals. Fig. 1 depicts a rudimentary explanation of how network packets are stolen.

Figure 1. A simplified version of the attack

RAPs are a common means of harvesting sensitive information. An RAP is an access point whose SSID resembles that of a well-established, reputable access point nearby (e.g. an RAP named “iHop Free WiFi” next to a legitimate iHop WiFi protected by a WPA2 key). This baits users into connecting to the RAP, and network packets containing sensitive information (usernames, passwords, credit card numbers, etc.) begin to flow to the attacker for decoding. Currently, limited work exists on detecting the evolving rogue WiFi access point technology built with SDR. Some work relies on detecting and measuring signal strength [6], while other papers use established intrusion detection system (IDS) approaches such as statistical analysis [9], wireless traffic monitoring, and feature extraction/timing-based solutions [10].
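The evil-twin pattern just described (a lookalike SSID, usually open, sitting next to a legitimate WPA2 network) and the signal-strength and feature-based detection work cited in [6], [9] and [10] can be illustrated with a small client-side check. The following Python is an added example, not code from this paper or from the cited works. It runs over a constructed scan table (SSID, BSSID, channel, RSSI, security) and flags a BSSID when the same SSID is advertised both open and secured, when its vendor OUI differs from the other access points carrying that SSID, when its MAC address is locally administered (the kind of address a software-defined or hotspot AP typically uses instead of a vendor-assigned one), or when it is markedly stronger than its siblings. The rule set and the 15 dB threshold are the example's own heuristics.

```python
"""Client-side evil-twin screening over a Wi-Fi scan (added example)."""
from collections import Counter, defaultdict
from statistics import median

# Constructed scan results: (ssid, bssid, channel, rssi_dBm, security).
# The second "iHop Free WiFi" entry and the third "Airport_WiFi" entry are
# the rogue candidates planted in this sample.
SCAN = [
    ("iHop Free WiFi", "a4:56:30:11:22:33", 6, -48, "WPA2"),
    ("iHop Free WiFi", "02:1a:2b:3c:4d:5e", 6, -31, "OPEN"),
    ("Airport_WiFi", "00:1b:2c:aa:bb:cc", 1, -60, "OPEN"),
    ("Airport_WiFi", "00:1b:2c:aa:bb:cd", 11, -62, "OPEN"),
    ("Airport_WiFi", "0e:1b:2c:aa:bb:cc", 1, -40, "OPEN"),
    ("#SANfreewifi", "0a:11:22:33:44:55", 6, -50, "OPEN"),
]


def is_locally_administered(bssid):
    """Bit 1 of the first octet set: the address was not assigned by a vendor."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def oui(bssid):
    """Vendor prefix (first three octets) of a MAC address."""
    return bssid.lower()[:8]


def find_evil_twins(scan, rssi_gap_db=15):
    """Return {bssid: [reasons]} for APs that look like lookalikes of another AP.

    Only SSIDs seen from more than one BSSID are examined: a lone AP gives
    nothing to compare against. Each rule is a heuristic and a single hit is
    weak evidence; several hits on one BSSID are worth walking away from.
    """
    by_ssid = defaultdict(list)
    for rec in scan:
        by_ssid[rec[0]].append(rec)

    findings = {}
    for aps in by_ssid.values():
        if len(aps) < 2:
            continue
        secured = any(sec != "OPEN" for _, _, _, _, sec in aps)
        oui_counts = Counter(oui(bssid) for _, bssid, _, _, _ in aps)
        majority_oui, majority_n = oui_counts.most_common(1)[0]

        for _, bssid, _, rssi, sec in aps:
            reasons = []
            # Same SSID offered both with WPA2 and open: the open one is the bait.
            if sec == "OPEN" and secured:
                reasons.append("open_vs_secured")
            # Enterprise deployments reuse one vendor OUI across their APs;
            # an odd one out is suspicious (only judged when a majority exists).
            if majority_n > 1 and oui(bssid) != majority_oui:
                reasons.append("oui_mismatch")
            if is_locally_administered(bssid):
                reasons.append("locally_administered")
            # Much stronger than the other APs of the same SSID: a nearby
            # transmitter is the cheapest way to win the client's choice.
            others = [r for _, b, _, r, _ in aps if b != bssid]
            if rssi - median(others) >= rssi_gap_db:
                reasons.append("rssi_outlier")
            if reasons:
                findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SCAN).items():
        print(bssid, ", ".join(reasons))
```

On the sample, only the two planted BSSIDs are reported; the second legitimate "Airport_WiFi" radio, which shares the vendor OUI and a similar signal level, passes. On a real client the scan table would come from the operating system's scan results, and an allowlist of known-good BSSIDs for venues you visit often is the natural next refinement.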
However, hardly any published work explains how an attacker would deploy such an attack using SDR. Much of our work builds on the paper by B. Bloessl et al. [11]: using the techniques outlined there for building an orthogonal frequency-division multiplexing (OFDM) receiver in GNU Radio, we created a receiver and transmitter with SDR to mimic an RAP.

III. PLAN, METHOD, TOOLS, ETC.

A. Plan

We attempt to recreate the system an attacker would use in order to experience and understand the process an attack could follow. Our final objective is to manufacture a “victim” by connecting a Raspberry Pi [12] to our RAP and then capturing all of the traffic it generates. By simulating the victim this way, we can examine each of the Open Systems Interconnection (OSI) layers the attack passes through. The first step in building this model is receiving and transmitting with our USRP B210 [13] and USRP N210 [14] to establish the physical layer. After that, unicasting between the USRPs becomes the next task; a successful unicast shows that the link layer is in place. Finally, using the USRPs to transceive data establishes the network and transport layers, and our RAP is effectively deployed.

B. Reception

We began by analyzing FM radio waves with GNU Radio. After constructing a flowgraph for listening to the radio, our first major goal was capturing network packets from genuine WiFi spectrum. Fig. 2 shows how we analyzed the 2.4 and 5.0 GHz bands and observed the multitude of network packets in the air using a waterfall graph.
Figure 2. Waterfall graph illustrating network packets (the “hotspots” in the graph) corresponding to a frequency in the 802.11g spectrum

Reading these packets required Wireshark [15] and a Wireshark connection block provided by the GitHub repository gr-foo [16]; combining these allowed us to analyze the network packets that our SDR captured with GNU Radio. After implementing this, we could inspect the packets transported through the network and captured by GNU Radio. Fig. 3 displays some of the network packets we captured in Wireshark. With the reception phase of the project established, our next step was transmission.

C. Transmission

The physical layer, the lowest layer in computer networking, defines the hardware used to physically connect computers together. In our case, it consists of the radio waves that carry data between our SDRs. We began by attempting to transmit an audio file to a nearby FM radio. Using a .wav file and a wide-band FM transmission block, we converted the audio signal to a radio signal and fed it into a rational resampler to raise the sample rate to what the USRP sink expects. The signal then passed through the USRP sink, the last step in transmitting the .wav file, before being picked up by the radio. After this transmission succeeded, we began to apply the same system to WiFi signals. Building on the IEEE 802.11 a/g/p module [17] created by B. Bloessl, we captured network packets from the 2.4 and 5.0 GHz WiFi bands. To pinpoint which frequency our system should listen to, we used GNU Radio to specify the physical medium and the phase-shift keying that the physical layer requires. For our specific case, we elected to analyze both 2.4 GHz (802.11g) and 5.0 GHz (802.11a) signals using the simplest 802.11a/g subcarrier modulation, binary phase-shift keying (BPSK, the 6 and 9 Mbit/s rates), rather than quadrature phase-shift keying (QPSK).
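To make the BPSK choice concrete, here is an added example in Python (not code from the paper or from gr-ieee802-11). It implements the BPSK basis function φ(t) = √(2/Tb)·cos(2πfc t), confirms numerically that it has unit energy over one bit period, modulates a bit string as ±√Eb·φ(t), recovers the bits with a correlator in the presence of Gaussian noise, and compares the minimum distance between constellation points for BPSK and QPSK at equal symbol energy, which is the quantitative reason a QPSK symbol is more error-prone than a BPSK symbol at a given signal-to-noise ratio. The carrier (four cycles per bit), sample count, bit energy and noise level are the example's own choices; real 802.11 OFDM applies this per subcarrier on top of an FFT, which the example does not attempt.

```python
"""BPSK basis function, correlator demodulation and constellation distance
(added example; the parameters below are illustrative, not the paper's)."""
import math
import random

T_B = 1.0            # bit period (arbitrary time units)
F_C = 4.0 / T_B      # carrier: an integer number of cycles per bit
SPB = 256            # samples per bit for the discrete-time simulation


def phi(t, fc=F_C, tb=T_B):
    """BPSK basis function: phi(t) = sqrt(2/Tb) cos(2 pi fc t)."""
    return math.sqrt(2.0 / tb) * math.cos(2.0 * math.pi * fc * t)


def basis_energy(fc=F_C, tb=T_B, n=SPB):
    """Midpoint-rule integral of phi(t)^2 over one bit period; should be 1."""
    dt = tb / n
    return sum(phi((i + 0.5) * dt, fc, tb) ** 2 * dt for i in range(n))


def bpsk_modulate(bits, eb=1.0, fc=F_C, tb=T_B, spb=SPB):
    """Bit 1 -> +sqrt(Eb) phi(t), bit 0 -> -sqrt(Eb) phi(t), one period per bit."""
    dt = tb / spb
    amp = math.sqrt(eb)
    return [(amp if b else -amp) * phi((i + 0.5) * dt, fc, tb)
            for b in bits for i in range(spb)]


def add_awgn(samples, sigma, seed=7):
    """Add Gaussian noise with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def bpsk_demodulate(samples, fc=F_C, tb=T_B, spb=SPB):
    """Correlate each bit period with phi(t); the sign of the integral is the bit."""
    dt = tb / spb
    bits = []
    for k in range(len(samples) // spb):
        corr = sum(samples[k * spb + i] * phi((i + 0.5) * dt, fc, tb) * dt
                   for i in range(spb))
        bits.append(1 if corr > 0.0 else 0)
    return bits


def min_distance(points):
    """Smallest Euclidean distance between any two constellation points."""
    return min(math.dist(p, q)
               for i, p in enumerate(points) for q in points[i + 1:])


# Unit-energy constellations: BPSK on the real axis, QPSK on the unit circle.
BPSK_POINTS = [(1.0, 0.0), (-1.0, 0.0)]
QPSK_POINTS = [(math.cos(a), math.sin(a))
               for a in (math.pi / 4, 3 * math.pi / 4, 5 * math.pi / 4, 7 * math.pi / 4)]


def roundtrip(bits, sigma=0.5):
    """Modulate, add noise, demodulate; returns the recovered bits."""
    return bpsk_demodulate(add_awgn(bpsk_modulate(bits), sigma))


if __name__ == "__main__":
    print("energy of phi over Tb:", round(basis_energy(), 6))
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    print("sent", data, "got", roundtrip(data))
    print("min distance BPSK %.3f  QPSK %.3f"
          % (min_distance(BPSK_POINTS), min_distance(QPSK_POINTS)))
```

The correlator integrates the noisy signal against φ(t) over each bit period, so the decision statistic is ±√Eb plus noise whose variance shrinks with the integration; that is why the bits survive a per-sample noise level comparable to the signal. At equal symbol energy the BPSK points are 2 apart while the QPSK points are only √2 apart, which is the geometric content of the statement that QPSK trades a second bit per symbol for a higher symbol error rate.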
BPSK is the simplest way to encode data, transmitting one bit per symbol, while QPSK carries two bits per symbol; this higher rate comes at the price of a higher probability of symbol errors at the same signal-to-noise ratio, because the QPSK constellation points lie closer together. Eqn. 1 gives the basis function of the BPSK signal space:

$$\phi(t) = \sqrt{\frac{2}{T_b}}\,\cos(2\pi f_c t), \qquad 0 \le t < T_b \qquad (1)$$

where $T_b$ is the bit duration and $f_c$ the carrier frequency.

D. Unicasting

In the OSI model, the link layer is the second lowest layer. It manages the protocols for communicating with devices directly connected to the host and uses unique MAC addresses to identify network members. We simulated the link layer by unicasting an encoded text file between the USRP B210 and the USRP N210. Unicasting refers to one-to-one communication between a sender and a receiver over a network; it represents the link layer because it is the first data connection created between the SDRs.

Figure 3. Network packets collected by GNU Radio from genuine access points are exported to Wireshark
The initial step involved the B210 broadcasting a text file while the N210 listened on the frequency. Once the N210 located the signal with GNU Radio, it pulled the wirelessly transmitted packets from the air and fed them into a Gaussian Minimum Shift Keying (GMSK) demodulator. GMSK, a form of continuous-phase frequency modulation, is derived from Minimum Shift Keying (MSK) by adding a Gaussian pre-filter that smooths the transitions between constellation points; the filtering confines the spectrum and limits the sidebands around the carrier. After the GMSK demodulator, the packet decoder extracted the contents of the signal and stored them in a local, readable text file. The next step was sending the file directly between the B210 and the N210. To achieve this, we modified the USRP source/sink blocks so that they transmitted and received only to and from each other. Unicasting the text file avoids the obvious drawback of broadcasting, in which every third party is an intended recipient. Note, however, that radio remains a shared medium: unicast addressing only tells other stations to discard the frame, and a passive receiver tuned to the same channel still captures it, which is exactly what an RAP relies on. Fig. 4 shows this process.

E. Transceiving

The network layer and transport layer make up the third and fourth layers of the OSI model. The network layer is responsible for routing data across intermediate network members, while the transport layer provides end-to-end communication between applications over the network. The two most common transport protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), are quite different. TCP establishes a connection, numbers its segments, and waits for acknowledgements so that lost data is retransmitted, while UDP sends datagrams without any confirmation of delivery. These approaches give each protocol its character: TCP ensures reliable, ordered delivery at the cost of connection setup and header overhead, while UDP does not guarantee reception but has smaller headers and lower latency.
We simulated the network layer by combining the reception and transmission of network packets into a system that could carry information through intermediate hosts with a maximum transmission unit (MTU) of 10 kB. We established the transport layer by using a protocol data unit (PDU) socket to determine whether a server requests a TCP or a UDP transfer. Once this was in place, we successfully transceived data between the two SDRs on both 2.4 and 5.0 GHz (Fig. 6). The final step was creating an SSID and enabling connections from mobile devices through network management.

F. Network Management

In computer networking, most network interfaces have an associated physical device that handles the transmission and reception of packets. For our simulation, we used a virtual network interface to handle packets instead. Virtual network interfaces differ from traditional ones in that packets are handled purely in software. Two commonly used virtual interfaces are TUN (network tunnel) and TAP (network tap). They attach at different layers: TUN carries IP packets at the network layer, while TAP carries Ethernet frames at the link layer, as Fig. 5 shows. Because of this, TUN naturally forms point-to-point connections, whereas TAP behaves like an Ethernet segment and can carry broadcast traffic to multiple hosts. We therefore use TUN for direct communication between the RAP and hosts.

Figure 4. A text file’s packets collected from unicasting the file from the N210 to the B210, before decoding

Figure 5. Illustration of the locations of TUN/TAP in the OSI layers
Figure 6. Transceiving network packets on GNU Radio with the N210

Using tunnel.py, a program shipped with the GNU Radio source, we pinged between two computers on different networks through our SDRs. Finally, we used hostapd [18] to broadcast the SSID to WiFi-enabled mobile devices from a single SDR. To integrate hostapd with our flowgraph in GNU Radio, we exposed the inputs and outputs of the data stream and monitored the access point that devices connected to. Once the RAP was deployed, hostapd handled the 802.11 authentication and association of each client; the TCP three-way handshake shown in Fig. 7 then set up each connection between the client and a server, with the client sending a synchronize (SYN) segment, the server answering with SYN-ACK, and the client completing the exchange with an acknowledgement (ACK). After the connection was initiated, we used the N210 with GNU Radio and Wireshark to read the information passing between the connected devices and our RAP.

IV. EXPERIMENTAL RESULTS

Throughout our research, we found ways that an attacker could build their own network, modelled on the OSI layers, to gain access to user information. We gained an understanding of how cybercriminals deploy RAPs and the network weaknesses they exploit. Using SDR, we successfully recreated the physical, link, network, and transport layers to implement an RAP. The RAP easily listens to user activity and extracts information sent across its network. We evaluated our RAP by connecting a Raspberry Pi and browsing the Internet (visiting several sites and signing in to numerous accounts).

Figure 7. Handshake protocol between the RAP and the host

In our testing, we found that Wireshark can easily decode login credentials on websites with poor security, that is, sites that still submit login forms over plain HTTP; credentials sent over HTTPS remain encrypted end to end, and a passive RAP sees only the TLS handshake and ciphertext. Fig. 8 shows some of the packets we captured from http://www.ucla.edu. According to an article published by the Center for Internet Security, 33-59% of people use the same password for multiple accounts [19].
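What the RAP actually sees on its TUN interface, and why the qualifier about poor security matters, can be shown with an added Python example (not the paper's code, and not what Wireshark does internally). A TUN device hands the program raw IP packets with no Ethernet header, so the code parses the IPv4 and TCP headers and, for a clear-text HTTP POST with a form-encoded body, pulls out the submitted fields; for a TLS connection to port 443 the same payload position holds a handshake record and ciphertext, and nothing is recovered. Both packets are constructed inline with struct (checksums left at zero, which the parser does not verify), and the list of field names treated as credentials is the example's own.

```python
"""Parse raw IP packets as read from a TUN interface and pull clear-text
HTTP form logins out of them (added example; packets constructed inline)."""
import struct
from urllib.parse import parse_qs

CREDENTIAL_KEYS = {"user", "username", "login", "email",
                   "pass", "password", "passwd", "pwd"}


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet for testing; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_tun_packet(pkt):
    """IPv4/TCP only: return addresses, ports and the TCP payload, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < total:       # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                  # TCP data offset in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[doff:]}


def extract_form_login(payload):
    """Credential fields of a clear-text, form-encoded HTTP POST, else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    ctype = b""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().lower()
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return None
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_KEYS} or None


def harvest(packets):
    """Run every packet through the parsers; one record per exposed login."""
    found = []
    for pkt in packets:
        info = parse_tun_packet(pkt)
        if info is None:
            continue
        creds = extract_form_login(info["payload"])
        if creds:
            found.append((info["src"], info["dst"], info["dport"], creds))
    return found


# Constructed traffic as it would arrive on the RAP's TUN device: one login
# over plain HTTP and one TLS ClientHello-style record to port 443.
HTTP_POST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2")
TLS_RECORD = bytes.fromhex("160301002a0100002603030102030405") + b"\x00" * 16
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.2", "203.0.113.10", 51000, 80, HTTP_POST),
    build_ipv4_tcp("10.0.0.2", "203.0.113.10", 51001, 443, TLS_RECORD),
]

if __name__ == "__main__":
    for src, dst, port, creds in harvest(SAMPLE_PACKETS):
        print(f"{src} -> {dst}:{port} {creds}")
```

The HTTP packet yields the username and password; the TLS packet parses as a valid TCP segment to port 443 but contributes nothing, which is the whole argument for HTTPS (and HSTS, so a first request cannot be downgraded) against a passive RAP. The interactive equivalent in Wireshark is the display filter `http.request.method == "POST"` on the same capture.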
Such widespread password reuse means that access to just one password is enough for an attacker to begin employing tactics like credential stuffing, in which criminals use credentials obtained from one breach to sign in to thousands of unrelated accounts [20].

V. CONCLUSION AND FUTURE WORK

Identity theft leaves victims helpless and in ruins. Online identity theft constitutes the vast majority of all cases, yet users rarely consider the security of information sent through open access points. In this paper, we demonstrate an attacker's process for setting up an RAP to intrude on a user's online activity. This not only displays the power of software-defined radio, it also highlights a glaring security weakness in everyday network use. In future work, we will incorporate the remaining three layers (session, presentation, and application) of the seven-layer OSI model into our recreation of an RAP. With these layers, we can continue to analyze the security flaws that attackers exploit and learn how to defend against them.

ACKNOWLEDGEMENTS

We would like to thank Embry-Riddle Aeronautical University and Ashok Vardhan Raja for providing mentorship during our REU experience. This research was supported by the National Science Foundation under Grant No. CNS-1757781.
Figure 8. Information captured from our Raspberry Pi connected to our RAP and browsing ucla.edu

REFERENCES

[1] NY Post, “Americans Check Their Phones 80 Times a Day: Study”. [Online]. Available: https://nypost.com/2017/11/08/americans-check-their-phones-80-times-a-day-study/. [Accessed: 1-Aug-2019].
[2] GNU Radio, 2019. [Online]. Available: https://www.gnuradio.org
[3] GQRX, 2019. [Online]. Available: http://gqrx.dk
[4] Wireless Innovation Forum, “SDR Market Size Study”, wirelessinnovation.org, 2011. [Online]. Available: https://www.wirelessinnovation.org/assets/documents/mexp-sdr-11%20final.pdf
[5] Coronet, “Airport Networks Are Putting Your Devices & Cloud Apps At Severe Risk”, 2018. [Online]. Available: https://www.coro.net/wp-content/uploads/2018/08/Coronet Cyber-Insecure-Airports.pdf. [Accessed: 1-Jul-2019].
[6] J. Wang, N. Juarez, E. Kohm, Y. Liu, J. Yuan and H. Song, “Integration of SDR and UAS for Malicious Wi-Fi Hotspots Detection,” in Proc. 2019 Integrated Communications, Navigation and Surveillance Conference (ICNS), Herndon, VA, USA, 2019, pp. 1-8. doi:10.1109/ICNSURV.2019.8735296. [Online]. Available: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8735296&isnumber=8735100
[7] E. Gardner, “Is airport public Wi-Fi cyber-secure?”, Airport Technology, 2018. [Online]. Available: https://www.airport-technology.com/features/airport-public-wi-fi-cyber-secure/. [Accessed: 19-Jul-2019].
[8] Identity Theft Resource Center, “2017 Annual Data Breach Year End Review”, idtheftcenter.org, 2018. [Online]. Available: https://www.idtheftcenter.org/images/breach/2017 Breaches/2017AnnualDataBreachYearEndReview.pdf. [Accessed: 12-Jul-2019].
[9] C. Yang, Y. Song and G. Gu, “Active User-Side Evil Twin Access Point Detection Using Statistical Techniques,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 5, pp. 1638-1651, Sep. 2012.
[10] M. Agarwal, S. Biswas and S. Nandi, “An Efficient Scheme to Detect Evil Twin Rogue Access Point Attack in 802.11 Wi-Fi Networks,” International Journal of Wireless Information Networks, vol. 25, no. 2, pp. 130-145, Mar. 2018.
[11] B. Bloessl, M. Segata, C. Sommer and F. Dressler, “An IEEE 802.11a/g/p OFDM Receiver for GNU Radio,” in Proc. ACM SIGCOMM Workshop on Software Radio Implementation Forum (SRIF), Hong Kong, 2013, pp. 9-16. doi:10.1145/2491246.2491248. [Online]. Available: https://homepages.dcc.ufmg.br/mmvieira/cc/papers/OFDM%20receiver%20GNU%20Radio.pdf
[12] Raspberry Pi 3 Model B, 2019. [Online]. Available: https://www.raspberrypi.org/products/raspberry-pi-3-model-b/
[13] USRP B210. [Online]. Available: http://files.ettus.com/manual/page_usrp_b200.html
[14] USRP N210. [Online]. Available: http://files.ettus.com/manual/page_usrp2.html
[15] Wireshark, 2019. [Online]. Available: https://www.wireshark.org
[16] B. Bloessl, gr-foo, 2014. [Online]. Available: https://github.com/bastibl/gr-foo
[17] B. Bloessl, IEEE 802.11 a/g/p Transceiver, 2014. [Online]. Available: https://github.com/bastibl/gr-ieee802-11
[18] hostapd, 2019. [Online]. Available: https://w1.fi/hostapd/
[19] Center for Internet Security, “Reusing Passwords on Multiple Sites”. [Online]. Available: https://www.cisecurity.org/blog/reusing-passwords-on-multiple-sites/. [Accessed: 31-Jul-2019].
[20] Cloudflare, “What Is Credential Stuffing?”. [Online]. Available: https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/. [Accessed: 31-Jul-2019].