Rogue AP attack
In a rogue AP attack, the attacker employs an AP (masqueraded as a legitimate AP in a given hotspot) connected to an
MS, as depicted in Figure 1. Based on signal strength, an unsuspecting MS may connect to the rogue AP and start to
perform authentication. Since no messages can be integrity protected before authentication, the attacker substitutes the
MAC/IP address-pair of his own MS and relays the authentication messages to a legitimate AP. In this way, the
authentication procedure binds the MAC/IP address-pair of the attacking MS to the credentials of the legitimate user.
As a consequence, the attacker gains access to anything the legitimate user would, while the legitimate user is denied
access. This attack is only applicable if the authentication does not result in encryption/integrity keys to protect the
session.
Figure 1. Rogue AP used for man-in-the-middle attacks
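The paragraph above notes that the relayed authentication only helps the attacker when it produces no session keys. The following toy model, added here and not part of the original paper, shows why: an AP that merely binds the responding MAC/IP pair to a successful credential check accepts any later frame from that pair, while an AP that derives a per-session integrity key from the credential rejects frames from a station that never knew the secret. All names, the shared secret and the address values are constructed assumptions.

```python
import hmac
import hashlib
import os

# Constructed sample secret shared between the user's MS and the AP/AAA (assumption).
SECRET = b"user-credential-shared-with-aaa"


class LegitimateAP:
    """Model AP: challenge/response over a shared secret, then either a bare
    (MAC, IP) binding or a derived per-session integrity key."""

    def __init__(self, bind_keys: bool):
        self.bind_keys = bind_keys
        self.nonce = os.urandom(16)
        self.authorized = {}  # (mac, ip) -> session key, or None when no keys are derived

    def challenge(self) -> bytes:
        return self.nonce

    def verify(self, src, response: bytes) -> bool:
        expected = hmac.new(SECRET, self.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        key = None
        if self.bind_keys:  # mitigation: session key tied to the authenticated credential
            key = hmac.new(SECRET, b"session|" + self.nonce, hashlib.sha256).digest()
        self.authorized[src] = key
        return True

    def accept_frame(self, src, payload: bytes, tag: bytes) -> bool:
        if src not in self.authorized:
            return False
        key = self.authorized[src]
        if key is None:  # address binding only: any frame from the bound pair passes
            return True
        return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def legit_station_response(nonce: bytes) -> bytes:
    """The legitimate MS answers the challenge with its credential."""
    return hmac.new(SECRET, nonce, hashlib.sha256).digest()


def relay_scenario(bind_keys: bool) -> bool:
    """Authentication is answered by the legitimate MS but arrives from the
    relaying station's address pair; returns whether that station's own
    data frame is then accepted by the AP."""
    ap = LegitimateAP(bind_keys)
    relay_src = ("aa:bb:cc:dd:ee:ff", "10.0.0.66")  # constructed address pair
    response = legit_station_response(ap.challenge())
    ap.verify(relay_src, response)
    payload = b"data frame from the relaying station"
    tag = hmac.new(b"unknown-key", payload, hashlib.sha256).digest()  # no session key known
    return ap.accept_frame(relay_src, payload, tag)
```

With `bind_keys=False` the relaying station's frame is accepted, reproducing the binding problem the paper describes; with `bind_keys=True` it is rejected because the integrity key never left the legitimate MS.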
The same equipment may also be used to redirect a user’s traffic to a completely different network. That is, the attacker may trick the user into believing that he is accessing the given WRAN, when in fact he is connected to a network of the attacker’s choice.