Do you currently know who is connected to your corporate wireless network? Most people cannot even answer this question for their home networks.
You expect people with different devices to be connected to a network at any given moment. Users connect laptops, tablets, smartphones, game consoles, smart TVs, Wi-Fi printers, among other devices, to a network.
Unquestionably, your wireless network is vulnerable to malicious actors and outsiders who simply want to use your internet access for free. Either way, it is unwanted and unlawful. It helps to be aware of certain warning signs that indicate the presence of devices and users connecting to your network without permission.
The first common sign involves noticing your internet moving a little slower than usual. Naturally, every connection to the network takes up some bandwidth. Consequently, if outsiders connect and start using your Wi-Fi without permission, then your traffic will slow down.
The easiest way to determine whether outsiders are joining your network without permission is to log in to your wireless network’s web interface and review all the devices currently connected. The challenge is that to know which devices shouldn’t be connected, you first need to know which devices should be. Unfortunately, most companies can’t answer this question either.
What’s the big deal with someone connecting to your network? Understanding which devices and, more importantly, which people are connecting to the network is the first step in identifying an attacker.
If attackers connect to your network, the attack surface grows exponentially. If an attacker is able to pivot to other segments of the corporate network, it is possible to install malware that could steal your passwords and other proprietary information. Even worse, it would be possible to encrypt all data the attacker has access to and hold your company hostage with ransomware. In effect, it is essential to ensure that all users and devices connected to your network are trustworthy.
More frequently, companies try to mitigate the risk by setting up separate guest and corporate networks. Most routers on the market today make guest wireless access straightforward to offer. However, if it is possible to join the corporate network from the guest one, or to join both networks with the same device, then the company is vulnerable to wireless attacks. In some cases, the guest network is enabled in access points by default.
A low-tech way of identifying devices connected to your network involves shutting down all your smartphones and computers so that none of them is turned on. Ensure you also switch off smart TVs and any other smart appliances connected to the Wi-Fi. Next, check the activity lights on your wireless router or AP. If the router’s signal light still shows regular activity, that’s a sign that someone is using the Wi-Fi without permission.
In the case of a business with multiple connected devices, shutting off all of them to check the activity lights might be infeasible. In such a situation, you can open your router’s management page by typing its IP address in your browser’s address bar. If you are lucky, you will recognize every item on the attached devices or client list page. However, not all routers offer enough information. For instance, the list may include a couple of devices that show no name or manufacturer.
You can leverage Sonar, included in Pulsar Cyber Shield, to generate a list of all devices currently connected, or attempting to connect, to your wireless network so that you can identify the ones you trust. Although you get some of this information when a device joins the network, through the authenticated device’s MAC address and assigned IP address, Sonar takes it a step further and provides physical device characteristics that help confirm the connecting device is legitimate and not one with a spoofed MAC address. The only way to properly confirm the device is legitimate is to tie the physical device to the MAC and IP address.
The Sonar service detects client devices connecting to your network, including those with common open networks in their preferred network lists. If a client device that has been seen connecting to your network, or is currently connected, has also been seen connecting to common open networks, such as ‘Starbucks,’ this device is vulnerable to de-authentication attacks that take advantage of automatic reconnection to common open networks.
Besides that, Sonar detects clients that match the signatures of wireless hacking devices. Attackers use such devices to perform several malicious actions, such as de-authenticating devices, capturing packets necessary for network password retrieval, setting up fake access points, and viewing or manipulating network traffic.
The solution also discovers devices whose MAC addresses are not resolvable to a vendor and are not locally administered by the organization. Sonar subsequently monitors such devices for malicious activities. Naturally, devices with wireless connectivity should be resolvable to a vendor or a locally administered address. Therefore, an unresolvable device is considered potentially malicious and may indicate an attacker’s presence in the wireless network with a spoofed MAC address.
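
The client-list review and the vendor / locally administered check described above can be approximated by hand. The following is an added example, not part of the original article and not Sonar's code; the inventory, vendor table, organisation prefix, client list and all function names are hypothetical, constructed sample values.

```python
import re

# Constructed sample data (not real assignments). In practice, load the IEEE
# OUI registry and your own asset inventory instead of these stand-ins.
KNOWN_DEVICES = {"3caabb102030": "front-desk laptop"}   # approved inventory
OUI_VENDORS = {"3caabb": "Example Vendor A", "88ccdd": "Example Vendor B"}
ORG_LOCAL_PREFIXES = {"02aa00"}   # locally administered range the org assigns
CLIENT_LIST = ["3C-AA-BB-10-20-30", "88:cc:dd:01:02:03", "02:aa:00:00:00:07",
               "da:11:22:33:44:55", "0012.3456.789a"]


def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(mac):
    """Label one client-list entry by how well its MAC can be accounted for."""
    digits = normalize(mac)
    if digits in KNOWN_DEVICES:
        return "known"
    # Bit 0x02 of the first octet marks a locally administered address.
    # Randomised "private" addresses on phones and laptops also set it.
    if int(digits[:2], 16) & 0x02:
        return "local-org" if digits[:6] in ORG_LOCAL_PREFIXES else "local-unknown"
    if digits[:6] in OUI_VENDORS:
        return "vendor-unlisted"   # vendor resolves, device not in inventory
    return "unresolvable"          # no vendor and not locally administered


def flagged(clients):
    """Entries that match neither a vendor nor the organisation's own range."""
    labels = [(normalize(c), classify(c)) for c in clients]
    return [(m, l) for m, l in labels if l in ("local-unknown", "unresolvable")]


if __name__ == "__main__":
    for entry in CLIENT_LIST:
        print(f"{entry:20} {classify(entry)}")
```

A "known" or "vendor-unlisted" label only says the address is plausible; because MAC addresses can be spoofed, it does not by itself confirm the physical device.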
After identifying outsiders in your wireless network, you can simply kick them off by enhancing the router’s or access point’s security. These best practices can enhance your wireless network security and prevent outsiders from connecting.