If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Rogue access points

One time at a coffee shop, I saw a listing like this when trying to connect to its Wi-Fi network:
Screenshot of a listing of wireless networks, with two wireless networks named "Coffee Shop Wifi". Neither of those networks are password protected.
Seeing the generic and duplicate “Coffee Shop Wifi” networks gave me an odd feeling, so I decided not to connect. When I visited the coffee shop a few weeks later, I saw a flyer warning customers that “Coffee Shop Wifi” was a rogue access point.
What’s a rogue access point? To answer this, let’s first describe how a typical home gets Internet access.

Access points

Homes often connect to the Internet via a wired connection. Imagine that you couldn’t place a wire in your computer’s room. How else would you connect it to the Internet? You can use an access point.
Access points connect to the Internet via a wired connection but share it wirelessly with many devices like your computer. You can think of access points as translators between the languages of wireless and wired signals.
If you’re wondering why you’ve never heard of access points but have heard of routers, it’s because most routers include access points. Routers are responsible for transporting packets, not for providing wireless Internet access.
You can see what an access point looks like below. Notice the Ethernet cable in the back that connects it to the Internet and the two antennae that broadcast and receive wireless signals.
Photo of a Linksys wireless access point.
Image source: Macic7

Rogue access points

A rogue access point is an access point installed on a network without the network owner’s permission. Why is this bad?
If an attacker owns the access point, they can intercept the data (e.g. PII) flowing through the network. This is why the coffee shop provided the warning to its customers; they wanted to stop an unauthorized access point on their network from intercepting users’ data.
Let’s now dive deeper into two ways rogue access points can intercept PII.

Passive interception

In passive interception, a rogue access point can read your data but cannot manipulate it. If you connect to a network with a rogue access point and enter your password on a site over HTTP, the rogue access point can read your password.
Illustration of passive interception over a rogue access point. On the left, a laptop has a website open with a filled-out password field. There's a server on the right. An area is labeled "What the client thinks happens" and contains an arrow that is labeled "Password: 123abc" and goes from to the laptop to an access point labeled "legitimate access point". Another arrow is labeled with the same data and goes from the legitimate access point to the server. The bottom area is labeled "What actually happens" and contains an arrow that is labeled "Password: 123abc" and goes from the laptop to an attacker labeled "rogue access point". Another arrow is labeled with the same data and goes from the rogue access point to the server.
Passive interception can also collect a user's Internet footprint. By monitoring DNS requests and other Internet traffic, the rogue access point can profile your Internet behavior. This profile can expose private information about you such as the types of websites you visit.

Active interception

In active interception, a rogue access point can also manipulate your data. They can read the incoming user data, modify the data however they want, and send the modified user data to the destination endpoint.
For example, if a user visits a banking website and tries to deposit money into an account, a rogue access point can redirect the deposit to an attacker’s account.
Illustration of active interception over a rogue access point. On the left, a laptop has a website open with a form field. There's a server on the right. An area is labeled "What the client thinks happens" and contains an arrow that is labeled "Account ID: 25" and goes from to the laptop to an access point labeled "legitimate access point". Another arrow is labeled with the same data and goes from the legitimate access point to the server. The bottom area is labeled "What actually happens" and contains an arrow that is labeled "Account ID: 25" and goes from the laptop to an attacker labeled "rogue access point". Another arrow is labeled "Account ID: 12" and goes from the rogue access point to the server.

Recommendations

We should think twice before connecting to a free wireless hotspot in public locations such as coffee shops or airports. If we see something odd, we should notify the network owner.
We can also protect ourselves by using VPNs (virtual private networks) or HTTPS. VPNs and HTTPS both send a scrambled form of our data across the network. Even if rogue access points intercept it, they won’t be able to unscramble it.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!