Detection of Masqueraded Wireless Access Using 802.11 MAC Layer Fingerprints

Abstract

Many wireless Internet access operators prefer open local area network (WLAN) access because this reduces the need for user assistance for a variety of smaller devices. A 802.11 MAC spoofer masquerades as an authorized user and gains access by using an already whitelisted MAC address. We consider the scenario where the spoofer waits until the authorized user has finished the session, and then uses the still whitelisted MAC address for the network access. We propose and experiment with “implementation fingerprints” that can be used to detect MAC layer spoofing in this setting. We include eight different tests in the detection algorithm, resulting in 2.8 in average Hamming distance of the tests. Eleven different STA devices are tested with promising detection results. No precomputed database of fingerprints is needed.