Trident: Context-based Reverse Authentication for Phishing AP Detection in Commodity WiFi Networks

In urban areas, WiFi is the most widely-deployed portal for users to acquire the broadband access. Meanwhile, phishing AP (access point)-a rogue AP that falsifies the SSID (or even the BSSID) of a legitimate corporate AP-has caused many security problems in commodity WiFi networks. Existing research on the phishing AP detection can be divided into two categories: (1) the hardware-based approach usually deploys sensors (sniffers and/or USB-based wireless adapters) and conducts radio frequency (RF) sensing at a large scale to detect the anomaly at link and physical layers; and (2) the measurement-based approach enables a laptop to determine the legitimacy of a given AP by monitoring the RTT (round trip time) of data and/or control messages. However, these approaches require the additional cost on either the hardware deployment, or periodic statistical measurements. In this paper, we present Trident, a context-based reverse authentication method for detecting phishing AP in commodity WiFi networks, which requires no extra hardware deployment or periodic statistical measurements. Specifically, Trident employs a challenge-response protocol that allows a user to (reversely) authenticate an AP by two steps: (1) sending the AP a few questions regarding three user-context features (time, location, traffic) during the user-AP interaction procedure, and (2) examining the answers returned by the AP to determine its legitimacy. Our experimental results reveal that Trident achieves a high reliability rate(1) of 95% and a detection rate of 98% when users are connecting rogue APs in the commodity WiFi network on campus.