Lightweight Method for Detecting Fake Authentication Attack on Wi-Fi

Muhammad Yusuf Bambang Setiadji
Cyber Security Engineering
Sekolah Tinggi Sandi Negara
Bogor, Indonesia
yusuf.setiadji@stsn-nci.ac.id

Ramadhan Ibrahim
Badan Siber dan Sandi Negara
Jakarta, Indonesia
ramadhan.ibrahim@bssn.go.id

Amiruddin Amiruddin
Cyber Security Engineering
Sekolah Tinggi Sandi Negara
Bogor, Indonesia
amir@stsn-nci.ac.id

Abstract— Wireless networks, despite providing better access and flexibility, have vulnerabilities that are easier to exploit than those of wired networks. An attacker can carry out a fake authentication attack before mounting a Man in the Middle attack to intercept the other party's communication. Such an attack is generally carried out in public places that provide free Wi-Fi access. Detecting fake authentication is necessary to maintain successful communication. Several methods have been applied to detect fake authentication, such as the use of a Wireless Intrusion Detection System (WIDS) or certificates on Transport Layer Security (TLS). However, attackers can circumvent WIDS or TLS. Moreover, the WIDS and TLS techniques are costly and computationally expensive. In this study, a lightweight method based on the comparison of BSSID/MAC addresses for detecting fake authentication is proposed. The lightweight method is implemented as an application that runs on Android mobile phones and the Linux operating system. We compared the detection performance of a device with the proposed application and one without it. It can be concluded that the proposed method using comparison of BSSID / MAC addresses is an effective way to detect fake authentication attacks on Wi-Fi networks.

Keywords—fake authentication, fruitywifi, karma, Wireless Fidelity

I. INTRODUCTION

Wireless Fidelity, abbreviated as Wi-Fi, is one way to connect computing devices to a wireless network.
With this wireless connection, Wi-Fi has advantages that cannot be provided by cable networks, such as convenience and flexibility of use. Not surprisingly, this network connection is very popular in public places (hotels, coffee shops, restaurants), as well as private places (residences, offices) [9]. However, the convenience of using Wi-Fi has also given rise to mischief and crime that abuse it, for example stealing user data or information. Attackers install a fake Access Point to trap users and then steal user identity information. The information obtained can then be used to carry out serious attacks, for example a Man in the Middle (MITM) attack to intercept communications that occur on computer networks. However, to apply such an attack, the attacker must be part of the telecommunications system used by the victim [1] [11].

In Wi-Fi networks, attackers can become part of the telecommunications system by exploiting the weaknesses of probe request frames and probe response frames at the stage of the Wi-Fi association [2]. The attacker will monitor the probe request frame, which is sent automatically by the target, and extract the Service Set Identifier (SSID) value. The SSID value is then used as a pseudonym for the Access Point intended for the victims. To monitor probe requests, however, compatible hardware and software are needed. In this study, karma [3], which runs on the Debian operating system, is used to set up the fake Access Point. Other than monitoring, karma also functions as a honeypot hotspot to attract the victim's Wi-Fi devices to associate with the device on which karma runs. After the victim's devices are associated, the attacker has become part of the telecommunication system and can tap all communication from and to the victim's devices.

To overcome this problem, as the main contribution of our work, this research proposes a lightweight technique for detecting fake authentication based on Basic SSID (BSSID) / MAC address verification.
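The BSSID / MAC address comparison named above can be sketched as follows. This is an added example, not the authors' application: it assumes the check reads the current association from the output of `iw dev wlan0 link` on Linux, and the SSID, BSSIDs and the allowlist `TRUSTED_BSSIDS` are constructed sample values.

```python
import re

# Constructed allowlist: SSID -> BSSIDs of the access points the operator deployed.
TRUSTED_BSSIDS = {
    "CampusNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Constructed samples in the format printed by `iw dev wlan0 link`.
GENUINE_LINK = ("Connected to 00:11:22:33:44:55 (on wlan0)\n"
                "\tSSID: CampusNet\n\tfreq: 2437\n\tsignal: -48 dBm\n")
FAKE_LINK = ("Connected to 02:DE:AD:BE:EF:01 (on wlan0)\n"
             "\tSSID: CampusNet\n\tfreq: 2462\n\tsignal: -30 dBm\n")

_BSSID = re.compile(r"^Connected to ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I | re.M)
_SSID = re.compile(r"^[ \t]*SSID: (.*)$", re.M)


def parse_link(output):
    """Return (ssid, bssid) of the current association, or None if not connected."""
    bssid, ssid = _BSSID.search(output), _SSID.search(output)
    if not bssid or not ssid:
        return None
    return ssid.group(1), bssid.group(1).lower()


def check_association(output, trusted=TRUSTED_BSSIDS):
    """Classify the association as not-connected, unknown-ssid, trusted or suspect."""
    link = parse_link(output)
    if link is None:
        return "not-connected"
    ssid, bssid = link
    if ssid not in trusted:
        # No reference BSSID was recorded for this SSID, so nothing can be compared.
        return "unknown-ssid"
    allowed = {b.lower() for b in trusted[ssid]}
    # Same SSID but a BSSID outside the recorded set: possible fake Access Point.
    return "trusted" if bssid in allowed else "suspect"


if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_LINK), ("fake", FAKE_LINK)):
        print(name, parse_link(sample), check_association(sample))
```
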
This paper is organized according to the general structure as follows. Section 1 describes the background that motivates the research; Section 2 summarizes the related studies on Wi-Fi attacks; the proposed method is explained in Section 3; implementation and discussion are given in Section 4; and Section 5 concludes the study.

II. RELATED WORKS

A fake authentication attack on Wi-Fi aims to intercept communications made by two entities. There are several previous studies with similar themes, i.e. detection of MITM attacks on Wi-Fi. In this section, some studies related to MITM attacks and the weaknesses of association / authentication on Wi-Fi are explained.

Authors in [4] detected the Rogue Access Point (RAP), which is a security threat for organizations / institutions if its use is not controlled. In addition, a RAP can also be an entry point for MITM attacks. The detection of the RAP is done at the edge of the network, which is the side facing the public Internet. Detection is done using the packet analyzer functionality of tcpdump. By carrying out that analysis, official WLAN networks can be distinguished from unofficial WLAN networks (RAP). A weakness of this technique is that the tool is made only for laptop devices, not for mobile devices.

Authors in [5] studied and detected Stealth MITM attacks by using the Wireless Intrusion Detection System (WIDS). Stealth MITM attacks can occur because the attacker can directly modify the reply frame of the Address Resolution Protocol (ARP). The attacker can then exploit the weaknesses in the key management of Wi-Fi Protected Access version 2 (WPA2). By providing / adding WIDS

Proc. EECSI 2019 - Bandung, Indonesia, 18-20 Sept 2019 280