Multiple WIFI attacks, then malicious AP detected

dmg15 · October 17, 2021

About two weeks ago I started to get notified that Fingbox (2.0) had detected an attack on my access point. It is an Apple time capsule and not the only AP on my network so I disabled it for a day. A few days after being reenabled, same thing. Disabled it again overnight and another couple of days and the notifications start up again and became more frequent. I left it for a while, and the notification now happens every couple of minutes. After a while I get a new notification about a ‘new or malicious AP’ and an option to ‘Trust’ it.

The BSSID is completely different to my AP and matches a hidden network in my area. The BSSID of the hidden network is a close variant of 2 other visible AP in my area, their SSID suggests its an ISP provided router.

How can I find more information about the attack that is being detected?

Under what conditions would Fingbox determine that a nearby, unassociated AP is part of MY network if I have never attempted to connect to it before?

Below are screenshots of the hidden and visible AP details from Digital Fence, its relevant.

Any ideas? Cheers.

Robin_Ex_Fing · October 20, 2021

Hi @dmg15

To update you that sometimes, it can be a false alarm as well. It seems like the warnings are getting generated due to Apple time capsule. If the time capsule is able to change the MAC address and then try to connect to main network then it may be detected as an attack. To make sure, Once Fingbox identifies a Rogue Access Point you should take immediate action:

Turn off your WiFi network equipment for 15 minutes and wait. Make sure to turn off or disable WiFi from all client devices (like e.g. mobile phones, laptops, etc). Then restart networking and see if the Rogue Access Point still appears.

Multiple WIFI attacks, then malicious AP detected

Comments

Categories