How can I ensure that I connect to the right wireless Access Point?

Speaking generally
MACs are easily spoofed.
WEP is cracked in minutes.
WPA/WPA2 implementations are not secure in all routers.

IMO man-in-the-middle attacks are almost unavoidable
The main problem is that the control data in 802.11x is never encrypted.
Because every wireless authentication must start using the unencrypted control sequence, it will be vulnerable to a man-in-the-middle attack.

To make matters worse, 802.11x sessions can easily be forced to disconnect and re-authenticate, so the man-in-the-middle can appear at any time in the session.

By using a radio-beam directed only at the client, it is very hard for intrusion detection systems to intercept this traffic.

Don't worry
The solution to this is to stop worrying about the man-in-the-middle at this or that access point.
Just make a connection with any access point, secured or not.
None of them can be trusted, so don't bother.

The solution
Instead use a VPN solution that is safe from man-in-the-middle attacks*), e.g. SSHv2 in a MITM-safe configuration, and connect to your endpoint using that.

What can the attacker do?
Then your attacker can listen in on the stream of data to his heart's content; all he can infer is how much data you are sending and receiving at your laptop (traffic analysis). This is still useful, but he could do that anyway by silently sniffing the wireless traffic.

But keep your laptop safe
You will still have to keep an attacker out of your laptop: employ a firewall that only accepts traffic from your VPN connection and nothing else. Use a secure operating system.

Benefits of this approach
Your laptop will be usable outside the corporate infrastructure. Realistically it will almost never stay inside that safe shell and securing all the access points you want to connect with is a pipe dream.
If you set up a proxy server for web and a mail server reachable through the VPN connection, you'll have fully secure use of your laptop from any and all locations.

To recap
With WEP and WPA outside attackers can spoof your wireless access point.
With WPA2, authenticated attackers can initiate a MITM attack regardless of the encryption scheme used. This can be done by unreliable insiders or malware on a trusted laptop.
Whilst there is no need to get all paranoid about this, as D.W. correctly pointed out, the bottom line is that there is no way to be 100% sure that you are not connecting to a rogue AP.

Now you only need to worry about that iPhone...

WPA2 has a MITM attack vector called Hole 196, see: http://www.airtightnetworks.com/WPA2-Hole196


*) Not all VPN solutions are, and lots of them have configurations where an otherwise safe solution is still at risk, but there are safe options, and if you have a good sysadmin it is not a difficult thing to set up correctly.


The only way to be 'sure' you are connecting where you want to connect is by having a root of trust beforehand: something shared with the AP like symmetric keys, or the public key of the AP (and you trust that the public key belongs to it), or trust in some certificate. If you have this root of trust, you can form a basis for trusting the AP if it can provide assurances that it knows the private key or can use the shared key.

Also, if the AP uses WPA/WPA2 then mutual authentication is used, so you can infer it is the correct AP by the fact that authentication succeeds or fails.


The solution is alluded to in another answer but not explicitly stated. This is currently only possible using WPA/WPA2 Enterprise. Using EAP-TLS, both the client and the authentication server (i.e. RADIUS) are authenticated via certificates. If you want to be sure you are connecting to the right AP, secure mutual authentication is required. That being said, this type of deployment is rare outside of the enterprise.
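A wpa_supplicant network block for the EAP-TLS deployment this answer describes, added here as an example and not taken from the answer's author; the SSID, identity, certificate paths and the RADIUS server name are placeholders. The part that actually pins you to the right network is the server-side check: the RADIUS certificate must chain to your own CA and carry the expected name, otherwise a rogue AP fronting a rogue RADIUS server with any certificate would pass.

```ini
# wpa_supplicant.conf (example, placeholders throughout)
ctrl_interface=/run/wpa_supplicant
ap_scan=1

network={
    ssid="corp-wifi"
    # WPA2 (RSN) with CCMP only; no WPA/TKIP fallback
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    # Require 802.11w protected management frames, so unauthenticated
    # deauth/disassoc frames cannot force a re-authentication
    ieee80211w=2

    eap=TLS
    identity="user@example.com"

    # Client half of the mutual authentication: our certificate and key
    client_cert="/etc/wpa_supplicant/certs/client.pem"
    private_key="/etc/wpa_supplicant/certs/client.key"
    private_key_passwd="placeholder-passphrase"

    # Server half: the RADIUS server's certificate must chain to THIS CA
    # (a private CA, not the system trust store) ...
    ca_cert="/etc/wpa_supplicant/certs/corp-radius-ca.pem"
    # ... and its subject/SAN must end with this name. Without a name
    # match, any certificate issued by the same CA would be accepted.
    domain_suffix_match="radius.example.com"
}
```

If `ca_cert` or `domain_suffix_match` is omitted, authentication still succeeds against an attacker-controlled RADIUS server, so the success-or-failure inference from the previous answer only holds when both are set.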