Skip to main content
Version: Next

MULTIPLE_SIGNAL_TRACKS

Summary#

One of our stations (access point) is transmitting with more than one signal track. This could indicate that an attacker is spoofing the station, causing a different signal strength than the legitimate station. If this is an attacker, the difference in signal strength is usually caused by different physical locations of attacker and legitimate station.

Let's take a look at what the channel details of a network under normal operations look like:

Screenshot

  • 1) The channel fingerprints. You see that this network is advertised with frames that have a single unique fingerprint. (Sometimes you have two or even three fingerprints. See also Fingerprinting.)
  • 2) All frames nzyme recorded in the last five minutes had a signal strength of about -35 dBm.
  • 3) The -35 dBm signal strength and number of frames has been pretty consistent over the last 4 hours. The red lines show that nzyme detected the track of this access point. There is one track.

Everything seems to be going as expected.

Now let's look at what the same charts look like after someone started to spin up a rogue access point. It is extremely hard or impossible to spoof physical attributes like signal strength. Starting a rogue access point that is not in the same physical location as the legitimate access point will lead to different signal strengths recorded by nzyme:

Screenshot

  • 1) A new fingerprint appeared. (This will have triggered an UNEXPECTED_FINGERPRINT alert if this network is monitored.
  • 2) We still see the -35 dBm frames from our legitimate access point, but much less of them compared to a new group of signals with a different strength (4)
  • 3) The same detected signal track as before.
  • 4) A new group of signal strengths was recorded.
  • 5) A new track identified by nzyme. This will raise the alert documented on this page.

Sections 4) and 5) clearly identify a new source of 802.11 frames that is advertising one of our networks and the MULTIPLE_SIGNAL_TRACKS alert is triggered.

Because the rogue access point is sending so many frames (you can identify this by the colors on the waterfall chart (5) or the size of the signal strength buckets in the histogram (4)), it is likely that a BEACON_RATE_ANOMALY alert was triggered, too.

Possible False Positives#

  • A sudden change in the physical radio frequency environment can cause new tracks to appear. Monitor the signal track behavior long-term to spot normal changes in track behavior.
  • A station with adaptive transmit power can cause new tracks to be detected.
  • A physical relocation or configuration change of the station can cause the signal strength to change and new tracks to appear.

Notes#

See Also#

  • None