Cybersecurity

Detecting Rogue Devices with Artificial Intelligence

May 18, 2021

Rogue devices are malicious machines placed inside networks to steal data or otherwise spy on network users. The owners of these devices might range from your Wi-Fi-stealing neighbor to a malicious actor monitoring your whole network. The threat from rogue devices comes due to limited visibility on consumer-grade networks. Manually monitoring every computer, phone and smart appliance might be difficult for most users, especially with 15-20 connected devices in an average household.

Even some advanced network administrators also only see limited information about the devices on their networks, such as their internal IP address, a MAC address and a hostname. Properly secured enterprise networks, on the other hand, have an added benefit of approving every new device before giving it access to the network. For non-enterprise users, artificial intelligence (AI) can provide higher network transparency that would help them detect any rogue devices.

Do not make the common mistake by mixing up rogue devices with rogue access points, as the latter are a different breed of malicious activity that deserves its own article.

How Rogue Devices Connect to Networks

There are several ways for an unknown device to access a network. These methods require some effort on the rogue device owner’s part, and hinge on no network access controls being present on the network. It is not common for rogue devices to end up on properly secured networks, because network access controls:

  • Require additional verification.
  • Do not provide instant access to the network.
  • In general, these networks seem to also have better physical and Wi-Fi security.

Home networks might be penetrated by rogue devices in several ways:

Physical access. If a home network has a device connected to the network gateway via a cable, attackers might intercept the connection and implant a rogue device on the same connection. This issue concerns various IoT devices outside the home, such as IP cameras, smart doorbells, etc.

Password extraction. Any devices that are connected to a Wi-Fi network have the password stored on them and could be extracted.

Brute force: guessing the password. This is especially true if users do not change the standard password shipped with their router. There had been instances where ISPs ship routers with weak passwords or use bad password generation practices, making them easy to guess (e.g. using MAC address to generate passwords).

What a Rogue Device Can Do on a Network

In many cases, rogue devices are simply stealing internet bandwidth, but even if they are owned by your neighbor, having unknown devices on your network is a very dangerous sign. If a malicious actor manages to connect their devices to a local network, they might be able to monitor your network traffic, access files on NAS devices or access your IP camera feed.

Man in the middle (MITM) attacks can also start through rogue devices. Passive MITM attacks might inspect cleartext traffic, while active MITMs might keep your devices on HTTP and prevent you from noticing it. This might lead to credential theft and other data leaks.

Detecting Rogue Devices with AI

Detecting rogue devices is very important for your security, and AI can have a very positive impact on consumer network visibility due to high-precision device monitoring capabilities. Artificial intelligence used in CUJO AI Explorer can identify device types with >94% precision, even if they are spoofing their MAC address or hostname.

Nevertheless, there are no fool-proof ways to solve all security problems stemming from unknown devices without creating an additional approval layer on the network. This is why CUJO AI offers an additional approval step for end-users using Sentry to protect their gateways.

Don’t Let Rogue Devices onto Your Network

As we see, rogue devices are not something to be taken lightly, and everyone can take a page from enterprise-level network security to prevent them. First of all, every gateway should use updated firmware, latest patches and strong passwords. We recommend requiring additional approvals from the owner of the network before allowing new devices onto the network and giving them access to the internet or other devices.

While most people might not be technically able to create this security procedure on their own, they could be inclined to use an ISP’s application that provides network visibility and notifies them whenever a new device tries to use the network, which is exactly what CUJO AI offers to ISPs.

Our AI device intelligence solution Explorer is used in large telecommunications networks to provide more visibility to both the operators and the end-users: ISPs use AI to detect all devices on end-user networks and give them full visibility of their devices. Using this AI-driven approach makes preventing rogue devices a lot easier.