WiFi - Rogue Access Point


    A rogue access point is an effective way of breaching a network by violating trust. An attacker installs an access point inside the corporate network, thereby bypassing any firewall in place. The attacker then has the ability to connect to the target network without having to deal with most security controls, gather information, escalate privileges or perform other tasks. This type of attack is relatively easy to perform by putting in place compact hardware access points, such as a Raspberry Pi or an Odroid device, and software designed to create an access point. These kinds of devices are often referred to as Dropboxes and may be configured to use reverse SSH tunneling to spawn an egress shell, as ingress traffic may be blocked by the corporate firewall. This is also possible by having a workstation act as an access point, but this method requires credentials for the workstation. The attacker will have to somehow gain physical access to the target location, connect the device to the existing wired network, hide the access point from being readily observed and likely configure the SSID to appear as a corporate access point.

    Techniques exist to mitigate this kind of attack: keeping unused switch ports in a shut down state and implementing Port-based Network Access Control (PNAC) authentication using 802.1X. An attacker may of course unplug existing equipment to get access to the local network, but this will be highly visible as it means disconnecting a workstation or other device from the network.
    Certified Security Geek