A story about the unlabelled access point that nobody had ordered and nobody could explain.
We were doing a wireless audit. Routine work: we’d been engaged for a network refresh and the audit was the first day of the engagement. Walk the building with a survey app on a tablet, map signal coverage, identify dead zones, identify channel overlap, list every access point (AP, the WiFi box on the wall or ceiling) we found. Three hours of slow walking and a lot of coffee.
The map came back with thirteen APs. The client’s documentation said there were eleven. We walked it again and got the same count.
The two we couldn’t account for were broadcasting an SSID (the name of a WiFi network) that looked legitimate at first glance. Same naming convention as the rest of the estate. Subtle differences if you looked closely. One in a small storage room above the back office. One in the ceiling of a corridor near the loading bay.
Neither was on the client’s asset register. Neither was on any switch port the client could see. They were getting power from somewhere, and they were broadcasting, and they had been doing so for at least the four months that signal data from the previous audit had been available to look at.
Three things it might be
There are three plausible explanations for an unlabelled AP, and we’d rather work through them than guess.
Operational drift. A previous contractor installed it, charged for it, didn’t add it to the documentation, and moved on. The client paid for it, owns it, has no record of it. We see this on probably half the audits we do. It’s a documentation failure, not a security incident.
Shadow IT. Somebody internal got fed up with the WiFi in their corner of the building, bought an AP from a high-street retailer, and plugged it in. We see this on maybe a quarter of audits. The AP is real, it’s friendly, but it’s also not configured to the rest of the estate’s security standard, and it’s probably broadcasting on a channel that’s clobbering everything else.
Actual rogue device. Something somebody planted. Either as part of a deliberate intrusion attempt, or, more often, as part of a previous tenant or contractor’s setup that was never disconnected. The frequency of this is much lower than the first two, but it isn’t zero, and the cost of getting it wrong is much higher.
You can usually tell which of the three you’re looking at within twenty minutes once you’ve got the device in your hand. The brand, the configuration, the MAC address vendor lookup (a quick check of the device’s hardware ID against a public registry that tells you who made it), the way it’s powered. What you can’t do is tell from across the building. You have to find it, physically.
So we found them. The storage-room one was a £40 consumer router somebody on the operations team had plugged in eighteen months earlier because the meeting room next door had poor signal. He’d genuinely forgotten about it and felt a bit sheepish. We turned it off, walked it back to its owner, and moved on.
The loading-bay one was harder to track. It was in the ceiling void, not screwed to the structure, just sitting on top of a cable tray. It was being powered by a PoE injector (a device that pushes power through an Ethernet cable so you don’t need a separate plug) tucked behind a ventilation duct, plugged into a wall socket on a separate ring main from the rest of the IT power. It was a small business-grade AP, not a consumer one. The serial number didn’t match anything on the client’s records, but it did match a batch sold to a previous IT supplier the client had used in 2021 and parted ways with in 2022, probably forgotten, possibly not.
What we did next
We took it down. We took it back to the office. We pulled the configuration. The SSID it was broadcasting was open, no password, and it was bridged to a VLAN (a logical network segment) that turned out to be on the main staff network, not segregated from anything. Anybody within range of the loading bay, and there’s a public footpath on the other side of the wall, could have been on the staff network for the past four years.
We can’t tell you whether anyone was, because we don’t have the logs. The AP wasn’t logging to a central system because it wasn’t centrally managed.
What we can tell you is that the gap which allowed this to exist for that long was the same gap we wrote up in the audit report:
- No periodic wireless survey. The last one had been at install in 2019.
- No central management of APs. Each device was managed individually, which means nothing notices when an extra one shows up.
- No segregation between public-facing zones and the staff network. One flat network across the building.
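The second of those gaps, nothing noticing when an extra AP shows up, is the one a survey can close mechanically: every BSSID the walk-round finds gets checked against the asset register, and anything unregistered, anything broadcasting a lookalike SSID, and anything open gets listed for a physical visit, with a vendor lookup on the hardware address to help with the twenty-minute triage described earlier. The script below is an added example, not JMO|Partners’ tooling. It assumes the survey app exports one row per AP with BSSID, SSID, security mode and location, that the asset register is a list of BSSIDs, and that the OUI table is a hand-built stand-in (the prefixes are constructed, not real IEEE assignments; a production check would query the IEEE registry).

```python
"""Reconcile a wireless survey against an asset register and flag APs to go and find.

Added example for illustration; survey rows, register entries and OUI prefixes
are all constructed sample data, not real devices.
"""
import difflib
from dataclasses import dataclass

# Constructed OUI table: first three octets of a MAC -> vendor name.
# Placeholder prefixes; a real check uses the IEEE OUI registry.
OUI_TABLE = {
    "00:11:22": "ExampleEnterpriseAP",
    "AA:BB:CC": "ExampleConsumerRouter",
}

# SSIDs the estate is supposed to broadcast (constructed names).
APPROVED_SSIDS = {"Acme-Staff", "Acme-Guest"}


@dataclass
class Finding:
    bssid: str
    ssid: str
    location: str
    reasons: list


def normalise_mac(mac):
    """Upper-case, colon-separated form so register and survey entries compare equal."""
    return mac.strip().upper().replace("-", ":")


def oui_vendor(mac):
    """Look up the first three octets in the (constructed) OUI table."""
    return OUI_TABLE.get(normalise_mac(mac)[:8], "unknown vendor")


def lookalike(ssid, approved, threshold=0.85):
    """Return the approved SSID this one resembles but does not equal, if any.

    Catches the 'same naming convention, subtle differences' case: a
    near-match above the threshold is worth a visit even if the AP is registered.
    """
    for good in approved:
        ratio = difflib.SequenceMatcher(None, ssid.lower(), good.lower()).ratio()
        if ssid != good and ratio >= threshold:
            return good
    return None


def reconcile(survey, register, approved=APPROVED_SSIDS):
    """Return one Finding per surveyed AP that needs a physical follow-up."""
    known = {normalise_mac(m) for m in register}
    findings = []
    for ap in survey:
        bssid = normalise_mac(ap["bssid"])
        reasons = []
        if bssid not in known:
            reasons.append(f"not in asset register (vendor: {oui_vendor(bssid)})")
        if ap["ssid"] not in approved:
            near = lookalike(ap["ssid"], approved)
            reasons.append("unapproved SSID" + (f", resembles {near!r}" if near else ""))
        if ap.get("security", "").lower() in ("open", "none", ""):
            reasons.append("open authentication")
        if reasons:
            findings.append(Finding(bssid, ap["ssid"], ap["location"], reasons))
    return findings


# Constructed sample data: two registered APs, one consumer box with a lookalike
# SSID, and one business-grade unit that is open and not on the register.
SAMPLE_REGISTER = ["00:11:22:00:00:01", "00:11:22:00:00:02"]
SAMPLE_SURVEY = [
    {"bssid": "00:11:22:00:00:01", "ssid": "Acme-Staff", "security": "WPA2", "location": "Back office"},
    {"bssid": "00:11:22:00:00:02", "ssid": "Acme-Guest", "security": "WPA2", "location": "Reception"},
    {"bssid": "aa:bb:cc:12:34:56", "ssid": "Acme_Staff", "security": "WPA2", "location": "Storage room"},
    {"bssid": "00:11:22:99:99:99", "ssid": "Acme-Staff", "security": "open", "location": "Loading bay ceiling"},
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_SURVEY, SAMPLE_REGISTER):
        print(f"{f.location}: {f.bssid} '{f.ssid}' -> {'; '.join(f.reasons)}")
```

Run against the sample data it lists the storage-room and loading-bay devices and nothing else. The point of the vendor column is triage, not proof: a consumer prefix on an unregistered BSSID points towards shadow IT, a business-grade prefix with no register entry and open authentication is the one to go and pull out of the ceiling first. Re-running this after every survey, rather than once at install, is what turns a one-off walk into the periodic check the report asked for.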
Each of those gaps is fixable. We fixed them as part of the refresh. The story has a tidy ending.
Why we’d rather find them
The headline of this post is the punchline of the engagement. We’d rather find the rogue AP than not. Even when finding it is awkward, because somebody internal installed it, because a previous supplier left a mess, because the report becomes harder to write. Even when nobody asked us to look for it specifically.
The alternative is being the firm that did the wireless audit and didn’t find it. Two years later, when the breach happens, somebody asks why the audit missed it, and the answer is “we didn’t look in the ceiling void”. That’s a worse position for everyone: the client, us, our professional indemnity insurer, the people whose data was on that network.
This is the spirit of our Security Solutions practice. The audit isn’t a piece of paper but an actual look at the actual estate, with somebody walking it with a tablet for the full day it takes, and asking the awkward questions when the map doesn’t match the documentation. The paper at the end is a byproduct.
A short note for the procurement-minded
A wireless audit that takes half a day and produces a report is cheaper than the one that takes a full day and produces the same report. It’s also cheaper than the one that takes a full day and finds the rogue AP, because that one then continues into incident response and a network rebuild.
If you’ve never had an audit find anything, that’s information. It might mean your estate is genuinely clean, or it might mean the audit didn’t look very hard. We’d want to know which. Because the device sitting in your ceiling void right now, broadcasting an open SSID into the car park, isn’t waiting for your next audit cycle; it’s exposing your staff network today. The cost of finding out from a regulator or an insurer instead of from us is an order of magnitude higher, and it tends to arrive with a press release attached.
Wondering what’s on your wireless that you don’t know about? Drop us a note at info@jmopartners.co.uk. One of us will read it.
JMO|Partners · Enterprise IT, sized for SMEs.