Let's Ginger-Fi it!

A blog about my adventures in Wi-Fi

CWNE Essay #1 Hunting the Rogue WPA2

A lesson in having accurate floor plans and the attenuation capabilities of HVAC ducting.

The Problem:

While using the etherscope to test a wall plate, I did what I usually do: checked for wireless “rogues” in the area. There had been some complaints trickling in to me about issues in the theatres, but no official tickets. I’ll usually find some interference consisting of printers or personal hotspots from a cell phone, but occasionally I will find a rogue network. Often, someone has set up a rogue network not realizing they are interfering or breaking any rules. Malicious ones will spoof a MAC address or register the device as something it is not to have it allowed on the network. This is in violation of our network policies and a security risk. This time there was a network set up on a D-Link somewhere, but they were using the same SSID as our campus network. It was also set to 40 MHz in the 2.4 GHz band.

The Solution:

I began hunting. I tried finding the device MAC address from the wired network using “show mac address-table | begin” and the first 8 characters of the wireless MAC address. If the device MAC hasn’t been spoofed to get on the network, this has been a successful way of finding the connection location. It was not showing in this case.
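The wired-side lookup described above, as an added example that is not part of the original post: it parses switch MAC table output and ranks ports by how many leading hex digits they share with the rogue's wireless MAC. The table layout (Cisco IOS style), the sample addresses and the function names are assumptions, and "first 8 characters" is taken to mean the first three octets.

```python
import re

# Constructed sample of "show mac address-table" output (addresses are made up).
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    0050.56a1.0c2e    DYNAMIC     Gi1/0/3
 110    02aa.bb3c.77f0    DYNAMIC     Gi1/0/17
 120    3c52.82d4.9b01    DYNAMIC     Gi1/0/22
 120    02aa.bb9e.0410    DYNAMIC     Gi2/0/5
Total Mac Addresses for this criterion: 4
"""

# vlan, dotted MAC, type, port
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def normalize(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return (vlan, mac, port) tuples, skipping header and footer lines."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [(int(m.group(1)), normalize(m.group(2)), m.group(4)) for m in matches if m]

def shared_prefix(a, b):
    """Count the leading hex digits two normalized MACs have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def candidates(wireless_mac, table_text, min_digits=6):
    """Ports whose learned MAC shares at least min_digits (6 = three octets)
    with the wireless MAC, closest match first."""
    target = normalize(wireless_mac)
    hits = []
    for vlan, mac, port in parse_table(table_text):
        n = shared_prefix(target, mac)
        if n >= min_digits:
            hits.append((n, port, vlan, mac))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    for n, port, vlan, mac in candidates("02:AA:BB:3C:77:F2", SAMPLE_TABLE):
        print(f"{port:10} vlan {vlan:<4} {mac}  ({n}/12 digits match)")
```

An empty result means the wired lookup cannot locate the device, which is what happens when the MAC is spoofed or the device has no wired connection at all.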

The area where I noticed the D-Link consists of 4 large lecture theatres; each theatre is concrete floor to ceiling and slopes to cover 2 levels. I was able to find the strongest signal at the top of room 242. Behind me was an AV booth behind its own concrete wall, so I called security for access. The signal was the same as outside the booth. As you can see on the map, this building is attached in a cluster with 3 other buildings. After spending some time trying to trace the signal and finding it in various other spaces in these buildings, sometimes hitting -52 to -48 to give me hope I was going in the right direction, I went back to the place where I could hear the SSID the strongest, and as I looked up, I noticed there was a large HVAC duct right above me. Since I was at the back of the theatre, I could touch it with the etherscope (so I did). The signal got stronger. I did a bit of googling and found a few articles and studies where people used ductwork as a conduit for radio. I knew the main mechanical and heating space was partially under this theatre, so I went that way.

Although it does not exist on any map, the mechanical room is an enormous, underground, concrete space covering the areas shown in green above. When I walked towards the very back wall, the signal strength started to increase until I found myself in a two-foot-wide space between a large piece of HVAC equipment and a concrete wall. The ducting from upstairs ran here and then turned and went through the concrete wall. The signal was rapidly jumping between -32 and -21, all while I was standing still. Since none of this exists on any floor plans, I could never find what was on the other side of that wall. I climbed the ladder on the HVAC equipment to check for a monitoring device that may have been incorrectly set up but found nothing. I climbed under some very low ductwork and found a door on the other side which seemed to lead to a space behind the wall where the ducting disappeared.

Security was brought in to open the door which turned out to be the back door of a small carpentry storage area (not on the floor plans). There was no AP in this space, so security and I made our way to the room next door. There we found two oceanography researchers. On the back wall (the shared wall with the large HVAC space) plugged into an outlet, the antenna 2 inches from touching the duct, was a D-Link plug-in extender which was connected to nothing.

The researcher had brought it in and plugged it in next to their printer, then gave it the same SSID as our Dal network, thinking it would allow them to connect the printer through our wireless network. It had not worked, so they just gave up and left it powered on. They were not in the space often but figured it might help their wireless connections whenever they were.

I politely asked them to unplug it and explained the interference it was causing, but also how just naming the SSID the same would not make a device part of the network. They had no issues disconnecting it, and since they had not been maliciously trying to interfere with or extend the network, I did not feel the need to confiscate the device. I told them that they could take it home to use but that it could not be powered on anywhere on campus and that I would be able to monitor to ensure it did not return.

Conclusion:

Previously I had only looked at ductwork as a source of hindrance during the installation of a wireless network. After reading the above-mentioned report, seeing the large area covered by the signal, and experiencing the hunting required to locate the true source of the interference, I can see how ductwork could also be used as an amplifier in certain situations.

Study on using existing building HVAC systems as “waveguides”:

Guillaume Villemaud, Florin Hutu, Pierre Belloche, Fatimazhra Kninech. Wireless Transmission in Ventilation (HVAC) Ducts for the Internet of Things and Smarter Buildings: Proof of Concept and Specific Antenna Design. IRACON 2018 – 6th MC and 6th Technical Meeting, Jan 2018, Nicosia, Cyprus. pp. 1-6. hal-01973399
